Closed Bug 1293244 Opened 8 years ago Closed 8 years ago

Assertion failure: !IsProxy(this)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox49 --- ?
firefox50 --- ?
firefox51 - ?

People

(Reporter: cbook, Unassigned)

References

(
URL
)

Details

(4 keywords)

Attachments

(3 files)

complete stack
106.48 KB, text/plain
Details
test_case.html
155.83 KB, text/html
Details
linux_dbg_log.txt
7.97 KB, text/plain
Details
Attached file complete stack 
Assertion failure: !IsProxy(this), at c:/builds/moz2_slave/m-cen-w32-d-000000000000000000/build/src/js/src/jsobj.cpp:3695

Steps to reproduce:
-> Load http://www.marriott.com/default.mi 
-->> Assertion failure: !IsProxy(this), at c:/builds/moz2_slave/m-cen-w32-d-000000000000000000/build/src/js/src/jsobj.cpp:3695

also crashes opt builds like :

https://crash-stats.mozilla.com/report/index/7c29d9dd-f619-4234-8b7f-547c52160808

one crash was marked in bughunter as security issue as high/low exploitable.

Seems nightly only crash so far, so marking as s-s
[Tracking Requested - why for this release]:
bughunter found on topsites
tracking-firefox51: --- → ?
This assertion is failing when we try to tenure a nursery object.  I added similar assertions when we allocate nursery objects and they weren't hit which implies this is some kind of corruption.  One guess would be that it's a dynamically allocated Class that is being freed to soon.
Group: core-security → javascript-core-security
Tracking 51+ for this crash - could affect some topsites.
tracking-firefox51: ?+
This looks like the JIT code is writing an object value containing this bad pointer in to elements of an array.
See Also: → 1243151
Please save a local copy of this page and see if it reproduces there, in case they change the page.
Flags: needinfo?(bob)
Sounds bad. I'll mark the other one critical too in case it isn't a dupe.
Keywords: sec-critical
Attached file test_case.html 
The issue seems to be triggered by webAnalytics.js
Flags: in-testsuite?
Keywords: testcase
Gary, could you try minimizing the test case that Tyson attached? Thanks.
Flags: needinfo?(gary)
On a trip currently - I can help better if someone is able to convert to testcase to a standalone one that crashes in a shell.
Flags: needinfo?(twsmith)
Bug 1293258 has landed now, which maybe was related to this, so it would be worth retrying it.
I haven't been able to reproduce in Bughunter using Windows 7 using current builds. Previously Bughunter saw this from late 2016-08-06 to early 2016-08-12 but has not seen it since.
Flags: needinfo?(bob)
There's still 60 crashes with this signature on beta 5, so the issue may still exist. Maybe whatever it was in the analytic on the marriot site isn't loading every time. If we fixed this, or they fixed it, it's still crashing in 49.
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox51: --- → affected
I don't have the tools to reduce this.
Flags: needinfo?(twsmith)
Christian?
Flags: needinfo?(choller)
The attached test didn't reproduce for me in a Firefox 51 debug build, is it supposed to?

I'm also seeing this error on the console:

JavaScript error: file:///path/to/test.html, line 5: TypeError: Not allowed to define a non-configurable property on the WindowProxy object
Flags: needinfo?(choller) → needinfo?(twsmith)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #10)
> On a trip currently - I can help better if someone is able to convert to
> testcase to a standalone one that crashes in a shell.

Clearing needinfo?, unsure if I am the best person for this now...
Flags: needinfo?(gary)
No one can reproduce or reduce this. Tomcat, please re-open if it keeps occurring.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(twsmith)
Resolution: --- → INCOMPLETE
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: