Closed Bug 453935 Opened 12 years ago Closed 12 years ago

TM: Crash [@ jitted code] with array, XMLHttpRequest, nodeType


(Core :: JavaScript Engine, defect, P3)

x86
macOS
defect


RESOLVED WORKSFORME
mozilla1.9.1


(Reporter: jruderman, Assigned: gal)


(Blocks 1 open bug)


(Keywords: crash, testcase)


The testcase involves the same function as the one that found bug 453747.  I'm using a build from the tracemonkey branch that's new enough to have the patch from that bug.
Priority: -- → P1
Summary: Crash [@ jitted code] with array, XMLHttpRequest, nodeType → TM: Crash [@ jitted code] with array, XMLHttpRequest, nodeType
Target Milestone: --- → mozilla1.9.1b1
Blocking1.9.1+, P2, Assigning to Andreas.
Assignee: general → gal
Flags: blocking1.9.1+
Priority: P1 → P2
The property cache is filled incorrectly here. We should not generate code that walks up the prototype chain, since we fall off the end of the world.

*** loading ISO8601DateUtils
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file /Users/gal/workspace/tracemonkey-repository/netwerk/base/src/nsIOService.cpp, line 1028
WARNING: NS_ENSURE_SUCCESS(rv, 0) failed with result 0x8000FFFF: file ../../dist/include/necko/nsNetUtil.h, line 1464
++DOMWINDOW == 14 (0x1e7a83ec) [serial = 14] [outer = 0x1d075b00]

Breakpoint 2, TraceRecorder::getProp (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5339
5339	    if (!prop(obj, obj_ins, slot, v_ins))
(gdb) s
TraceRecorder::prop (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798, slot=@0xbfffbab8, v_ins=@0xbfffbab4) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5214
5214	    if (obj == globalObj)
(gdb) n
5216	    guard(false, lir->ins2(LIR_eq, obj_ins, INS_CONSTPTR(globalObj)), MISMATCH_EXIT);
(gdb) 
5224	    if (!test_property_cache(obj, obj_ins, obj2, pcval))
(gdb) s
TraceRecorder::test_property_cache (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798, obj2=@0xbfffba60, pcval=@0xbfffba5c) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:3427
3427	    jsbytecode* pc = cx->fp->regs->pc;
(gdb) n
3428	    JS_ASSERT(*pc != JSOP_INITPROP && *pc != JSOP_SETNAME && *pc != JSOP_SETPROP);
(gdb) 
3433	    JSObject* aobj = obj;
(gdb) 
3434	    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
(gdb) 
3439	    LIns* map_ins = lir->insLoad(LIR_ldp, obj_ins, (int)offsetof(JSObject, map));
(gdb) 
3451	    uint32 format = js_CodeSpec[*pc].format;
(gdb) 
3452	    uint32 mode = JOF_MODE(format);
(gdb) 
3455	    JS_ASSERT(OBJ_IS_NATIVE(globalObj));
(gdb) 
3456	    if (aobj != globalObj) {
(gdb) 
3457	        size_t op_offset = 0;
(gdb) 
3458	        if (mode == JOF_PROP || mode == JOF_VARPROP) {
(gdb) 
3459	            JS_ASSERT(!(format & JOF_SET));
(gdb) 
3460	            op_offset = offsetof(JSObjectOps, getProperty);
(gdb) 
3458	        if (mode == JOF_PROP || mode == JOF_VARPROP) {
(gdb) 
3465	        if (!map_is_native(aobj->map, map_ins, ops_ins, op_offset))
(gdb) 
3471	    PROPERTY_CACHE_TEST(cx, pc, aobj, obj2, entry, atom);
(gdb) 
3472	    if (atom) {
(gdb) 
3476	        jsid id = ATOM_TO_JSID(atom);
(gdb) 
3478	        if (JOF_OPMODE(*pc) == JOF_NAME) {
(gdb) 
3483	            int protoIndex = js_LookupPropertyWithFlags(cx, aobj, id, 0, &obj2, &prop);
(gdb) s
js_LookupPropertyWithFlags (cx=0xb92800, obj=0x162749c0, id=307380468, flags=0, objp=0xbfffba60, propp=0xbfffb994) at /Users/gal/workspace/tracemonkey-repository/js/src/jsobj.cpp:3322
3322	    CHECK_FOR_STRING_INDEX(id);
(gdb) n
3323	    JS_COUNT_OPERATION(cx, JSOW_LOOKUP_PROPERTY);
(gdb) 
3326	    start = obj;
(gdb) 
3327	    for (protoIndex = 0; ; protoIndex++) {
(gdb) 
3328	        JS_LOCK_OBJ(cx, obj);
(gdb) 
3329	        scope = OBJ_SCOPE(obj);
(gdb) 
3330	        if (scope->object == obj) {
(gdb) 
3334	            sprop = NULL;
(gdb) 
3338	        if (!sprop) {
(gdb) 
3339	            clasp = LOCKED_OBJ_GET_CLASS(obj);
(gdb) 
3340	            resolve = clasp->resolve;
(gdb) 
3341	            if (resolve != JS_ResolveStub) {
(gdb) 
3343	                key.obj = obj;
(gdb) 
3344	                key.id = id;
(gdb) 
3352	                if (!js_StartResolving(cx, &key, JSRESFLAG_LOOKUP, &entry)) {
(gdb) 
3356	                if (!entry) {
(gdb) 
3361	                generation = cx->resolvingTable->generation;
(gdb) 
3364	                *propp = NULL;
(gdb) 
3366	                if (clasp->flags & JSCLASS_NEW_RESOLVE) {
(gdb) p resolve
$38 = (JSResolveOp) 0x111e5584 <XPC_WN_Helper_NewResolve>
(gdb) n
3367	                    newresolve = (JSNewResolveOp)resolve;
(gdb) 
3368	                    if (!(flags & JSRESOLVE_CLASSNAME) &&
(gdb) 
3370	                        pc = cx->fp->regs->pc;
(gdb) 
3371	                        cs = &js_CodeSpec[*pc];
(gdb) 
3372	                        format = cs->format;
(gdb) 
3373	                        if (JOF_MODE(format) != JOF_NAME)
(gdb) 
3374	                            flags |= JSRESOLVE_QUALIFIED;
(gdb) 
3375	                        if ((format & JOF_ASSIGNING) ||
(gdb) 
3379	                            pc += cs->length;
(gdb) 
3380	                            if (Detecting(cx, pc))
(gdb) n
3383	                        if (format & JOF_DECLARING)
(gdb) 
3388	                           : NULL;
(gdb) 
3389	                    JS_UNLOCK_OBJ(cx, obj);
(gdb) 
3392	                    JS_KEEP_ATOMS(cx->runtime);
(gdb) p obj2
$39 = (JSObject *) 0x0
(gdb) n
3393	                    ok = newresolve(cx, obj, ID_TO_VALUE(id), flags, &obj2);
(gdb) 
3394	                    JS_UNKEEP_ATOMS(cx->runtime);
(gdb) p obj2
$40 = (JSObject *) 0x0
(gdb) n
3395	                    if (!ok)
(gdb) 
3398	                    JS_LOCK_OBJ(cx, obj);
(gdb) 
3399	                    if (obj2) {
(gdb) 
3457	                js_StopResolving(cx, &key, JSRESFLAG_LOOKUP, entry, generation);
(gdb) 
3458	                if (!ok)
(gdb) 
3460	                if (*propp)
(gdb) 
3465	        if (sprop) {
(gdb) 
3474	        proto = LOCKED_OBJ_GET_PROTO(obj);
(gdb) 
3475	        JS_UNLOCK_OBJ(cx, obj);
(gdb) 
3476	        if (!proto)
(gdb) 
3478	        if (!OBJ_IS_NATIVE(proto)) {
(gdb) 
3483	        obj = proto;
(gdb) 
3327	    for (protoIndex = 0; ; protoIndex++) {
(gdb) 
3328	        JS_LOCK_OBJ(cx, obj);
(gdb) 
3329	        scope = OBJ_SCOPE(obj);
(gdb) 
3330	        if (scope->object == obj) {
(gdb) 
3331	            sprop = SCOPE_GET_PROPERTY(scope, id);
(gdb) 
3338	        if (!sprop) {
(gdb) p sprop
$41 = (JSScopeProperty *) 0xfd8950
(gdb) p *sprop
$42 = {
  id = 307380468, 
  getter = 0, 
  setter = 0, 
  slot = 5, 
  attrs = 1 '\001', 
  flags = 0 '\0', 
  shortid = 0, 
  parent = 0xfd8930, 
  kids = 0x0, 
  shape = 40906
}
(gdb) p obj.dslots
$43 = (jsval *) 0x168782b4
(gdb) p obj.dslots[-1]
$44 = 8
(gdb) p obj.dslots[0]
$45 = 201
(gdb) p obj.dslots[0]/2
$46 = 100
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x128d4f54 in ?? ()
(gdb) !dis
Undefined command: "".  Try "help".
(gdb) disasm $pc-136, $pc+32
Undefined command: "disasm".  Try "help".
(gdb) disas $pc-136 $pc+32
Dump of assembler code from 0x128d4ecc to 0x128d4f74:
0x128d4ecc:	inc    %eax
0x128d4ecd:	push   %edx
0x128d4ece:	adc    %al,%ch
0x128d4ed0:	xor    $0x38,%al
0x128d4ed2:	movsl  %ds:(%esi),%es:(%edi)
0x128d4ed3:	in     (%dx),%eax
0x128d4ed4:	add    $0xc,%esp
0x128d4ed7:	mov    %eax,%ecx
0x128d4ed9:	mov    -0xc(%ebp),%eax
0x128d4edc:	cmp    $0x2,%ecx
0x128d4edf:	je     0x6fdd40
0x128d4ee5:	cmp    $0x1,%ecx
0x128d4ee8:	sete   %cl
0x128d4eeb:	movzbl %cl,%ecx
0x128d4eee:	mov    %ecx,(%esi)
0x128d4ef0:	cmp    $0x1,%ecx
0x128d4ef3:	jne    0x6fdd80
0x128d4ef9:	cmp    $0x163fa8c0,%eax
0x128d4efe:	je     0x6fddc0
0x128d4f04:	mov    (%eax),%ecx
0x128d4f06:	mov    0x4(%ecx),%edx
0x128d4f09:	mov    0x10(%edx),%edx
0x128d4f0c:	cmp    $0x25cfc4,%edx
0x128d4f12:	jne    0x6fde00
0x128d4f18:	mov    0x20(%ecx),%ecx
0x128d4f1b:	cmp    $0x9fca,%ecx
0x128d4f21:	jne    0x6fde40
0x128d4f27:	mov    $0x16274980,%ecx
0x128d4f2c:	mov    (%ecx),%ecx
0x128d4f2e:	mov    0x4(%ecx),%edx
0x128d4f31:	mov    (%edx),%edx
0x128d4f33:	cmp    $0x25653c,%edx
0x128d4f39:	jne    0x6fde80
0x128d4f3f:	mov    0x20(%ecx),%ecx
0x128d4f42:	cmp    $0x9fca,%ecx
0x128d4f48:	jne    0x6fdec0
0x128d4f4e:	mov    0x8(%eax),%eax
0x128d4f51:	mov    0x1c(%eax),%eax
0x128d4f54:	mov    (%eax),%ecx
0x128d4f56:	mov    %ecx,%eax
0x128d4f58:	and    $0x7,%eax
0x128d4f5b:	cmp    $0x2,%eax
0x128d4f5e:	sete   %dl
0x128d4f61:	movzbl %dl,%edx
0x128d4f64:	mov    %ecx,%eax
0x128d4f66:	and    $0x1,%eax
0x128d4f69:	or     %edx,%eax
0x128d4f6b:	test   %eax,%eax
0x128d4f6d:	je     0x6fdf00
0x128d4f73:	call   0x32604a <_Z14js_UnboxDoublel>
End of assembler dump.
(gdb) p $px
$47 = void
(gdb) p $pc
$48 = (void (*)(void)) 0x128d4f54
(gdb) i reg eax
eax            0x0	0
(gdb) p *(JSObject*)0x16274980
$49 = {
  map = 0x16877c30, 
  classword = 287583713, 
  fslots = {371673632, 373270720, 377978001, 371669352, 371669408}, 
  dslots = 0x168782b4
}
(gdb) p *(JSClass*)($.classword&~3)
$50 = {
  name = 0x1123df9c "XPC_WN_ModsAllowed_NoCall_Proto_JSClass", 
  flags = 524289, 
  addProperty = 0x1be9e4 <JS_PropertyStub>, 
  delProperty = 0x1be9e4 <JS_PropertyStub>, 
  getProperty = 0x1be9e4 <JS_PropertyStub>, 
  setProperty = 0x1be9e4 <JS_PropertyStub>, 
  enumerate = 0x111e1fe2 <XPC_WN_Shared_Proto_Enumerate>, 
  resolve = 0x111e4caa <XPC_WN_ModsAllowed_Proto_Resolve>, 
  convert = 0x111e22d4 <XPC_WN_Shared_Proto_Convert>, 
  finalize = 0x111e22e2 <XPC_WN_Shared_Proto_Finalize>, 
  getObjectOps = 0x111e234a <XPC_WN_Proto_GetObjectOps(JSContext*, JSClass*)>, 
  checkAccess = 0, 
  call = 0, 
  construct = 0, 
  xdrObject = 0, 
  hasInstance = 0, 
  mark = 0x111e2318 <XPC_WN_Shared_Proto_Trace>, 
  reserveSlots = 0
}
(gdb) p $49.dslots[-1]
$51 = 8
(gdb) p $49.dslots[0] 
$52 = 201
(gdb) disas $pc-138 $pc+32
Dump of assembler code from 0x128d4eca to 0x128d4f74:
0x128d4eca:	push   $0x125240f0
0x128d4ecf:	call   0x328708 <_Z19js_HasNamedPropertyP9JSContextP8JSObjectP8JSString>
0x128d4ed4:	add    $0xc,%esp
0x128d4ed7:	mov    %eax,%ecx
0x128d4ed9:	mov    -0xc(%ebp),%eax
0x128d4edc:	cmp    $0x2,%ecx
0x128d4edf:	je     0x6fdd40
0x128d4ee5:	cmp    $0x1,%ecx
0x128d4ee8:	sete   %cl
0x128d4eeb:	movzbl %cl,%ecx
0x128d4eee:	mov    %ecx,(%esi)
0x128d4ef0:	cmp    $0x1,%ecx
0x128d4ef3:	jne    0x6fdd80
0x128d4ef9:	cmp    $0x163fa8c0,%eax
0x128d4efe:	je     0x6fddc0
0x128d4f04:	mov    (%eax),%ecx
0x128d4f06:	mov    0x4(%ecx),%edx
0x128d4f09:	mov    0x10(%edx),%edx
0x128d4f0c:	cmp    $0x25cfc4,%edx
0x128d4f12:	jne    0x6fde00
0x128d4f18:	mov    0x20(%ecx),%ecx
0x128d4f1b:	cmp    $0x9fca,%ecx
0x128d4f21:	jne    0x6fde40
0x128d4f27:	mov    $0x16274980,%ecx
0x128d4f2c:	mov    (%ecx),%ecx
0x128d4f2e:	mov    0x4(%ecx),%edx
0x128d4f31:	mov    (%edx),%edx
0x128d4f33:	cmp    $0x25653c,%edx
0x128d4f39:	jne    0x6fde80
0x128d4f3f:	mov    0x20(%ecx),%ecx
0x128d4f42:	cmp    $0x9fca,%ecx
0x128d4f48:	jne    0x6fdec0
0x128d4f4e:	mov    0x8(%eax),%eax
0x128d4f51:	mov    0x1c(%eax),%eax
0x128d4f54:	mov    (%eax),%ecx
0x128d4f56:	mov    %ecx,%eax
0x128d4f58:	and    $0x7,%eax
0x128d4f5b:	cmp    $0x2,%eax
0x128d4f5e:	sete   %dl
0x128d4f61:	movzbl %dl,%edx
0x128d4f64:	mov    %ecx,%eax
0x128d4f66:	and    $0x1,%eax
0x128d4f69:	or     %edx,%eax
0x128d4f6b:	test   %eax,%eax
0x128d4f6d:	je     0x6fdf00
0x128d4f73:	call   0x32604a <_Z14js_UnboxDoublel>
End of assembler dump.
(gdb) x/x $ebp-12
0xbfff9304:	0x16274980
(gdb) p *(JSObject*)0x16274980
$53 = {
  map = 0x16877c30, 
  classword = 287583713, 
  fslots = {371673632, 373270720, 377978001, 371669352, 371669408}, 
  dslots = 0x168782b4
}
(gdb) p *(JSClass*)($.classword&~3)
$54 = {
  name = 0x1123df9c "XPC_WN_ModsAllowed_NoCall_Proto_JSClass", 
  flags = 524289, 
  addProperty = 0x1be9e4 <JS_PropertyStub>, 
  delProperty = 0x1be9e4 <JS_PropertyStub>, 
  getProperty = 0x1be9e4 <JS_PropertyStub>, 
  setProperty = 0x1be9e4 <JS_PropertyStub>, 
  enumerate = 0x111e1fe2 <XPC_WN_Shared_Proto_Enumerate>, 
  resolve = 0x111e4caa <XPC_WN_ModsAllowed_Proto_Resolve>, 
  convert = 0x111e22d4 <XPC_WN_Shared_Proto_Convert>, 
  finalize = 0x111e22e2 <XPC_WN_Shared_Proto_Finalize>, 
  getObjectOps = 0x111e234a <XPC_WN_Proto_GetObjectOps(JSContext*, JSClass*)>, 
  checkAccess = 0, 
  call = 0, 
  construct = 0, 
  xdrObject = 0, 
  hasInstance = 0, 
  mark = 0x111e2318 <XPC_WN_Shared_Proto_Trace>, 
  reserveSlots = 0
}
(gdb) p $53.dslots[0]
$55 = 201
(gdb)
Downgrading. Weird fuzzer bug, unlikely to appear in content. Suggest not blocking beta1.
Flags: blocking1.9.1+
Priority: P2 → P3
Target Milestone: mozilla1.9.1b1 → mozilla1.9.1
Doesn't crash Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20081006 Minefield/3.1b1pre 20081006034237

Did anything change?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite+
Crash Signature: [@ jitted code]