Closed Bug 528870 Opened 16 years ago Closed 16 years ago

TM: Crash [@ TraceRecorder::slurpDownFrames] or "Assertion failure: traceMonitor->recorder == this, at ../jstracer.cpp"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:critical?], fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

eval("\
for each(x in [0, 0, Infinity, Infinity, 0, Infinity, new Boolean(true)]) { \
((function f(aaaaaa) {\
return aaaaaa.length == 0 ? 0 : aaaaaa[0] + f(aaaaaa.slice(1))\
})([x, new Number, /x/]))\
}\
")

crashes js opt shell at TraceRecorder::slurpDownFrames at 0xc0000097 and asserts js debug shell at:

Assertion failure: traceMonitor->recorder == this, at ../jstracer.cpp:2508

with -j on TM tip on 10.5.8. Security-sensitive because this is crashing at a scary address in 32-bit in 10.5.8. It is apparently crashing near null in 64-bit in 10.6.2.

autoBisect shows this is probably related to bug 517174:

The first bad revision is:
changeset:   34686:81afd53646d4
user:        Luke Wagner
date:        Thu Nov 12 18:34:24 2009 -0800
summary:     Bug 517174 - trace js_Invoke calls from natives (r=dvander)
jsfunfuzz is hitting this fairly regularly. (Also assuming [sg:critical?] until otherwise known)

10.5.8 opt stack:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000c0000097
Crashed Thread:  0

Thread 0 Crashed:
0   js-opt-tm-darwin   0x00115b57 TraceRecorder::slurpDownFrames(unsigned char*) + 23
1   js-opt-tm-darwin   0x00117e92 TraceRecorder::startRecorder(JSContext*, VMSideExit*, VMFragment*, TreeInfo*, unsigned int, unsigned int, JSTraceType_*, VMSideExit*, unsigned char*, unsigned int, RecordReason) + 434
2   js-opt-tm-darwin   0x00118258 __ZL19AttemptToExtendTreeP9JSContextP10VMSideExitS2_Ph + 920
3   js-opt-tm-darwin   0x0011a87b js_MonitorLoopEdge(JSContext*, unsigned int&, RecordReason) + 1307
4   js-opt-tm-darwin   0x00059923 js_Interpret + 46995
5   js-opt-tm-darwin   0x0005dfdc js_Execute + 444
6   js-opt-tm-darwin   0x00070dda __ZL8obj_evalP9JSContextP8JSObjectjPlS3_ + 2346
7   js-opt-tm-darwin   0x0005e824 js_Invoke + 1332
8   js-opt-tm-darwin   0x0004ec01 js_Interpret + 2673
9   js-opt-tm-darwin   0x0005dfdc js_Execute + 444
10  js-opt-tm-darwin   0x0000d1ac JS_ExecuteScript + 60
11  js-opt-tm-darwin   0x00003de5 __ZL7ProcessP9JSContextP8JSObjectPci + 1605
12  js-opt-tm-darwin   0x00007dd4 main + 2212
13  js-opt-tm-darwin   0x00001c5b _start + 209
14  js-opt-tm-darwin   0x00001b89 start + 41
Whiteboard: [ccbr][sg:critical?]
Attached patch: fix
This was written correctly at some point in time, but lost in a rebase. Righteous fuzzing, thanks!
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #412624 - Flags: review?(dvander)
Attachment #412624 - Flags: review?(dvander) → review+
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?], fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Group: core-security
Crash Signature: [@ TraceRecorder::slurpDownFrames]
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-