Bug 568855 - Crash [@ nanojit::LIns::opcode] with non-native __proto__
Status: RESOLVED FIXED
Whiteboard: [ccbr][sg:critical?] fixed-in-tracemo...
Keywords: assertion, crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Assigned To: Andreas Gal :gal
: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz harmony:proxies
Reported: 2010-05-28 09:32 PDT by Jesse Ruderman
Modified: 2013-01-19 14:07 PST (History)
choller: in-testsuite+
final+
.7+
.7-fixed
unaffected


Attachments
patch (1.03 KB, patch)
2010-05-28 16:45 PDT, Andreas Gal :gal
dvander: review+
patch for 1.9.2 (1.03 KB, patch)
2010-06-30 14:21 PDT, Andreas Gal :gal
dvander: review+
christian: approval1.9.2.7+

Description Jesse Ruderman 2010-05-28 09:32:49 PDT
this.__proto__ = Proxy.create({has:function(){return false}});
(function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Triggers one of the following (all in a debug build):
* Crash [@ nanojit::LIns::opcode]
* Crash [@ nanojit::LirWriter::insImmI]
* Assertion failed: 0 (../nanojit/LIR.cpp:996)
* Assertion failure: status == ARECORD_COMPLETED || status == ARECORD_ABORTED || status == ARECORD_ERROR, at ../jstracer.cpp:7139

The proliferation of assertions and crashes may make this annoying for jsfunfuzz.
Comment 1 Andreas Gal :gal 2010-05-28 09:35:47 PDT
This can be triggered via liveconnect as well, and might affect branches.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2010-05-28 10:29:08 PDT
js> this.__proto__ = Proxy.create({has:function(){return false}});
js> (function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000003a
0x001601f5 in nanojit::CseFilter::insLoad ()
(gdb) 
(gdb) bt
#0  0x001601f5 in nanojit::CseFilter::insLoad ()
#1  0x0012cd95 in js::TraceRecorder::traverseScopeChain ()
#2  0x00138575 in js::TraceRecorder::record_JSOP_BINDNAME ()
#3  0x00155618 in js::TraceRecorder::monitorRecording ()
#4  0x0005bc76 in js_Interpret ()
#5  0x000665a0 in js_Execute ()
#6  0x0000f67c in JS_ExecuteScript ()
#7  0x00004cfc in Process ()
#8  0x000090ba in main ()
(gdb) x/i $eip
0x1601f5 <_ZN7nanojit9CseFilter7insLoadENS_7LOpcodeEPNS_4LInsEih+629>:  call   *0x30(%ecx)
(gdb) x/b $ecx
0xa:    Cannot access memory at address 0xa
Comment 3 Andreas Gal :gal 2010-05-28 10:33:39 PDT
This is not a recent regression. And it affects branches. Keep this closed please.
Comment 4 Andreas Gal :gal 2010-05-28 16:45:35 PDT
Created attachment 448142
patch

Existing bug in js_FindIdentifierBase usage here. It can deep abort. Static analysis would be nice here.
Comment 5 Gary Kwong [:gkw] [:nth10sd] 2010-06-03 04:36:46 PDT
(This was checked in to TM)

http://hg.mozilla.org/tracemonkey/rev/3e86dbfb0814
Comment 7 christian 2010-06-25 17:13:51 PDT
Any hope for branch patches for this?
Comment 8 Andreas Gal :gal 2010-06-30 14:21:54 PDT
Created attachment 455263
patch for 1.9.2
Comment 9 christian 2010-06-30 16:30:42 PDT
Comment on attachment 455263
patch for 1.9.2

a=LegNeato for 1.9.2.7. Please land on mozilla-1.9.2 default.

Thanks for getting to this!
Comment 11 christian 2010-06-30 18:43:11 PDT
This affects 1.9.1 as well, yes?
Comment 12 Andreas Gal :gal 2010-06-30 19:25:36 PDT
1.9.1 is not affected. We didn't trace this case back then.
Comment 13 christian 2010-06-30 20:37:17 PDT
Thanks for confirming!
Comment 14 Christian Holler (:decoder) 2013-01-19 14:07:42 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
