Closed
Bug 569306
Opened 15 years ago
Closed 14 years ago
(64-bit) Crash: [@ js_ArrayClass] or [@ js_GetPropertyHelper] or "Assertion failure: JSVAL_IS_OBJECT(v),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: gkw, Assigned: gal)
References
Details
(4 keywords, Whiteboard: [ccbr][sg:critical] fixed-in-tracemonkey [critsmash:patch])
Crash Data
Attachments
(1 file, 1 obsolete file)
16.29 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
typeof w & options().i
function g() {
delete this.uneval;
uneval
}
g()
(function() {
for each(e in [
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
]) {
(function f(aaaaaa) {
for (x in "") {}
if (aaaaaa) {
f(aaaaaa - 1)
}
} (2906))
}
} ())
crashes 64-bit js opt shell on TM tip without -j at js_ArrayClass with js_GetPropertyHelper somewhere on the stack, and asserts 64-bit js debug shell on TM tip without -j at Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183
s-s because it crashes at a strange and scary memory address which had seemingly morphed several times during the process of reduction. Assume [sg:critical?] unless otherwise noted.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x000000010018dfe0
0x000000010018dfe0 in js_ArrayClass ()
(gdb) bt
#0 0x000000010018dfe0 in js_ArrayClass ()
#1 0x0000000100072dec in js_LookupPropertyWithFlags ()
#2 0x0000000100074a19 in js_GetPropertyHelper ()
#3 0x0000000100074dae in js_GetMethod ()
#4 0x000000010006802c in GetIterator ()
#5 0x0000000100068bfe in js_ValueToIterator ()
#6 0x00000001000579fd in js_Interpret ()
#7 0x0000000100063f85 in js_Execute ()
#8 0x000000010000d110 in JS_ExecuteScript ()
#9 0x000000010000341a in Process ()
#10 0x0000000100006f4d in main ()
(gdb) x/i $rip
0x10018dfe0 <js_ArrayClass>: and %eax,(%rdx)
(gdb) x/b $eax
Value can't be converted to integer.
(gdb) x/b $rdx
0x1012007e4: 0x00
Reporter | ||
Comment 1•15 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 41832:b15fd8b568e4
user: Andreas Gal
date: Fri May 07 17:52:52 2010 -0700
summary: fast object iteration (558754, r=brendan, CLOSED TREE).
Blocks: fastiterators
Assignee | ||
Comment 2•15 years ago
|
||
Looks like a rooting bug. Nice test case Gary.
(gdb) r x.js
Starting program: /Users/gal/workspace/tracemonkey-repository/js/src/Darwin_DBG.OBJ/js x.js
Reading symbols for shared libraries .++++..................................................................................... done
Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010015556e in JS_Assert (s=0x1001ee284 "JSVAL_IS_OBJECT(v)", file=0x1001e5708 "../jsapi.h", ln=183) at ../jsutil.cpp:77
77 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) up
#1 0x000000010014312a in JSVAL_TO_OBJECT (v=-2676586395008836902) at jsapi.h:183
183 JS_ASSERT(JSVAL_IS_OBJECT(v));
(gdb) p/x v
$1 = 0xdadadadadadadada
(gdb) bt
#0 0x000000010015556e in JS_Assert (s=0x1001ee284 "JSVAL_IS_OBJECT(v)", file=0x1001e5708 "../jsapi.h", ln=183) at ../jsutil.cpp:77
#1 0x000000010014312a in JSVAL_TO_OBJECT (v=-2676586395008836902) at jsapi.h:183
#2 0x0000000100146845 in JSObject::getParent (this=0x101402180) at jsobj.h:366
#3 0x00000001000beffa in js::NewObjectWithGivenProto (cx=0x10083c800, clasp=0x100267540, proto=0x101402180, parent=0x0, objectSize=0) at jsobjinlines.h:645
#4 0x00000001000c51f1 in js::NewObject (cx=0x10083c800, clasp=0x100267540, proto=0x101402180, parent=0x0, objectSize=0) at jsobjinlines.h:700
#5 0x00000001000c52a0 in js_PrimitiveToObject (cx=0x10083c800, vp=0x7fff5fbfeb50) at ../jsobj.cpp:5878
#6 0x00000001000c5341 in js_ValueToObject (cx=0x10083c800, v=4315938820, objp=0x7fff5fbfebc8) at ../jsobj.cpp:5896
#7 0x00000001000b3884 in js_ValueToIterator (cx=0x10083c800, flags=1, vp=0x101014cf8) at ../jsiter.cpp:589
#8 0x000000010008a84f in js_Interpret (cx=0x10083c800) at jsops.cpp:458
#9 0x00000001000ae19a in js_Execute (cx=0x10083c800, chain=0x101402000, script=0x100414810, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837
#10 0x00000001000123af in JS_ExecuteScript (cx=0x10083c800, obj=0x101402000, script=0x100414810, rval=0x0) at ../jsapi.cpp:4831
#11 0x000000010000a168 in Process (cx=0x10083c800, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:422
#12 0x000000010000adad in ProcessArgs (cx=0x10083c800, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:836
#13 0x000000010000af28 in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5082
(gdb)
Comment 3•15 years ago
|
||
A rooting bug? Does that mean the garbage collector is running at some point?
Assignee | ||
Comment 4•15 years ago
|
||
Yes.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /Users/gal/workspace/tracemonkey-repository/js/src/Darwin_DBG.OBJ/js x.js
Reading symbols for shared libraries . done
Breakpoint 1, js_GC (cx=0x10083c800, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3175
3175 JSRuntime *rt = cx->runtime;
(gdb)
If you look at the stack trace you see the value v=-2676586395008836902.
(gdb) p/x -2676586395008836902
$2 = 0xdadadadadadadada
0xdadadadadadadada is the value the GC clears dead objects with. Whenever you see that in a stack trace, a rooting bug is very likely.
Updated•15 years ago
|
blocking2.0: --- → ?
Updated•15 years ago
|
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
Assignee | ||
Comment 5•15 years ago
|
||
I will grab this for now. If anyone else has free cycles, please steal.
Assignee: general → gal
Assignee | ||
Updated•15 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Assignee | ||
Updated•15 years ago
|
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:critical]
Assignee | ||
Comment 6•15 years ago
|
||
Very old rooting bug.
Assignee | ||
Updated•15 years ago
|
Attachment #448627 -
Flags: review?(brendan)
Assignee | ||
Comment 7•15 years ago
|
||
Comment on attachment 448627 [details] [diff] [review]
patch
Note that the code triggers a GC _exactly_ and _reproducibly_ between the GetClassPrototype and the NewObejectWithGivenProto call. Amazing.
Comment 8•15 years ago
|
||
Comment on attachment 448627 [details] [diff] [review]
patch
I talked about this with gal and we found the underlying cause of this: we were resolving string twice. The reduced testcase to observe misbehavior is:
var s = new String();
delete uneval;
uneval;
s instanceof String;
should return true, instead returns false. gal is re-patching.
Attachment #448627 -
Flags: review?(brendan) → review-
Assignee | ||
Comment 9•15 years ago
|
||
Attachment #448627 -
Attachment is obsolete: true
Assignee | ||
Updated•15 years ago
|
Attachment #448667 -
Flags: review?(mrbkap)
Comment 10•15 years ago
|
||
Comment on attachment 448667 [details] [diff] [review]
patch
r=me pending tryserver success.
Attachment #448667 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 11•15 years ago
|
||
Comment 12•15 years ago
|
||
three tests are failing:
REFTEST TEST-UNEXPECTED-FAIL | file:///builds/slave/tracemonkey-macosx-opt-unittest-jsreftest/build/jsreftest/tests/jsreftest.html?test=js1_5/extensions/regress-352604.js | Unknown file:///builds/slave/tracemonkey-macosx-opt-unittest-jsreftest/build/jsreftest/tests/js1_5/extensions/regress-352604.js:58: Function is not defined item 1
REFTEST TEST-UNEXPECTED-FAIL | file:///builds/slave/tracemonkey-macosx-opt-unittest-jsreftest/build/jsreftest/tests/jsreftest.html?test=js1_5/Regress/regress-352604.js | Unknown file:///builds/slave/tracemonkey-macosx-opt-unittest-jsreftest/build/jsreftest/tests/js1_5/Regress/regress-352604.js:56: Function is not defined item 1
REFTEST TEST-UNEXPECTED-FAIL | file:///builds/slave/tracemonkey-macosx-opt-unittest-jsreftest/build/jsreftest/tests/jsreftest.html?test=js1_8_5/regress/regress-533876.js | Unknown file:///builds/slave/tracemonkey-macosx-opt-unittest-jsreftest/build/jsreftest/tests/js1_8_5/regress/regress-533876.js:19: eval is not defined item 1
Assignee | ||
Comment 13•15 years ago
|
||
Looking.
Assignee | ||
Comment 14•15 years ago
|
||
I can reproduce.
Assignee | ||
Comment 15•15 years ago
|
||
352604 is an invalid test:
function f() {}
delete Function;
var g = new Function('');
expect = f.__proto__;
actual = g.__proto__;
if you delete Function, is gone now. resolve hook won't rematerialize it.
Assignee | ||
Comment 16•15 years ago
|
||
533876 is invalid too:
delete eval; // force dictionary scope for global
gc();
var f = eval("(function () { return /x/; })");
x.watch('x', f); // clone property from global to x, including SPROP_IN_DICTIONARY flag
Disabling both.
Assignee | ||
Comment 17•15 years ago
|
||
Comment 18•15 years ago
|
||
Rather than disabling the tests, you should change the expected result, so we'll notice if we accidentally go back to the old wrong behavior.
Assignee | ||
Comment 19•15 years ago
|
||
I will make a better test. The test are testing a but failing on b. That's a horrible test.
Assignee | ||
Comment 20•15 years ago
|
||
Reporter | ||
Updated•15 years ago
|
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical] fixed-in-tracemonkey
Comment 21•15 years ago
|
||
They're fuzz-generated tests. What do you expect? ;)
Updated•15 years ago
|
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
Updated•15 years ago
|
Whiteboard: [ccbr][sg:critical] fixed-in-tracemonkey → [ccbr][sg:critical] fixed-in-tracemonkey [critsmash:patch]
Comment 22•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
blocking2.0: ? → betaN+
Updated•14 years ago
|
blocking1.9.1: needed → .13+
blocking1.9.2: needed → .10+
Comment 23•14 years ago
|
||
Does this patch apply to the branches?
Assignee | ||
Comment 24•14 years ago
|
||
I am really busy with compartment stuff. Any chance that someone can backport this for me? Assigning to sayrer to find an owner. Bounce it back to me if nobody can be found. Thanks.
Assignee: gal → sayrer
Comment 25•14 years ago
|
||
When are you (or another js team member) not going to be busy with compartments? We need a branch patch.
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
Updated•14 years ago
|
blocking1.9.1: needed → ?
blocking1.9.2: needed → ?
Updated•14 years ago
|
blocking1.9.1: ? → .18+
blocking1.9.2: ? → .15+
Assignee | ||
Comment 26•14 years ago
|
||
Lets do this the other way around. Give me a date when you need this and I will make sure we have a patch.
Comment 27•14 years ago
|
||
Deferring to a future point release as we have run out of time. If this absolutely needs to be fixed and can land today or tomorrow, please send a note to release-drivers@mozilla.org
blocking1.9.1: .19+ → .20+
blocking1.9.2: .17+ → .18+
Updated•14 years ago
|
Assignee: sayrer → gal
Updated•14 years ago
|
blocking1.9.1: .20+ → needed
Updated•14 years ago
|
blocking1.9.2: .18+ → .19+
Updated•14 years ago
|
Crash Signature: [@ js_ArrayClass]
[@ js_GetPropertyHelper]
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•