TM: Crash [@ jitted code] with array, XMLHttpRequest, nodeType

RESOLVED WORKSFORME

Status


defect
P3
critical
RESOLVED WORKSFORME
11 years ago
8 years ago

People

(Reporter: jruderman, Assigned: gal)

Tracking

(Blocks 2 bugs, {crash, testcase})

Trunk
mozilla1.9.1
x86
macOS
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

Reporter

Description

11 years ago
The testcase involves the same function as the one that found bug 453747.  I'm using a build from the tracemonkey branch that's new enough to have the patch from that bug.

Updated

11 years ago
Priority: -- → P1
Summary: Crash [@ jitted code] with array, XMLHttpRequest, nodeType → TM: Crash [@ jitted code] with array, XMLHttpRequest, nodeType
Target Milestone: --- → mozilla1.9.1b1
Blocking1.9.1+, P2, Assigning to Andreas.
Assignee: general → gal
Flags: blocking1.9.1+
Priority: P1 → P2
Assignee

Comment 2

11 years ago
The property cache is filled incorrectly here. We should not generate code that walks up the prototype chain, since we fall off the end of the world.

*** loading ISO8601DateUtils
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file /Users/gal/workspace/tracemonkey-repository/netwerk/base/src/nsIOService.cpp, line 1028
WARNING: NS_ENSURE_SUCCESS(rv, 0) failed with result 0x8000FFFF: file ../../dist/include/necko/nsNetUtil.h, line 1464
++DOMWINDOW == 14 (0x1e7a83ec) [serial = 14] [outer = 0x1d075b00]

Breakpoint 2, TraceRecorder::getProp (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5339
5339	    if (!prop(obj, obj_ins, slot, v_ins))
(gdb) s
TraceRecorder::prop (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798, slot=@0xbfffbab8, v_ins=@0xbfffbab4) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5214
5214	    if (obj == globalObj)
(gdb) n
5216	    guard(false, lir->ins2(LIR_eq, obj_ins, INS_CONSTPTR(globalObj)), MISMATCH_EXIT);
(gdb) 
5224	    if (!test_property_cache(obj, obj_ins, obj2, pcval))
(gdb) s
TraceRecorder::test_property_cache (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798, obj2=@0xbfffba60, pcval=@0xbfffba5c) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:3427
3427	    jsbytecode* pc = cx->fp->regs->pc;
(gdb) n
3428	    JS_ASSERT(*pc != JSOP_INITPROP && *pc != JSOP_SETNAME && *pc != JSOP_SETPROP);
(gdb) 
3433	    JSObject* aobj = obj;
(gdb) 
3434	    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
(gdb) 
3439	    LIns* map_ins = lir->insLoad(LIR_ldp, obj_ins, (int)offsetof(JSObject, map));
(gdb) 
3451	    uint32 format = js_CodeSpec[*pc].format;
(gdb) 
3452	    uint32 mode = JOF_MODE(format);
(gdb) 
3455	    JS_ASSERT(OBJ_IS_NATIVE(globalObj));
(gdb) 
3456	    if (aobj != globalObj) {
(gdb) 
3457	        size_t op_offset = 0;
(gdb) 
3458	        if (mode == JOF_PROP || mode == JOF_VARPROP) {
(gdb) 
3459	            JS_ASSERT(!(format & JOF_SET));
(gdb) 
3460	            op_offset = offsetof(JSObjectOps, getProperty);
(gdb) 
3458	        if (mode == JOF_PROP || mode == JOF_VARPROP) {
(gdb) 
3465	        if (!map_is_native(aobj->map, map_ins, ops_ins, op_offset))
(gdb) 
3471	    PROPERTY_CACHE_TEST(cx, pc, aobj, obj2, entry, atom);
(gdb) 
3472	    if (atom) {
(gdb) 
3476	        jsid id = ATOM_TO_JSID(atom);
(gdb) 
3478	        if (JOF_OPMODE(*pc) == JOF_NAME) {
(gdb) 
3483	            int protoIndex = js_LookupPropertyWithFlags(cx, aobj, id, 0, &obj2, &prop);
(gdb) s
js_LookupPropertyWithFlags (cx=0xb92800, obj=0x162749c0, id=307380468, flags=0, objp=0xbfffba60, propp=0xbfffb994) at /Users/gal/workspace/tracemonkey-repository/js/src/jsobj.cpp:3322
3322	    CHECK_FOR_STRING_INDEX(id);
(gdb) n
3323	    JS_COUNT_OPERATION(cx, JSOW_LOOKUP_PROPERTY);
(gdb) 
3326	    start = obj;
(gdb) 
3327	    for (protoIndex = 0; ; protoIndex++) {
(gdb) 
3328	        JS_LOCK_OBJ(cx, obj);
(gdb) 
3329	        scope = OBJ_SCOPE(obj);
(gdb) 
3330	        if (scope->object == obj) {
(gdb) 
3334	            sprop = NULL;
(gdb) 
3338	        if (!sprop) {
(gdb) 
3339	            clasp = LOCKED_OBJ_GET_CLASS(obj);
(gdb) 
3340	            resolve = clasp->resolve;
(gdb) 
3341	            if (resolve != JS_ResolveStub) {
(gdb) 
3343	                key.obj = obj;
(gdb) 
3344	                key.id = id;
(gdb) 
3352	                if (!js_StartResolving(cx, &key, JSRESFLAG_LOOKUP, &entry)) {
(gdb) 
3356	                if (!entry) {
(gdb) 
3361	                generation = cx->resolvingTable->generation;
(gdb) 
3364	                *propp = NULL;
(gdb) 
3366	                if (clasp->flags & JSCLASS_NEW_RESOLVE) {
(gdb) p resolve
$38 = (JSResolveOp) 0x111e5584 <XPC_WN_Helper_NewResolve>
(gdb) n
3367	                    newresolve = (JSNewResolveOp)resolve;
(gdb) 
3368	                    if (!(flags & JSRESOLVE_CLASSNAME) &&
(gdb) 
3370	                        pc = cx->fp->regs->pc;
(gdb) 
3371	                        cs = &js_CodeSpec[*pc];
(gdb) 
3372	                        format = cs->format;
(gdb) 
3373	                        if (JOF_MODE(format) != JOF_NAME)
(gdb) 
3374	                            flags |= JSRESOLVE_QUALIFIED;
(gdb) 
3375	                        if ((format & JOF_ASSIGNING) ||
(gdb) 
3379	                            pc += cs->length;
(gdb) 
3380	                            if (Detecting(cx, pc))
(gdb) n
3383	                        if (format & JOF_DECLARING)
(gdb) 
3388	                           : NULL;
(gdb) 
3389	                    JS_UNLOCK_OBJ(cx, obj);
(gdb) 
3392	                    JS_KEEP_ATOMS(cx->runtime);
(gdb) p obj2
$39 = (JSObject *) 0x0
(gdb) n
3393	                    ok = newresolve(cx, obj, ID_TO_VALUE(id), flags, &obj2);
(gdb) 
3394	                    JS_UNKEEP_ATOMS(cx->runtime);
(gdb) p obj2
$40 = (JSObject *) 0x0
(gdb) n
3395	                    if (!ok)
(gdb) 
3398	                    JS_LOCK_OBJ(cx, obj);
(gdb) 
3399	                    if (obj2) {
(gdb) 
3457	                js_StopResolving(cx, &key, JSRESFLAG_LOOKUP, entry, generation);
(gdb) 
3458	                if (!ok)
(gdb) 
3460	                if (*propp)
(gdb) 
3465	        if (sprop) {
(gdb) 
3474	        proto = LOCKED_OBJ_GET_PROTO(obj);
(gdb) 
3475	        JS_UNLOCK_OBJ(cx, obj);
(gdb) 
3476	        if (!proto)
(gdb) 
3478	        if (!OBJ_IS_NATIVE(proto)) {
(gdb) 
3483	        obj = proto;
(gdb) 
3327	    for (protoIndex = 0; ; protoIndex++) {
(gdb) 
3328	        JS_LOCK_OBJ(cx, obj);
(gdb) 
3329	        scope = OBJ_SCOPE(obj);
(gdb) 
3330	        if (scope->object == obj) {
(gdb) 
3331	            sprop = SCOPE_GET_PROPERTY(scope, id);
(gdb) 
3338	        if (!sprop) {
(gdb) p sprop
$41 = (JSScopeProperty *) 0xfd8950
(gdb) p *sprop
$42 = {
  id = 307380468, 
  getter = 0, 
  setter = 0, 
  slot = 5, 
  attrs = 1 '\001', 
  flags = 0 '\0', 
  shortid = 0, 
  parent = 0xfd8930, 
  kids = 0x0, 
  shape = 40906
}
(gdb) p obj.dslots
$43 = (jsval *) 0x168782b4
(gdb) p obj.dslots[-1]
$44 = 8
(gdb) p obj.dslots[0]
$45 = 201
(gdb) p obj.dslots[0]/2
$46 = 100
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x128d4f54 in ?? ()
(gdb) !dis
Undefined command: "".  Try "help".
(gdb) disasm $pc-136, $pc+32
Undefined command: "disasm".  Try "help".
(gdb) disas $pc-136 $pc+32
Dump of assembler code from 0x128d4ecc to 0x128d4f74:
0x128d4ecc:	inc    %eax
0x128d4ecd:	push   %edx
0x128d4ece:	adc    %al,%ch
0x128d4ed0:	xor    $0x38,%al
0x128d4ed2:	movsl  %ds:(%esi),%es:(%edi)
0x128d4ed3:	in     (%dx),%eax
0x128d4ed4:	add    $0xc,%esp
0x128d4ed7:	mov    %eax,%ecx
0x128d4ed9:	mov    -0xc(%ebp),%eax
0x128d4edc:	cmp    $0x2,%ecx
0x128d4edf:	je     0x6fdd40
0x128d4ee5:	cmp    $0x1,%ecx
0x128d4ee8:	sete   %cl
0x128d4eeb:	movzbl %cl,%ecx
0x128d4eee:	mov    %ecx,(%esi)
0x128d4ef0:	cmp    $0x1,%ecx
0x128d4ef3:	jne    0x6fdd80
0x128d4ef9:	cmp    $0x163fa8c0,%eax
0x128d4efe:	je     0x6fddc0
0x128d4f04:	mov    (%eax),%ecx
0x128d4f06:	mov    0x4(%ecx),%edx
0x128d4f09:	mov    0x10(%edx),%edx
0x128d4f0c:	cmp    $0x25cfc4,%edx
0x128d4f12:	jne    0x6fde00
0x128d4f18:	mov    0x20(%ecx),%ecx
0x128d4f1b:	cmp    $0x9fca,%ecx
0x128d4f21:	jne    0x6fde40
0x128d4f27:	mov    $0x16274980,%ecx
0x128d4f2c:	mov    (%ecx),%ecx
0x128d4f2e:	mov    0x4(%ecx),%edx
0x128d4f31:	mov    (%edx),%edx
0x128d4f33:	cmp    $0x25653c,%edx
0x128d4f39:	jne    0x6fde80
0x128d4f3f:	mov    0x20(%ecx),%ecx
0x128d4f42:	cmp    $0x9fca,%ecx
0x128d4f48:	jne    0x6fdec0
0x128d4f4e:	mov    0x8(%eax),%eax
0x128d4f51:	mov    0x1c(%eax),%eax
0x128d4f54:	mov    (%eax),%ecx
0x128d4f56:	mov    %ecx,%eax
0x128d4f58:	and    $0x7,%eax
0x128d4f5b:	cmp    $0x2,%eax
0x128d4f5e:	sete   %dl
0x128d4f61:	movzbl %dl,%edx
0x128d4f64:	mov    %ecx,%eax
0x128d4f66:	and    $0x1,%eax
0x128d4f69:	or     %edx,%eax
0x128d4f6b:	test   %eax,%eax
0x128d4f6d:	je     0x6fdf00
0x128d4f73:	call   0x32604a <_Z14js_UnboxDoublel>
End of assembler dump.
(gdb) p $px
$47 = void
(gdb) p $pc
$48 = (void (*)(void)) 0x128d4f54
(gdb) i reg eax
eax            0x0	0
(gdb) p *(JSObject*)0x16274980
$49 = {
  map = 0x16877c30, 
  classword = 287583713, 
  fslots = {371673632, 373270720, 377978001, 371669352, 371669408}, 
  dslots = 0x168782b4
}
(gdb) p *(JSClass*)($.classword&~3)
$50 = {
  name = 0x1123df9c "XPC_WN_ModsAllowed_NoCall_Proto_JSClass", 
  flags = 524289, 
  addProperty = 0x1be9e4 <JS_PropertyStub>, 
  delProperty = 0x1be9e4 <JS_PropertyStub>, 
  getProperty = 0x1be9e4 <JS_PropertyStub>, 
  setProperty = 0x1be9e4 <JS_PropertyStub>, 
  enumerate = 0x111e1fe2 <XPC_WN_Shared_Proto_Enumerate>, 
  resolve = 0x111e4caa <XPC_WN_ModsAllowed_Proto_Resolve>, 
  convert = 0x111e22d4 <XPC_WN_Shared_Proto_Convert>, 
  finalize = 0x111e22e2 <XPC_WN_Shared_Proto_Finalize>, 
  getObjectOps = 0x111e234a <XPC_WN_Proto_GetObjectOps(JSContext*, JSClass*)>, 
  checkAccess = 0, 
  call = 0, 
  construct = 0, 
  xdrObject = 0, 
  hasInstance = 0, 
  mark = 0x111e2318 <XPC_WN_Shared_Proto_Trace>, 
  reserveSlots = 0
}
(gdb) p $49.dslots[-1]
$51 = 8
(gdb) p $49.dslots[0] 
$52 = 201
(gdb) disas $pc-138 $pc+32
Dump of assembler code from 0x128d4eca to 0x128d4f74:
0x128d4eca:	push   $0x125240f0
0x128d4ecf:	call   0x328708 <_Z19js_HasNamedPropertyP9JSContextP8JSObjectP8JSString>
0x128d4ed4:	add    $0xc,%esp
0x128d4ed7:	mov    %eax,%ecx
0x128d4ed9:	mov    -0xc(%ebp),%eax
0x128d4edc:	cmp    $0x2,%ecx
0x128d4edf:	je     0x6fdd40
0x128d4ee5:	cmp    $0x1,%ecx
0x128d4ee8:	sete   %cl
0x128d4eeb:	movzbl %cl,%ecx
0x128d4eee:	mov    %ecx,(%esi)
0x128d4ef0:	cmp    $0x1,%ecx
0x128d4ef3:	jne    0x6fdd80
0x128d4ef9:	cmp    $0x163fa8c0,%eax
0x128d4efe:	je     0x6fddc0
0x128d4f04:	mov    (%eax),%ecx
0x128d4f06:	mov    0x4(%ecx),%edx
0x128d4f09:	mov    0x10(%edx),%edx
0x128d4f0c:	cmp    $0x25cfc4,%edx
0x128d4f12:	jne    0x6fde00
0x128d4f18:	mov    0x20(%ecx),%ecx
0x128d4f1b:	cmp    $0x9fca,%ecx
0x128d4f21:	jne    0x6fde40
0x128d4f27:	mov    $0x16274980,%ecx
0x128d4f2c:	mov    (%ecx),%ecx
0x128d4f2e:	mov    0x4(%ecx),%edx
0x128d4f31:	mov    (%edx),%edx
0x128d4f33:	cmp    $0x25653c,%edx
0x128d4f39:	jne    0x6fde80
0x128d4f3f:	mov    0x20(%ecx),%ecx
0x128d4f42:	cmp    $0x9fca,%ecx
0x128d4f48:	jne    0x6fdec0
0x128d4f4e:	mov    0x8(%eax),%eax
0x128d4f51:	mov    0x1c(%eax),%eax
0x128d4f54:	mov    (%eax),%ecx
0x128d4f56:	mov    %ecx,%eax
0x128d4f58:	and    $0x7,%eax
0x128d4f5b:	cmp    $0x2,%eax
0x128d4f5e:	sete   %dl
0x128d4f61:	movzbl %dl,%edx
0x128d4f64:	mov    %ecx,%eax
0x128d4f66:	and    $0x1,%eax
0x128d4f69:	or     %edx,%eax
0x128d4f6b:	test   %eax,%eax
0x128d4f6d:	je     0x6fdf00
0x128d4f73:	call   0x32604a <_Z14js_UnboxDoublel>
End of assembler dump.
(gdb) x/x $ebp-12
0xbfff9304:	0x16274980
(gdb) p *(JSObject*)0x16274980
$53 = {
  map = 0x16877c30, 
  classword = 287583713, 
  fslots = {371673632, 373270720, 377978001, 371669352, 371669408}, 
  dslots = 0x168782b4
}
(gdb) p *(JSClass*)($.classword&~3)
$54 = {
  name = 0x1123df9c "XPC_WN_ModsAllowed_NoCall_Proto_JSClass", 
  flags = 524289, 
  addProperty = 0x1be9e4 <JS_PropertyStub>, 
  delProperty = 0x1be9e4 <JS_PropertyStub>, 
  getProperty = 0x1be9e4 <JS_PropertyStub>, 
  setProperty = 0x1be9e4 <JS_PropertyStub>, 
  enumerate = 0x111e1fe2 <XPC_WN_Shared_Proto_Enumerate>, 
  resolve = 0x111e4caa <XPC_WN_ModsAllowed_Proto_Resolve>, 
  convert = 0x111e22d4 <XPC_WN_Shared_Proto_Convert>, 
  finalize = 0x111e22e2 <XPC_WN_Shared_Proto_Finalize>, 
  getObjectOps = 0x111e234a <XPC_WN_Proto_GetObjectOps(JSContext*, JSClass*)>, 
  checkAccess = 0, 
  call = 0, 
  construct = 0, 
  xdrObject = 0, 
  hasInstance = 0, 
  mark = 0x111e2318 <XPC_WN_Shared_Proto_Trace>, 
  reserveSlots = 0
}
(gdb) p $53.dslots[0]
$55 = 201
(gdb)
Assignee

Comment 3

11 years ago
Downgrading. Weird fuzzer bug, unlikely to appear in content. Suggest not blocking beta1.
Flags: blocking1.9.1+
Priority: P2 → P3
Target Milestone: mozilla1.9.1b1 → mozilla1.9.1

Comment 4

11 years ago
Doesn't crash Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20081006 Minefield/3.1b1pre 20081006034237

Did anything change?

Updated

11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Reporter

Updated

11 years ago
Flags: in-testsuite+
Crash Signature: [@ jitted code]