Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Crash [@ js_LookupPropertyWithFlags] or "Assertion failure: isNative(),"

RESOLVED FIXED

Status

()

Core
JavaScript Engine
P2
critical
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: gkw, Assigned: gal)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 .7+, status1.9.2 .7-fixed, blocking1.9.1 .11+, status1.9.1 .11-fixed)

Details

(Whiteboard: [sg:critical?], fixed-in-tracemonkey, crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

7 years ago
for (a = 0; a < 8; ++a) {
    if (a) {
        Proxy.create({}).t()
    }
}

crashes js opt shell on TM tip with -j at js_LookupPropertyWithFlags and asserts js debug shell on TM tip with -j at Assertion failure: isNative(), at ../jsscope.h:549

Tested on 64-bit Ubuntu Linux 10.04 and changeset tm-42457-f423fbc93e3f. Assuming related to harmony:proxies. Doesn't seem related to bug 566908.

Console stdout:

Program received signal SIGSEGV, Segmentation fault.
0x000000000046673d in js_LookupPropertyWithFlags ()
(gdb) bt
#0  0x000000000046673d in js_LookupPropertyWithFlags ()
#1  0x0000000000519d87 in js::TraceRecorder::test_property_cache(JSObject*, nanojit::LIns*, JSObject*&, js::PCVal&) ()
#2  0x0000000000524424 in js::TraceRecorder::record_JSOP_CALLPROP() ()
#3  0x0000000000527e4d in js::TraceRecorder::monitorRecording(JSOp) ()
#4  0x000000000054d64a in js_Interpret ()
#5  0x0000000000458421 in js_Execute ()
#6  0x000000000040b6d6 in JS_ExecuteScript ()
#7  0x00000000004069e5 in Process(JSContext*, JSObject*, char*, int) ()
#8  0x0000000000407269 in main ()
(gdb) x/i $rip
=> 0x46673d <js_LookupPropertyWithFlags+189>:	cmp    (%rdx),%rbx
(gdb) x/b $rdx
0xffffffff:	Cannot access memory at address 0xffffffff
(Assignee)

Comment 1

7 years ago
Created attachment 446456 [details] [diff] [review]
patch

Our soon to be native xml and with objects would have hit this, too. Good thing we found it early.
Assignee: general → gal
Attachment #446456 - Flags: review?(dvander)
(In reply to comment #1)
> Our soon to be native xml and with objects would have hit this, too.

s/native/non-native/

We have non-native Java objects in 3.6 still. Wonder what the test does with such a LiveConnect critter instead of Proxy.create()'s return value.

/be
(Assignee)

Comment 3

7 years ago
map will be null so its probably a fairly safe crash
Group: core-security
map will point to a singleton shared map statically pointed at by the non-native JSObjectOps singleton.

/be
Attachment #446456 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

7 years ago
The actual effects are still a bit unclear but best case we generate bad jit code and more likely we crash.
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Whiteboard: [sg:investigate?]
(Assignee)

Updated

7 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: ? → ---
status1.9.2: ? → ---
(Assignee)

Comment 6

7 years ago
http://hg.mozilla.org/tracemonkey/rev/89d31a27e5b8
Whiteboard: [sg:investigate?] → [sg:investigate?], fixed-in-tracemonkey
(Assignee)

Comment 7

7 years ago
Aehm ...

http://hg.mozilla.org/tracemonkey/rev/89d31a27e5b8
(Assignee)

Comment 8

7 years ago
Double aehm ... Follow-up fix. 2-liner and we got it still wrong. That will teach me not to thoroughly test trivial fixes.

http://hg.mozilla.org/tracemonkey/rev/aefd4f69b448
Andreas: can you provide a roll-up patch for mozilla-1.9.2 landing and nominate for approval1.9.2.5?
blocking1.9.2: ? → needed
blocking1.9.1: ? → needed
(Assignee)

Comment 10

7 years ago
#9: pulling 1.9.2. Patch today.
status1.9.1: --- → wanted
status1.9.2: --- → wanted

Comment 11

7 years ago
http://hg.mozilla.org/mozilla-central/rev/89d31a27e5b8
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Updated

7 years ago
blocking1.9.1: needed → .11+
blocking1.9.2: needed → .5+
blocking1.9.2: .5+ → .6+
Whiteboard: [sg:investigate?], fixed-in-tracemonkey → [sg:critical?][needs branch patch or approval request from :gal] fixed-in-tracemonkey

Comment 12

7 years ago
Any hope for branch patches for this?
(Assignee)

Comment 13

7 years ago
Created attachment 454234 [details] [diff] [review]
1.9.2 patch
Attachment #446456 - Attachment is obsolete: true
(Assignee)

Updated

7 years ago
Attachment #446456 - Attachment is obsolete: false
(Assignee)

Updated

7 years ago
Attachment #454234 - Attachment description: patch → 1.9.2 patch
(Assignee)

Comment 14

7 years ago
Comment on attachment 454234 [details] [diff] [review]
1.9.2 patch

Can someone land this for me please? (its a blocker so I am not sure I even need approval)
Attachment #454234 - Flags: approval1.9.2.6?
(Assignee)

Updated

7 years ago
Keywords: checkin-needed
Whiteboard: [sg:critical?][needs branch patch or approval request from :gal] fixed-in-tracemonkey → [sg:critical?], fixed-in-tracemonkey
Created attachment 454241 [details] [diff] [review]
1.9.2 patch with missing ! restored
Attachment #454234 - Attachment is obsolete: true
Attachment #454241 - Flags: review+
Attachment #454241 - Flags: approval1.9.2.6?
Attachment #454234 - Flags: approval1.9.2.6?
(Assignee)

Comment 16

7 years ago
Thanks for catching this. Pulling 1.9.1 right now over the hotel's 9600 baud connection.
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1804452e19b1
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98888b2f3bf8

I wasn't able to build 1.9.2 js shell (debug or opt) on 64-bit Mac:

c++ -o jsregexp.o -c -fvisibility=hidden -DOSTYPE=\"Darwin10.4.0\" -DOSARCH=Darwin -DEXPORT_JS_API  -DJS_USE_SAFE_ARENA  -I.. -I. -I./dist/include -I./dist/include/nsprpub     -I..    -fPIC   -fno-rtti -fno-exceptions -Wall -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wcast-align -Wno-invalid-offsetof -Wno-variadic-macros -Wno-long-long -fno-strict-aliasing -fpascal-strings -fno-common -pthread -pipe  -DNDEBUG -DTRIMMED -O3 -fstrict-aliasing    -DMOZILLA_CLIENT -include ./js-confdefs.h -Wp,-MD,.deps/jsregexp.pp ../jsregexp.cpp
{standard input}:17427:suffix or operands invalid for `call'
make[1]: *** [jsregexp.o] Error 1
make: *** [default] Error 2

So I went in blind. Then opened my eyes and read the patch, and fixed the bug in it :-|.

Setting .6-fixed but if this goes in .7 due to another release intervening, please fix the status.

/be
status1.9.2: wanted → .6-fixed
(Assignee)

Comment 18

7 years ago
Yeah that's why I didn't test either. Can't build 1.9.1 either. Trying to build for 32-bit. Maybe that works.
(In reply to comment #17)
> Setting .6-fixed but if this goes in .7 due to another release intervening,
> please fix the status.

Is there a reason why this landed without approval? All branch patches require approval from drivers before landing.
(In reply to comment #14)
> Can someone land this for me please? (its a blocker so I am not sure I even
> need approval)

*All* patches on the branches require approval. It seems dveditz needs to do his yearly reminder mail...

http://groups.google.com/group/mozilla.dev.planning/browse_thread/thread/9b31b7523bd8cc48/5a289dbac727fead
Keywords: checkin-needed
Reed, you are not helping here.

/be

Updated

7 years ago
Attachment #454241 - Flags: approval1.9.2.7? → approval1.9.2.7+

Comment 22

7 years ago
a=LegNeato for 1.9.2.7, though we only want it if we can be sure we will be getting the 1.9.1 patch as well (don't want to leave those users vulnerable).
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ae51fe8759e3

/be
status1.9.1: wanted → .11-fixed
no crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7pre) Gecko/20100701 Firefox/3.6.7pre 

Garry can you reproduce the crash ?
(Reporter)

Comment 25

7 years ago
Proxies are not defined for 1.9.1 and 1.9.2 so the underlying issue cannot be tested using the original testcase in comment #0.

Updated

7 years ago
blocking2.0: ? → betaN+
Group: core-security

Updated

7 years ago
Flags: in-testsuite?
Crash Signature: [@ js_LookupPropertyWithFlags]
Filter on qa-project-auto-change:

Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.