473040 - TM: Crash [@ NativeToValue]

Status: VERIFIED DUPLICATE of bug 464096

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: gdb output, bt backtraces, normal and full

__proto__.functional getter= (new Function("gc()"));
for each (let x in [new Boolean(true), new Boolean(true), -0, new Boolean(true), -0]) { undefined; }

crashes opt at some scary address 0x080cec8f at NativeToValue and asserts debug at:
Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp

This has been a bug that has proved elusive when trying to reduce on a Mac and in Linux the reduced form has finally been discovered. Security-sensitive because it crashes at a scary address in opt.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

See bug 464096 for a similar assertion but slightly different testcase.

Comment 2

[Andreas Gal :gal]

#0  js_GC (cx=0x30b870, gckind=GC_NORMAL) at ../jsgc.cpp:3233
#1  0x0001679f in JS_GC (cx=0x30b870) at ../jsapi.cpp:2487
#2  0x00003c7a in GC (cx=0x30b870, argc=0, vp=0x815e20) at ../js.cpp:997
#3  0x000791e0 in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:4996
#4  0x0008a740 in js_Invoke (cx=0x30b870, argc=0, vp=0x815e18, flags=0) at jsinterp.cpp:1336
#5  0x0008a9f6 in js_InternalInvoke (cx=0x30b870, obj=0x26a1c0, fval=2557640, flags=0, argc=0, argv=0x0, rval=0xbfffc6ec) at jsinterp.cpp:1393
#6  0x0008ac57 in js_InternalGetOrSet (cx=0x30b870, obj=0x26a1c0, id=2541124, fval=2557640, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffc6ec) at jsinterp.cpp:1454
#7  0x0009ca93 in js_NativeGet (cx=0x30b870, obj=0x26a1c0, pobj=0x26a020, sprop=0x80fb30, vp=0xbfffc6ec) at ../jsobj.cpp:3732
#8  0x000229fb in array_getProperty (cx=0x30b870, obj=0x26a1c0, id=2541124, vp=0xbfffc6ec) at ../jsarray.cpp:718
#9  0x0008ca85 in CallEnumeratorNext (cx=0x30b870, iterobj=0x26a240, flags=3, rval=0xbfffc6ec) at ../jsiter.cpp:566
#10 0x0008cb95 in js_CallIteratorNext (cx=0x30b870, iterobj=0x26a240, rval=0xbfffc6ec) at ../jsiter.cpp:600
#11 0x00184a53 in js_FastCallIteratorNext (cx=0x30b870, iterobj=0x26a240) at ../jsbuiltins.cpp:258
#12 0x00243fb2 in ?? ()
#13 0xbfffedb8 in ?? ()
#14 0x0013f773 in js_MonitorLoopEdge (cx=0x30b870, inlineCallCount=@0xbffff260) at ../jstracer.cpp:3817
#15 0x0006462d in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:3097
#16 0x0008923c in js_Execute (cx=0x30b870, chain=0x26a000, script=0x30d760, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1564
#17 0x0001a65e in JS_ExecuteScript (cx=0x30b870, obj=0x26a000, script=0x30d760, rval=0x0) at ../jsapi.cpp:5083
#18 0x000083c5 in Process (cx=0x30b870, obj=0x26a000, filename=0xbffffa1c "x.js", forceTTY=0) at ../js.cpp:377
#19 0x000096bc in ProcessArgs (cx=0x30b870, obj=0x26a000, argv=0xbffff920, argc=2) at ../js.cpp:749
#20 0x0000a88b in main (argc=2, argv=0xbffff920, envp=0xbffff92c) at ../js.cpp:4321

Same issue here. gc is triggered from on-trace. To check for this break on js_GC and then run the code. If you stop from within trace code, Jason's patch will fix it. Dup of 468782.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

$ ./js-dbg-tm-intelmac -j
js> __proto__.functional getter= (new Function("gc()"));
function anonymous() {
    gc();
}
js> for each (let x in [new Boolean(true), new Boolean(true), -0, new Boolean(true), -0]) { undefined; }
Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp:3709
Trace/BPT trap

Now asserts another message and seems to work as expected in opt.

Comment 4

[Bob Clary [:bc] (inactive)]

Attachment: js1_8/extensions/regress-473040.js

i couldn't reproduce the original issue on tracemonkey with 6475993319c4

Comment 5

[Bob Clary [:bc] (inactive)]

Attachment: js1_8/extensions/regress-473040.js

forgot jit calls. :-(

Comment 6

[Bob Clary [:bc] (inactive)]

verified on 1.9.1, 1.9.1-tm, 1.9.2

Comment 7

[Bob Clary [:bc] (inactive)]

http://hg.mozilla.org/tracemonkey/rev/46099e1c0fa5
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-473040.js,v  <--  regress-473040.js
initial revision: 1.1