Crash [@ js_TraceStackFrame] with for...in, yield

VERIFIED FIXED

Status

Product: Core
Component: JavaScript Engine
Priority: P2
Severity: critical
Status: VERIFIED FIXED
Reported: 9 years ago
Modified: 7 years ago

People

(Reporter: gkw, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86 Mac OS X
Keywords: crash, regression, testcase, verified1.9.2
Points: ---
Bug Flags:
blocking1.9.2 +
in-testsuite +

Firefox Tracking Flags

(status1.9.2 beta1-fixed, status1.9.1 unaffected)

Details

(Whiteboard: [sg:nse][ccbr] fixed-in-tracemonkey, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
for (a in (function () {
    yield
})()) gczeal(2); *

crashes near null at js_TraceStackFrame in debug js shell on TM branch without -j. Turning security-sensitive because this involves gczeal.

autoBisect shows this is probably related to bug 517041:

The first bad revision is:
changeset:   32269:5002e220aac1
user:        Blake Kaplan
date:        Wed Sep 16 16:13:41 2009 -0700
summary:     Bug 517041 - Instead of giving pseudo frames an sp, protect against null sps during GC. r=brendan

===

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
Crashed Thread:  0

Thread 0 Crashed:
0   js-dbg-tm-darwin              	0x0006a8f1 js_TraceStackFrame + 535
1   js-dbg-tm-darwin              	0x0009d79c generator_trace(JSTracer*, JSObject*) + 118
2   js-dbg-tm-darwin              	0x000b2d0b js_TraceObject + 363
3   js-dbg-tm-darwin              	0x0006a230 JS_TraceChildren + 90
4   js-dbg-tm-darwin              	0x0006a18b JS_CallTracer + 1513
5   js-dbg-tm-darwin              	0x0006ae5a TraceWeakRoots(JSTracer*, JSWeakRoots*) + 104
6   js-dbg-tm-darwin              	0x0006b2e5 js_TraceContext + 837
7   js-dbg-tm-darwin              	0x0006b904 js_TraceRuntime + 172
8   js-dbg-tm-darwin              	0x0006c2dd js_GC + 905
9   js-dbg-tm-darwin              	0x0006e12d JSObject* NewGCThing<JSObject>(JSContext*, unsigned int) + 329
10  js-dbg-tm-darwin              	0x0006e49b js_NewGCObject + 17
11  js-dbg-tm-darwin              	0x000a82d3 js_NewObjectWithGivenProto + 275
12  js-dbg-tm-darwin              	0x001246b4 js_GetAnyName + 144
13  js-dbg-tm-darwin              	0x000929fa js_Interpret + 141068
14  js-dbg-tm-darwin              	0x000997d7 js_Execute + 1155
15  js-dbg-tm-darwin              	0x0001ef82 JS_ExecuteScript + 54
16  js-dbg-tm-darwin              	0x000089a8 Process(JSContext*, JSObject*, char*, int) + 1408
17  js-dbg-tm-darwin              	0x00009e3a ProcessArgs(JSContext*, JSObject*, char**, int) + 2276
18  js-dbg-tm-darwin              	0x0000b493 main + 927
19  js-dbg-tm-darwin              	0x000020eb _start + 209
20  js-dbg-tm-darwin              	0x00002019 start + 41
Flags: blocking1.9.2?
(Reporter)

Updated

9 years ago
Whiteboard: [ccbr]
(Assignee)

Comment 1

9 years ago
Created attachment 401259 [details] [diff] [review]
Fix a bad assert

This is just a bug in the assertion. It means to say "if there are regs but no sp, then nfixed must be 0."
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #401259 - Flags: review?(jwalden+bmo)
(Assignee)

Comment 2

9 years ago
(and it can say that because the only way for that condition to be true is for a pseudo js_watch_set frame.)
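As an added illustration, not code from this bug, its attachment, or SpiderMonkey, the following constructed C model shows the invariant comment 1 describes ("if there are regs but no sp, then nfixed must be 0") written so that it can be evaluated on a pseudo frame whose sp is NULL, which is the situation comment 2 attributes to js_watch_set frames. Every name in it (StackFrame, FrameRegs, frame_invariant_holds, trace_frame_slots, the demo_* helpers) is hypothetical, and the frames are constructed sample data.

```c
/* Constructed model of a GC stack-frame tracer and its invariant check.
 * Not SpiderMonkey code: all types and function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long jsval_t;   /* hypothetical tagged value */

typedef struct {
    jsval_t *sp;        /* NULL for a pseudo frame (the js_watch_set case of comment 2) */
} FrameRegs;

typedef struct {
    FrameRegs *regs;    /* NULL when the frame is not currently executing */
    jsval_t   *slots;   /* base of the frame's slot array */
    size_t     nfixed;  /* number of fixed slots that are always live */
} StackFrame;

/* The invariant the corrected assertion encodes. regs and sp are tested for
 * NULL before anything is dereferenced, so the condition can actually be
 * evaluated on a pseudo frame instead of faulting inside the check itself. */
static int frame_invariant_holds(const StackFrame *fp)
{
    if (!fp->regs)
        return 1;                    /* no regs: nothing to check */
    if (!fp->regs->sp)
        return fp->nfixed == 0;      /* regs but no sp: only legal with no fixed slots */
    return fp->regs->sp >= fp->slots + fp->nfixed;   /* live sp must cover the fixed slots */
}

/* Marks (here: counts) the live slots of a frame the way a tracer would.
 * Returns the number of slots traced, or -1 if the invariant is violated.
 * The sp == NULL case traces nothing, which is safe precisely because the
 * invariant guarantees nfixed == 0 there. */
static long trace_frame_slots(const StackFrame *fp)
{
    if (!frame_invariant_holds(fp))
        return -1;
    if (!fp->regs)
        return (long)fp->nfixed;                   /* inactive frame: fixed slots only */
    if (!fp->regs->sp)
        return 0;                                  /* pseudo frame: no live slots */
    return (long)(fp->regs->sp - fp->slots);       /* active frame: slots[0..sp) */
}

/* Constructed scenarios. Each builds one frame and returns the tracer's result. */
static long demo_active_frame(void)
{
    static jsval_t slots[8];                       /* 5 live slots, 2 of them fixed */
    FrameRegs regs = { slots + 5 };
    StackFrame fp = { &regs, slots, 2 };
    return trace_frame_slots(&fp);                 /* 5 */
}

static long demo_pseudo_frame(void)
{
    FrameRegs regs = { NULL };                     /* regs present, sp NULL, nfixed 0 */
    StackFrame fp = { &regs, NULL, 0 };
    return trace_frame_slots(&fp);                 /* 0, with no NULL dereference */
}

static long demo_bad_pseudo_frame(void)
{
    FrameRegs regs = { NULL };                     /* regs present, sp NULL, nfixed 2 */
    StackFrame fp = { &regs, NULL, 2 };
    return trace_frame_slots(&fp);                 /* -1: invariant violated */
}

static long demo_inactive_frame(void)
{
    static jsval_t slots[4];                       /* no regs, 3 fixed slots */
    StackFrame fp = { NULL, slots, 3 };
    return trace_frame_slots(&fp);                 /* 3 */
}

int main(void)
{
    printf("active frame:     %ld slots traced\n", demo_active_frame());
    printf("pseudo frame:     %ld slots traced\n", demo_pseudo_frame());
    printf("bad pseudo frame: %ld (invariant violated)\n", demo_bad_pseudo_frame());
    printf("inactive frame:   %ld slots traced\n", demo_inactive_frame());
    return 0;
}
```

The point of the model is the ordering inside frame_invariant_holds: a check that reads through sp before confirming it is non-NULL cannot report the violation it was written to report, because the read itself faults first, which is the "crashing before it could even be tested" symptom discussed later in this bug.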

Updated

9 years ago
Attachment #401259 - Flags: review?(jwalden+bmo) → review+
blocking 1.9.2+ P2.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
(Assignee)

Comment 4

9 years ago
http://hg.mozilla.org/tracemonkey/rev/14d4bb685d0a
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
js1_7/extensions/regress-355512.js crashes this way, so we had test suite coverage.
Flags: in-testsuite+
Group: core-security

Comment 6

I don't think we should be calling debug-only exit()s due to an assert a "crash" -- that's confusing two different symptoms.
Keywords: crash → assertion
Summary: Crash [@ js_TraceStackFrame] with for...in, yield → assertion [@ js_TraceStackFrame] with for...in, yield
Whiteboard: [ccbr] fixed-in-tracemonkey → [sg:nse][ccbr] fixed-in-tracemonkey
(Assignee)

Comment 7

9 years ago
(In reply to comment #6)
> I don't think we should be calling debug-only exit()s due to an assert a
> "crash" -- that's confusing two different symptoms.

This was a crash, though. The assertion condition was crashing before it could even be tested.

Updated

9 years ago
Keywords: assertion → crash
Summary: assertion [@ js_TraceStackFrame] with for...in, yield → Crash [@ js_TraceStackFrame] with for...in, yield

Comment 8

9 years ago
http://hg.mozilla.org/mozilla-central/rev/14d4bb685d0a
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 9

9 years ago
This is now happening on mozilla-1.9.2 since bug 517041 was checked in there.

Comment 10

9 years ago
This is also covered by js1_7/extensions/regress-387955-01.js on 1.9.2

Comment 11

9 years ago
sayrer: ping re comment 9

Comment 12

9 years ago
what about comment 9?
This needs to land in 1.9.2, at a guess? Just trying to keep up with my bugmail.

/be

Comment 14

9 years ago
yes. this needs to land on 1.9.2. sorry about not being more specific.

Comment 16

9 years ago
js1_7/extensions/regress-355512.js
js1_7/extensions/regress-387955-01.js

v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
status1.9.1: --- → unaffected
Crash Signature: [@ js_TraceStackFrame]