Closed Bug 517250 Opened 15 years ago Closed 15 years ago

Crash [@ js_TraceStackFrame] with for...in, yield

Categories

(Core :: JavaScript Engine, defect, P2)

x86
macOS
defect

Tracking

VERIFIED FIXED
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: mrbkap)

References

Details

(4 keywords, Whiteboard: [sg:nse][ccbr] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

for (a in (function () {
    yield
})()) gczeal(2); *

crashes near null at js_TraceStackFrame in debug js shell on TM branch without -j. Turning security-sensitive because this involves gczeal.

autoBisect shows this is probably related to bug 517041:

The first bad revision is:
changeset:   32269:5002e220aac1
user:        Blake Kaplan
date:        Wed Sep 16 16:13:41 2009 -0700
summary:     Bug 517041 - Instead of giving pseudo frames an sp, protect against null sps during GC. r=brendan

===

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
Crashed Thread:  0

Thread 0 Crashed:
0   js-dbg-tm-darwin              	0x0006a8f1 js_TraceStackFrame + 535
1   js-dbg-tm-darwin              	0x0009d79c generator_trace(JSTracer*, JSObject*) + 118
2   js-dbg-tm-darwin              	0x000b2d0b js_TraceObject + 363
3   js-dbg-tm-darwin              	0x0006a230 JS_TraceChildren + 90
4   js-dbg-tm-darwin              	0x0006a18b JS_CallTracer + 1513
5   js-dbg-tm-darwin              	0x0006ae5a TraceWeakRoots(JSTracer*, JSWeakRoots*) + 104
6   js-dbg-tm-darwin              	0x0006b2e5 js_TraceContext + 837
7   js-dbg-tm-darwin              	0x0006b904 js_TraceRuntime + 172
8   js-dbg-tm-darwin              	0x0006c2dd js_GC + 905
9   js-dbg-tm-darwin              	0x0006e12d JSObject* NewGCThing<JSObject>(JSContext*, unsigned int) + 329
10  js-dbg-tm-darwin              	0x0006e49b js_NewGCObject + 17
11  js-dbg-tm-darwin              	0x000a82d3 js_NewObjectWithGivenProto + 275
12  js-dbg-tm-darwin              	0x001246b4 js_GetAnyName + 144
13  js-dbg-tm-darwin              	0x000929fa js_Interpret + 141068
14  js-dbg-tm-darwin              	0x000997d7 js_Execute + 1155
15  js-dbg-tm-darwin              	0x0001ef82 JS_ExecuteScript + 54
16  js-dbg-tm-darwin              	0x000089a8 Process(JSContext*, JSObject*, char*, int) + 1408
17  js-dbg-tm-darwin              	0x00009e3a ProcessArgs(JSContext*, JSObject*, char**, int) + 2276
18  js-dbg-tm-darwin              	0x0000b493 main + 927
19  js-dbg-tm-darwin              	0x000020eb _start + 209
20  js-dbg-tm-darwin              	0x00002019 start + 41
Flags: blocking1.9.2?
Whiteboard: [ccbr]
Attached patch: Fix a bad assert
This is just a bug in the assertion. It means to say "if there are regs but no sp, then nfixed must be 0."
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #401259 - Flags: review?(jwalden+bmo)
(and it can say that because the only way for that condition to be true is for a pseudo js_watch_set frame.)
Attachment #401259 - Flags: review?(jwalden+bmo) → review+
blocking 1.9.2+ P2.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
http://hg.mozilla.org/tracemonkey/rev/14d4bb685d0a
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
js1_7/extensions/regress-355512.js crashes this way, so we had test suite coverage.
Flags: in-testsuite+
Group: core-security
I don't think we should be calling debug-only exit()s due to an assert a "crash" -- that's confusing two different symptoms.
Keywords: crash → assertion
Summary: Crash [@ js_TraceStackFrame] with for...in, yield → assertion [@ js_TraceStackFrame] with for...in, yield
Whiteboard: [ccbr] fixed-in-tracemonkey → [sg:nse][ccbr] fixed-in-tracemonkey
(In reply to comment #6)
> I don't think we should be calling debug-only exit()s due to an assert a
> "crash" -- that's confusing two different symptoms.

This was a crash, though. The assertion condition was crashing before it could even be tested.
Keywords: assertion → crash
Summary: assertion [@ js_TraceStackFrame] with for...in, yield → Crash [@ js_TraceStackFrame] with for...in, yield
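The invariant the corrected assertion expresses ("if there are regs but no sp, then nfixed must be 0") and the trap comment 7 describes (an assertion whose condition touches the null sp before the predicate can be evaluated) can be shown in a small C model. The code below is an added illustration, not SpiderMonkey's code and not the patch from this bug: the struct names, fields and functions are assumptions chosen to mirror the discussion, and the frames are constructed inline.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical frame layout used only for this illustration. The names
 * (frame_regs, stack_frame, slots, nfixed) are assumptions, not the
 * engine's real definitions. */
typedef uintptr_t jsval_t;

struct frame_regs {
    jsval_t *sp;     /* operand stack pointer; NULL in a pseudo frame */
    const void *pc;  /* program counter; unused here */
};

struct stack_frame {
    struct frame_regs *regs;   /* NULL when the frame is not running */
    jsval_t *slots;            /* base of the frame's slot array */
    size_t nfixed;             /* fixed slots (locals) below the operand stack */
};

/* The precondition as comment 2 states it: a frame may have regs with a
 * NULL sp only when it has no fixed slots. The check is ordered so that
 * sp is compared against NULL before anything is computed from it, which
 * is the whole point of the fix: the old assertion's condition used sp
 * first and so faulted before the predicate could be tested. */
bool pseudo_frame_invariant_ok(const struct stack_frame *fp)
{
    if (fp->regs != NULL && fp->regs->sp == NULL)
        return fp->nfixed == 0;
    return true;
}

/* Count the slots a GC trace of this frame would mark. Fixed slots are
 * always traced; the operand stack is traced only when sp exists. A
 * pseudo frame therefore contributes nothing, which is consistent with
 * the invariant forcing nfixed to 0 for it. */
size_t trace_frame_slot_count(const struct stack_frame *fp)
{
    assert(pseudo_frame_invariant_ok(fp));   /* safe: never dereferences a NULL sp */

    size_t n = fp->nfixed;
    if (fp->regs != NULL && fp->regs->sp != NULL) {
        jsval_t *stack_base = fp->slots + fp->nfixed;
        assert(fp->regs->sp >= stack_base);
        n += (size_t)(fp->regs->sp - stack_base);
    }
    return n;
}

/* Constructed sample frames (assumed data, not from the bug report). */
static jsval_t sample_slots[8];

struct stack_frame active_frame(void)
{
    static struct frame_regs regs;
    regs.sp = sample_slots + 5;            /* 2 fixed slots + 3 operands */
    regs.pc = NULL;
    struct stack_frame fp = { &regs, sample_slots, 2 };
    return fp;
}

struct stack_frame pseudo_frame(size_t nfixed)
{
    static struct frame_regs regs;
    regs.sp = NULL;                        /* regs present, no operand stack */
    regs.pc = NULL;
    struct stack_frame fp = { &regs, sample_slots, nfixed };
    return fp;
}

int main(void)
{
    struct stack_frame a = active_frame();
    struct stack_frame p = pseudo_frame(0);
    struct stack_frame bad = pseudo_frame(3);
    printf("active frame traces %zu slots\n", trace_frame_slot_count(&a));
    printf("pseudo frame traces %zu slots\n", trace_frame_slot_count(&p));
    printf("pseudo frame with nfixed=3 satisfies invariant: %s\n",
           pseudo_frame_invariant_ok(&bad) ? "yes" : "no");
    return 0;
}
```

The ordering inside pseudo_frame_invariant_ok is the practitioner's takeaway: an assertion guarding a nullable pointer must test the pointer before any subexpression reads through it, otherwise a debug build reports a segfault rather than the assertion failure it was meant to report, which is exactly the "crash vs. assertion" distinction argued over in comments 6 and 7.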
http://hg.mozilla.org/mozilla-central/rev/14d4bb685d0a
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
This is now happening on mozilla-1.9.2 since bug 517041 was checked in there.
This is also covered by js1_7/extensions/regress-387955-01.js on 1.9.2
sayrer: ping re comment 9
what about comment 9?
This needs to land in 1.9.2, at a guess? Just trying to keep up with my bugmail.

/be
yes. this needs to land on 1.9.2. sorry about not being more specific.
js1_7/extensions/regress-355512.js
js1_7/extensions/regress-387955-01.js

v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Crash Signature: [@ js_TraceStackFrame]