Bug 567059 - Crash [@ js_LookupPropertyWithFlags] or "Assertion failure: isNative(),"
Status: Closed (opened 15 years ago, closed 14 years ago)
Product / Component: Core :: JavaScript Engine (defect, P2)
People: Reporter: gkw; Assigned: gal
Keywords: 4 keywords; Whiteboard: [sg:critical?], fixed-in-tracemonkey
Attachments (2 files, 1 obsolete file):
- patch, 824 bytes; dvander: review+
- patch, 734 bytes; brendan: review+; christian: approval1.9.2.7+

Description (reporter, 15 years ago):
// Test case: call a method on a non-native (proxy) object inside a loop so
// the tracer starts recording the call (run with -j).
for (a = 0; a < 8; ++a) {
  if (a) {
    Proxy.create({}).t()
  }
}
crashes the js opt shell on TM tip with -j at js_LookupPropertyWithFlags, and asserts in the js debug shell on TM tip with -j with: Assertion failure: isNative(), at ../jsscope.h:549
Tested on 64-bit Ubuntu Linux 10.04 and changeset tm-42457-f423fbc93e3f. Assuming this is related to harmony:proxies. Doesn't seem related to bug 566908.
Console stdout:
Program received signal SIGSEGV, Segmentation fault.
0x000000000046673d in js_LookupPropertyWithFlags ()
(gdb) bt
#0 0x000000000046673d in js_LookupPropertyWithFlags ()
#1 0x0000000000519d87 in js::TraceRecorder::test_property_cache(JSObject*, nanojit::LIns*, JSObject*&, js::PCVal&) ()
#2 0x0000000000524424 in js::TraceRecorder::record_JSOP_CALLPROP() ()
#3 0x0000000000527e4d in js::TraceRecorder::monitorRecording(JSOp) ()
#4 0x000000000054d64a in js_Interpret ()
#5 0x0000000000458421 in js_Execute ()
#6 0x000000000040b6d6 in JS_ExecuteScript ()
#7 0x00000000004069e5 in Process(JSContext*, JSObject*, char*, int) ()
#8 0x0000000000407269 in main ()
(gdb) x/i $rip
=> 0x46673d <js_LookupPropertyWithFlags+189>: cmp (%rdx),%rbx
(gdb) x/b $rdx
0xffffffff: Cannot access memory at address 0xffffffff
Comment 1 (assignee, 15 years ago):
Our soon to be native xml and with objects would have hit this, too. Good thing we found it early.
Assignee: general → gal
Attachment #446456 - Flags: review?(dvander)
Comment 2 (15 years ago):
(In reply to comment #1)
> Our soon to be native xml and with objects would have hit this, too.
s/native/non-native/
We have non-native Java objects in 3.6 still. Wonder what the test does with such a LiveConnect critter instead of Proxy.create()'s return value.
/be
Comment 3 (assignee, 15 years ago):
map will be null, so it's probably a fairly safe crash
Group: core-security
Comment 4 (15 years ago):
map will point to a singleton shared map statically pointed at by the non-native JSObjectOps singleton.
/be
Updated (15 years ago):
Attachment #446456 - Flags: review?(dvander) → review+
Comment 5 (assignee, 15 years ago):
The actual effects are still a bit unclear but best case we generate bad jit code and more likely we crash.
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Whiteboard: [sg:investigate?]
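The failure mode discussed in comments 3 to 5 (a non-native object's map is a shared singleton rather than a scope, so a fast path that only works for native objects reads through it) can be shown with a stand-alone C model. This is an added example, not SpiderMonkey code and not either patch from this bug; every name in it (obj_t, scope_t, native_ops, proxy_ops, guarded_lookup, unguarded_trusted_count, replay_testcase) is an assumption made for the illustration, and the 0xff-filled shared map is a constructed stand-in for the real non-native map. It contrasts the unguarded lookup (trusting obj->map as a scope for every object) with a guarded one that aborts recording for non-natives, and replays the loop shape of the test case in the description.

```c
/* Added illustration; not SpiderMonkey code. All names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { LOOKUP_MISSING = -1, LOOKUP_ABORT_RECORDING = -2 };

/* A native object's map: a real property table (scope). */
typedef struct scope {
    size_t count;
    const char *names[4];
    int slots[4];
} scope_t;

/* Per-class operations; is_native stands in for isNative(). */
typedef struct ops {
    const char *name;
    int is_native;
} ops_t;

typedef struct obj {
    const ops_t *ops;
    void *map;   /* scope_t* for natives; shared sentinel for non-natives */
} obj_t;

static const ops_t native_ops = { "native", 1 };
static const ops_t proxy_ops  = { "proxy",  0 };

/* The shared map every non-native object points at (constructed stand-in):
 * scope_t-sized but filled with 0xff bytes, so nothing in it is a valid scope. */
typedef union {
    scope_t as_scope;
    unsigned char raw[sizeof(scope_t)];
} nonnative_map_t;

static void *shared_nonnative_map(void) {
    static nonnative_map_t m;
    static int ready;
    if (!ready) {
        memset(m.raw, 0xff, sizeof m.raw);
        ready = 1;
    }
    return &m;
}

static obj_t make_native(scope_t *s) { obj_t o = { &native_ops, s }; return o; }
static obj_t make_proxy(void) { obj_t o = { &proxy_ops, shared_nonnative_map() }; return o; }

static int scope_lookup(const scope_t *s, const char *name) {
    for (size_t i = 0; i < s->count; i++)
        if (strcmp(s->names[i], name) == 0)
            return s->slots[i];
    return LOOKUP_MISSING;
}

/* Bug pattern: treat obj->map as a scope for any object. On a proxy this reads
 * the 0xff sentinel as a property count; walking names[] from those bytes is the
 * wild read seen in the gdb session. We stop at the count so the model stays
 * defined behaviour. */
static size_t unguarded_trusted_count(const obj_t *o) {
    return ((const scope_t *)o->map)->count;
}

/* Guarded pattern: never use the native-only path on a non-native object;
 * the recorder aborts recording instead of consulting the property cache. */
static int guarded_lookup(const obj_t *o, const char *name) {
    if (!o->ops->is_native)
        return LOOKUP_ABORT_RECORDING;
    return scope_lookup((const scope_t *)o->map, name);
}

/* Constructed scope with property "t" at slot 7 (a native receiver for .t()). */
static scope_t *demo_scope(void) {
    static scope_t s;
    s.count = 1;
    s.names[0] = "t";
    s.slots[0] = 7;
    return &s;
}

/* Replays the test case's loop: iteration 0 skips the call, every later
 * iteration calls .t() on a fresh proxy. Returns how many calls were aborted. */
static int replay_testcase(int iterations) {
    int aborts = 0;
    for (int a = 0; a < iterations; ++a) {
        if (a) {
            obj_t p = make_proxy();
            if (guarded_lookup(&p, "t") == LOOKUP_ABORT_RECORDING)
                aborts++;
        }
    }
    return aborts;
}

static int demo_native_lookup(void) { obj_t n = make_native(demo_scope()); return guarded_lookup(&n, "t"); }
static int demo_proxy_lookup(void) { obj_t p = make_proxy(); return guarded_lookup(&p, "t"); }
static int demo_proxy_count_is_max(void) { obj_t p = make_proxy(); return unguarded_trusted_count(&p) == SIZE_MAX; }
```

The point of the model is the guard's placement: the native check happens before obj->map is reinterpreted, which is the same ordering the isNative() assertion in jsscope.h enforces in debug builds and that the opt build lacked on this path.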
Updated (assignee, 15 years ago)
Comment 6 (assignee, 15 years ago):
Whiteboard: [sg:investigate?] → [sg:investigate?], fixed-in-tracemonkey
Comment 7 (assignee, 15 years ago): (no text)
Comment 8 (assignee, 15 years ago):
Double aehm ... Follow-up fix. 2-liner and we got it still wrong. That will teach me not to thoroughly test trivial fixes.
http://hg.mozilla.org/tracemonkey/rev/aefd4f69b448
Comment 9 (15 years ago):
Andreas: can you provide a roll-up patch for mozilla-1.9.2 landing and nominate for approval1.9.2.5?
blocking1.9.2: ? → needed
Updated (15 years ago):
blocking1.9.1: ? → needed
Comment 10 (assignee, 14 years ago):
#9: pulling 1.9.2. Patch today.
Updated (14 years ago):
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Comment 11 (14 years ago):
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated (14 years ago):
blocking1.9.2: .5+ → .6+
Whiteboard: [sg:investigate?], fixed-in-tracemonkey → [sg:critical?][needs branch patch or approval request from :gal] fixed-in-tracemonkey
Comment 12 (14 years ago):
Any hope for branch patches for this?
Comment 13 (assignee, 14 years ago):
Attachment #446456 - Attachment is obsolete: true
Updated (assignee, 14 years ago):
Attachment #446456 - Attachment is obsolete: false
Updated (assignee, 14 years ago):
Attachment #454234 - Attachment description: patch → 1.9.2 patch
Comment 14 (assignee, 14 years ago):
Comment on attachment 454234 [details] [diff] [review]
1.9.2 patch
Can someone land this for me please? (It's a blocker, so I am not sure I even need approval.)
Attachment #454234 - Flags: approval1.9.2.6?
Updated (assignee, 14 years ago):
Keywords: checkin-needed
Whiteboard: [sg:critical?][needs branch patch or approval request from :gal] fixed-in-tracemonkey → [sg:critical?], fixed-in-tracemonkey
Comment 15 (14 years ago):
Attachment #454234 - Attachment is obsolete: true
Attachment #454241 - Flags: review+
Attachment #454241 - Flags: approval1.9.2.6?
Attachment #454234 - Flags: approval1.9.2.6?
Comment 16 (assignee, 14 years ago):
Thanks for catching this. Pulling 1.9.1 right now over the hotel's 9600 baud connection.
Comment 17 (14 years ago):
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1804452e19b1
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98888b2f3bf8
I wasn't able to build 1.9.2 js shell (debug or opt) on 64-bit Mac:
c++ -o jsregexp.o -c -fvisibility=hidden -DOSTYPE=\"Darwin10.4.0\" -DOSARCH=Darwin -DEXPORT_JS_API -DJS_USE_SAFE_ARENA -I.. -I. -I./dist/include -I./dist/include/nsprpub -I.. -fPIC -fno-rtti -fno-exceptions -Wall -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wcast-align -Wno-invalid-offsetof -Wno-variadic-macros -Wno-long-long -fno-strict-aliasing -fpascal-strings -fno-common -pthread -pipe -DNDEBUG -DTRIMMED -O3 -fstrict-aliasing -DMOZILLA_CLIENT -include ./js-confdefs.h -Wp,-MD,.deps/jsregexp.pp ../jsregexp.cpp
{standard input}:17427:suffix or operands invalid for `call'
make[1]: *** [jsregexp.o] Error 1
make: *** [default] Error 2
So I went in blind. Then opened my eyes and read the patch, and fixed the bug in it :-|.
Setting .6-fixed but if this goes in .7 due to another release intervening, please fix the status.
/be
Updated (14 years ago)
Comment 18 (assignee, 14 years ago):
Yeah that's why I didn't test either. Can't build 1.9.1 either. Trying to build for 32-bit. Maybe that works.
Comment 19 (14 years ago):
(In reply to comment #17)
> Setting .6-fixed but if this goes in .7 due to another release intervening,
> please fix the status.
Is there a reason why this landed without approval? All branch patches require approval from drivers before landing.
Comment 20 (14 years ago):
(In reply to comment #14)
> Can someone land this for me please? (its a blocker so I am not sure I even
> need approval)
*All* patches on the branches require approval. It seems dveditz needs to do his yearly reminder mail...
http://groups.google.com/group/mozilla.dev.planning/browse_thread/thread/9b31b7523bd8cc48/5a289dbac727fead
Updated (14 years ago):
Keywords: checkin-needed
Comment 21 (14 years ago):
Reed, you are not helping here.
/be
Attachment #454241 - Flags: approval1.9.2.7? → approval1.9.2.7+
Comment 22 (14 years ago):
a=LegNeato for 1.9.2.7, though we only want it if we can be sure we will be getting the 1.9.1 patch as well (don't want to leave those users vulnerable).
Comment 23 (14 years ago): (no text)
Comment 24 (14 years ago):
no crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7pre) Gecko/20100701 Firefox/3.6.7pre
Garry, can you reproduce the crash?
Comment 25 (reporter, 14 years ago):
Proxies are not defined for 1.9.1 and 1.9.2 so the underlying issue cannot be tested using the original testcase in comment #0.
Updated (14 years ago):
blocking2.0: ? → betaN+
Updated (14 years ago):
Group: core-security
Updated (14 years ago):
Flags: in-testsuite?
Updated (13 years ago):
Crash Signature: [@ js_LookupPropertyWithFlags]
Comment 26 (12 years ago):
Filter on qa-project-auto-change:
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-