Crash [@ js_LookupPropertyWithFlags] or "Assertion failure: isNative(),"

Status: RESOLVED FIXED
Priority: P2
Severity: critical
Reported: 9 years ago
Modified: 6 years ago

People

(Reporter: gkw, Assigned: gal)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
assertion, crash, regression, testcase
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 .7+, status1.9.2 .7-fixed, blocking1.9.1 .11+, status1.9.1 .11-fixed)

Details

(Whiteboard: [sg:critical?], fixed-in-tracemonkey, crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

9 years ago
for (a = 0; a < 8; ++a) {
    if (a) {
        Proxy.create({}).t()
    }
}

crashes js opt shell on TM tip with -j at js_LookupPropertyWithFlags and asserts js debug shell on TM tip with -j at Assertion failure: isNative(), at ../jsscope.h:549

Tested on 64-bit Ubuntu Linux 10.04 and changeset tm-42457-f423fbc93e3f. Assuming related to harmony:proxies. Doesn't seem related to bug 566908.

Console stdout:

Program received signal SIGSEGV, Segmentation fault.
0x000000000046673d in js_LookupPropertyWithFlags ()
(gdb) bt
#0  0x000000000046673d in js_LookupPropertyWithFlags ()
#1  0x0000000000519d87 in js::TraceRecorder::test_property_cache(JSObject*, nanojit::LIns*, JSObject*&, js::PCVal&) ()
#2  0x0000000000524424 in js::TraceRecorder::record_JSOP_CALLPROP() ()
#3  0x0000000000527e4d in js::TraceRecorder::monitorRecording(JSOp) ()
#4  0x000000000054d64a in js_Interpret ()
#5  0x0000000000458421 in js_Execute ()
#6  0x000000000040b6d6 in JS_ExecuteScript ()
#7  0x00000000004069e5 in Process(JSContext*, JSObject*, char*, int) ()
#8  0x0000000000407269 in main ()
(gdb) x/i $rip
=> 0x46673d <js_LookupPropertyWithFlags+189>:	cmp    (%rdx),%rbx
(gdb) x/b $rdx
0xffffffff:	Cannot access memory at address 0xffffffff
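The crash class reported above, where a tracer path treats a non-native object (the proxy from the testcase) as if its map were a native scope, modelled as an added C example. This is not SpiderMonkey code and not part of the bug: the structs, the `is_native` ops flag, the shared dummy map and all function names are constructed stand-ins. It shows the hardened shape of the lookup, which refuses non-native objects before casting the map, and a recorder step that aborts recording instead of dereferencing the shared map.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not SpiderMonkey code): a native object's map points at
 * a scope holding a property table; a non-native object (a proxy in the
 * testcase) carries a shared dummy map that must never be read as a scope. */
typedef struct { const char *name; int value; } Prop;
typedef struct { const Prop *props; size_t nprops; } Scope;
typedef struct { bool is_native; } ObjOps;
typedef struct { const ObjOps *ops; const void *map; } Obj;

static const ObjOps native_ops = { true };
static const ObjOps proxy_ops  = { false };

/* Stand-in for the singleton map shared by every non-native object. */
static const unsigned char shared_non_native_map[8] = { 0 };

static bool obj_is_native(const Obj *o) { return o->ops->is_native; }

typedef enum { LOOKUP_FOUND, LOOKUP_MISSING, LOOKUP_NOT_NATIVE } LookupResult;

/* Hardened lookup: the failing path cast o->map to a scope unconditionally;
 * here the cast only happens once the object is known to be native. */
static LookupResult lookup_property(const Obj *o, const char *name, int *out) {
    if (!obj_is_native(o))
        return LOOKUP_NOT_NATIVE;
    const Scope *scope = (const Scope *)o->map;
    for (size_t i = 0; i < scope->nprops; i++) {
        if (strcmp(scope->props[i].name, name) == 0) {
            *out = scope->props[i].value;
            return LOOKUP_FOUND;
        }
    }
    return LOOKUP_MISSING;
}

/* Models the recorder's property-cache test: recording continues only for
 * native objects (hit or miss); anything else aborts so the interpreter
 * handles the call instead of the trace. */
typedef enum { RECORD_CONTINUE, RECORD_ABORT } RecordStatus;

static RecordStatus record_callprop(const Obj *o, const char *name, int *out) {
    switch (lookup_property(o, name, out)) {
    case LOOKUP_FOUND:
    case LOOKUP_MISSING:
        return RECORD_CONTINUE;
    default:
        return RECORD_ABORT;
    }
}

/* Constructed sample objects: one native object with a property "t" and one
 * proxy whose map is the shared non-native map. */
static const Prop  sample_props[] = { { "t", 42 } };
static const Scope sample_scope   = { sample_props, 1 };
static const Obj   native_obj     = { &native_ops, &sample_scope };
static const Obj   proxy_obj      = { &proxy_ops, shared_non_native_map };

/* Named entry points so the outcomes can be checked rather than only printed. */
static int native_lookup_value(void) {
    int v = 0;
    lookup_property(&native_obj, "t", &v);
    return v;
}
static int native_hit_status(void)     { int v = 0; return record_callprop(&native_obj, "t", &v); }
static int native_missing_status(void) { int v = 0; return record_callprop(&native_obj, "u", &v); }
static int proxy_record_status(void)   { int v = 0; return record_callprop(&proxy_obj, "t", &v); }

int main(void) {
    printf("native t = %d, hit=%d miss=%d proxy=%d\n",
           native_lookup_value(), native_hit_status(),
           native_missing_status(), proxy_record_status());
    return 0;
}
```

The point of the split is that the type check lives in the lookup itself, so every caller (not just the recorder) is protected, while the recorder's abort keeps the JIT from emitting code that assumes a scope it never verified.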
(Assignee)

Comment 1

9 years ago
Created attachment 446456 [details] [diff] [review]
patch

Our soon to be native xml and with objects would have hit this, too. Good thing we found it early.
Assignee: general → gal
Attachment #446456 - Flags: review?(dvander)
(In reply to comment #1)
> Our soon to be native xml and with objects would have hit this, too.

s/native/non-native/

We have non-native Java objects in 3.6 still. Wonder what the test does with such a LiveConnect critter instead of Proxy.create()'s return value.

/be
(Assignee)

Comment 3

9 years ago
map will be null so it's probably a fairly safe crash
Group: core-security
map will point to a singleton shared map statically pointed at by the non-native JSObjectOps singleton.

/be
Attachment #446456 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

9 years ago
The actual effects are still a bit unclear but best case we generate bad jit code and more likely we crash.
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Whiteboard: [sg:investigate?]
(Assignee)

Updated

9 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: ? → ---
status1.9.2: ? → ---
(Assignee)

Comment 6

9 years ago
http://hg.mozilla.org/tracemonkey/rev/89d31a27e5b8
Whiteboard: [sg:investigate?] → [sg:investigate?], fixed-in-tracemonkey
(Assignee)

Comment 8

9 years ago
Double aehm ... Follow-up fix. 2-liner and we got it still wrong. That will teach me not to thoroughly test trivial fixes.

http://hg.mozilla.org/tracemonkey/rev/aefd4f69b448
Andreas: can you provide a roll-up patch for mozilla-1.9.2 landing and nominate for approval1.9.2.5?
blocking1.9.2: ? → needed
blocking1.9.1: ? → needed
(Assignee)

Comment 10

9 years ago
#9: pulling 1.9.2. Patch today.
status1.9.1: --- → wanted
status1.9.2: --- → wanted

Comment 11

9 years ago
http://hg.mozilla.org/mozilla-central/rev/89d31a27e5b8
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Updated

9 years ago
blocking1.9.1: needed → .11+
blocking1.9.2: needed → .5+
blocking1.9.2: .5+ → .6+
Whiteboard: [sg:investigate?], fixed-in-tracemonkey → [sg:critical?][needs branch patch or approval request from :gal] fixed-in-tracemonkey

Comment 12

9 years ago
Any hope for branch patches for this?
(Assignee)

Comment 13

9 years ago
Created attachment 454234 [details] [diff] [review]
1.9.2 patch
Attachment #446456 - Attachment is obsolete: true
(Assignee)

Updated

9 years ago
Attachment #446456 - Attachment is obsolete: false
(Assignee)

Updated

9 years ago
Attachment #454234 - Attachment description: patch → 1.9.2 patch
(Assignee)

Comment 14

9 years ago
Comment on attachment 454234 [details] [diff] [review]
1.9.2 patch

Can someone land this for me please? (it's a blocker so I am not sure I even need approval)
Attachment #454234 - Flags: approval1.9.2.6?
(Assignee)

Updated

9 years ago
Keywords: checkin-needed
Whiteboard: [sg:critical?][needs branch patch or approval request from :gal] fixed-in-tracemonkey → [sg:critical?], fixed-in-tracemonkey
Created attachment 454241 [details] [diff] [review]
1.9.2 patch with missing ! restored
Attachment #454234 - Attachment is obsolete: true
Attachment #454241 - Flags: review+
Attachment #454241 - Flags: approval1.9.2.6?
Attachment #454234 - Flags: approval1.9.2.6?
(Assignee)

Comment 16

9 years ago
Thanks for catching this. Pulling 1.9.1 right now over the hotel's 9600 baud connection.
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1804452e19b1
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98888b2f3bf8

I wasn't able to build 1.9.2 js shell (debug or opt) on 64-bit Mac:

c++ -o jsregexp.o -c -fvisibility=hidden -DOSTYPE=\"Darwin10.4.0\" -DOSARCH=Darwin -DEXPORT_JS_API  -DJS_USE_SAFE_ARENA  -I.. -I. -I./dist/include -I./dist/include/nsprpub     -I..    -fPIC   -fno-rtti -fno-exceptions -Wall -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wcast-align -Wno-invalid-offsetof -Wno-variadic-macros -Wno-long-long -fno-strict-aliasing -fpascal-strings -fno-common -pthread -pipe  -DNDEBUG -DTRIMMED -O3 -fstrict-aliasing    -DMOZILLA_CLIENT -include ./js-confdefs.h -Wp,-MD,.deps/jsregexp.pp ../jsregexp.cpp
{standard input}:17427:suffix or operands invalid for `call'
make[1]: *** [jsregexp.o] Error 1
make: *** [default] Error 2

So I went in blind. Then opened my eyes and read the patch, and fixed the bug in it :-|.

Setting .6-fixed but if this goes in .7 due to another release intervening, please fix the status.

/be
status1.9.2: wanted → .6-fixed
(Assignee)

Comment 18

9 years ago
Yeah that's why I didn't test either. Can't build 1.9.1 either. Trying to build for 32-bit. Maybe that works.
(In reply to comment #17)
> Setting .6-fixed but if this goes in .7 due to another release intervening,
> please fix the status.

Is there a reason why this landed without approval? All branch patches require approval from drivers before landing.
(In reply to comment #14)
> Can someone land this for me please? (its a blocker so I am not sure I even
> need approval)

*All* patches on the branches require approval. It seems dveditz needs to do his yearly reminder mail...

http://groups.google.com/group/mozilla.dev.planning/browse_thread/thread/9b31b7523bd8cc48/5a289dbac727fead
Keywords: checkin-needed
Reed, you are not helping here.

/be

Updated

9 years ago
Attachment #454241 - Flags: approval1.9.2.7? → approval1.9.2.7+

Comment 22

9 years ago
a=LegNeato for 1.9.2.7, though we only want it if we can be sure we will be getting the 1.9.1 patch as well (don't want to leave those users vulnerable).
no crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7pre) Gecko/20100701 Firefox/3.6.7pre 

Garry, can you reproduce the crash?
(Reporter)

Comment 25

9 years ago
Proxies are not defined for 1.9.1 and 1.9.2 so the underlying issue cannot be tested using the original testcase in comment #0.

Updated

9 years ago
blocking2.0: ? → betaN+
Group: core-security

Updated

8 years ago
Flags: in-testsuite?
Crash Signature: [@ js_LookupPropertyWithFlags]

Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-