Closed Bug 473040 Opened 11 years ago Closed 11 years ago

TM: Crash [@ NativeToValue]


(Core :: JavaScript Engine, defect, critical)

(Reporter: gkw, Unassigned)


(Blocks 1 open bug)


(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])

Crash Data


(2 files, 1 obsolete file)

__proto__.functional getter= (new Function("gc()"));
for each (let x in [new Boolean(true), new Boolean(true), -0, new Boolean(true), -0]) { undefined; }

Crashes opt at some scary address 0x080cec8f in NativeToValue, and asserts in debug with:
Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp

This bug has proved elusive to reduce on a Mac; on Linux the reduced form has finally been discovered. Security-sensitive because it crashes at a scary address in opt.
Flags: blocking1.9.1?
See bug 464096 for a similar assertion but slightly different testcase.
OS: Linux → All
Hardware: x86 → All
Whiteboard: [sg:critical?]
Flags: blocking1.9.1? → blocking1.9.1+
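The mechanism behind the testcase, as an added example that is not part of this bug report or of SpiderMonkey: the stack trace in this bug shows the getter being reached from CallEnumeratorNext through array_getProperty and js_NativeGet, i.e. the for-each loop enumerates the enumerable accessor inherited from Object.prototype and reads its value, which runs the getter (and so gc()) while the loop is on trace. The code below reproduces that reachability in current JavaScript: Object.defineProperty and for-in with an explicit value read stand in for the legacy `getter=` and `for each` forms, and a log entry stands in for gc(). The function names, the SAMPLE array and the hasOwnProperty-guarded variant are assumptions for illustration only.

```javascript
// Added example, not code from the bug report: shows that an enumerable
// accessor installed on Object.prototype is visited when an array is
// iterated, and that reading its value runs the getter (where the testcase
// calls gc()). Names and inputs here are constructed for illustration.
"use strict";

// Install an enumerable accessor on Object.prototype, as the testcase does
// with `__proto__.functional getter= ...` at the shell's top level (where
// __proto__ is Object.prototype). "functional" is the name from the testcase.
function installTrapGetter(log) {
  Object.defineProperty(Object.prototype, "functional", {
    get() {
      log.push("getter invoked");   // the original testcase calls gc() here
      return undefined;
    },
    enumerable: true,
    configurable: true,
  });
}

function removeTrapGetter() {
  delete Object.prototype.functional;
}

// Walk an array the way `for each` did: enumerate every enumerable property,
// inherited ones included, and read its value. Returns the keys visited and
// the getter log, so a caller can see that "functional" is reached through
// Array.prototype -> Object.prototype and that the value read fires the getter.
function iterateLikeForEach(arr) {
  const log = [];
  const keys = [];
  installTrapGetter(log);
  try {
    for (const k in arr) {        // for-in walks inherited enumerable props too
      keys.push(k);
      void arr[k];                // the value read is what invokes the accessor
    }
  } finally {
    removeTrapGetter();           // do not leave Object.prototype polluted
  }
  return { keys, log };
}

// Same loop with the usual guard against inherited enumerable properties:
// the accessor is never read, so its side effect never runs.
function iterateOwnOnly(arr) {
  const log = [];
  const keys = [];
  installTrapGetter(log);
  try {
    for (const k in arr) {
      if (!Object.prototype.hasOwnProperty.call(arr, k)) continue;
      keys.push(k);
      void arr[k];
    }
  } finally {
    removeTrapGetter();
  }
  return { keys, log };
}

// Constructed input mirroring the testcase's array literal.
const SAMPLE = [new Boolean(true), new Boolean(true), -0, new Boolean(true), -0];

if (typeof require !== "undefined" && require.main === module) {
  console.log(iterateLikeForEach(SAMPLE));   // keys end with "functional", log has one entry
  console.log(iterateOwnOnly(SAMPLE));       // keys "0".."4" only, log empty
}
```

The point for an engine (or a fuzzer) is the first variant: the loop body is trivial, yet one iteration runs arbitrary script, and anything that script does (here, forcing a GC) happens while the trace-compiled loop is live. The guarded variant only shows that the accessor is reached solely through enumeration of inherited properties.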
#0  js_GC (cx=0x30b870, gckind=GC_NORMAL) at ../jsgc.cpp:3233
#1  0x0001679f in JS_GC (cx=0x30b870) at ../jsapi.cpp:2487
#2  0x00003c7a in GC (cx=0x30b870, argc=0, vp=0x815e20) at ../js.cpp:997
#3  0x000791e0 in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:4996
#4  0x0008a740 in js_Invoke (cx=0x30b870, argc=0, vp=0x815e18, flags=0) at jsinterp.cpp:1336
#5  0x0008a9f6 in js_InternalInvoke (cx=0x30b870, obj=0x26a1c0, fval=2557640, flags=0, argc=0, argv=0x0, rval=0xbfffc6ec) at jsinterp.cpp:1393
#6  0x0008ac57 in js_InternalGetOrSet (cx=0x30b870, obj=0x26a1c0, id=2541124, fval=2557640, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffc6ec) at jsinterp.cpp:1454
#7  0x0009ca93 in js_NativeGet (cx=0x30b870, obj=0x26a1c0, pobj=0x26a020, sprop=0x80fb30, vp=0xbfffc6ec) at ../jsobj.cpp:3732
#8  0x000229fb in array_getProperty (cx=0x30b870, obj=0x26a1c0, id=2541124, vp=0xbfffc6ec) at ../jsarray.cpp:718
#9  0x0008ca85 in CallEnumeratorNext (cx=0x30b870, iterobj=0x26a240, flags=3, rval=0xbfffc6ec) at ../jsiter.cpp:566
#10 0x0008cb95 in js_CallIteratorNext (cx=0x30b870, iterobj=0x26a240, rval=0xbfffc6ec) at ../jsiter.cpp:600
#11 0x00184a53 in js_FastCallIteratorNext (cx=0x30b870, iterobj=0x26a240) at ../jsbuiltins.cpp:258
#12 0x00243fb2 in ?? ()
#13 0xbfffedb8 in ?? ()
#14 0x0013f773 in js_MonitorLoopEdge (cx=0x30b870, inlineCallCount=@0xbffff260) at ../jstracer.cpp:3817
#15 0x0006462d in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:3097
#16 0x0008923c in js_Execute (cx=0x30b870, chain=0x26a000, script=0x30d760, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1564
#17 0x0001a65e in JS_ExecuteScript (cx=0x30b870, obj=0x26a000, script=0x30d760, rval=0x0) at ../jsapi.cpp:5083
#18 0x000083c5 in Process (cx=0x30b870, obj=0x26a000, filename=0xbffffa1c "x.js", forceTTY=0) at ../js.cpp:377
#19 0x000096bc in ProcessArgs (cx=0x30b870, obj=0x26a000, argv=0xbffff920, argc=2) at ../js.cpp:749
#20 0x0000a88b in main (argc=2, argv=0xbffff920, envp=0xbffff92c) at ../js.cpp:4321

Same issue here. gc is triggered from on-trace. To check for this, break on js_GC and then run the code. If you stop from within trace code, Jason's patch will fix it. Dup of bug 468782.
Closed: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 468782
Flags: in-testsuite?
$ ./js-dbg-tm-intelmac -j
js> __proto__.functional getter= (new Function("gc()"));
function anonymous() {
js> for each (let x in [new Boolean(true), new Boolean(true), -0, new Boolean(true), -0]) { undefined; }
Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp:3709
Trace/BPT trap

Now asserts another message and seems to work as expected in opt.
Duplicate of bug: 464096
Depends on: 475144
Attached file js1_8/extensions/regress-473040.js (obsolete) —
I couldn't reproduce the original issue on tracemonkey with 6475993319c4.
Flags: in-testsuite? → in-testsuite+
Forgot jit calls. :-(
Attachment #360727 - Attachment is obsolete: true
Verified on 1.9.1, 1.9.1-tm, 1.9.2.
Flags: wanted1.9.0.x-
Group: core-security
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-473040.js,v  <--  regress-473040.js
initial revision: 1.1
Crash Signature: [@ NativeToValue]