Closed
Bug 569384
Opened 13 years ago
Closed 13 years ago
TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"
Categories: Core :: JavaScript Engine, defect, P2
Tracking
Status: VERIFIED FIXED
Tracking flag | Status
---|---
blocking2.0 | betaN+
blocking1.9.2 | .14+
status1.9.2 | .14-fixed
status1.9.1 | unaffected
People
(Reporter: gkw, Assigned: gal)
References
Details
(4 keywords, Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192])
Crash Data
Attachments
(1 file)
patch, 937 bytes, luke: review+
for (b = 0; b < 1; ++b) {
  var d = b
}
(function () {
  x = Proxy.create(function () {
    return {
      getPropertyDescriptor: function () {
        +""
      }
    }
  }(), 5)
}())
for (a = 0; a < 3; ++a) {
  if (a == 1) {
    d in x
  }
}

crashes js opt shell with -j on TM tip at JSObject::dropProperty and asserts js debug shell with -j on TM tip at Assertion failure: status == ARECORD_ERROR, at ../jsops.cpp:7

s-s because this seems like a scary address (prior to reduction the edx instruction was at a weird 0x128 location). Assuming [sg:critical?] unless otherwise noted.

Program received signal SIGSEGV, Segmentation fault.
0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
(gdb) bt
#0  0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
#1  0x08216644 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x80bfef7 <_ZN8JSObject12dropPropertyEP9JSContextP10JSProperty+7>: mov (%edx),%eax
(gdb) x/b $edx
0x1: Cannot access memory at address 0x1
Comment 1 (Reporter) • 13 years ago
(Also assuming related to harmony:proxies, setting dependency)
Updated • 13 years ago
Assignee: general → gal
Updated • 13 years ago
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
Comment 2 (Assignee) • 13 years ago
#0  0x00000000014021c0 in ?? ()
Cannot access memory at address 0x14021c0
#1  0x00000001001a3007 in js::TraceRecorder::record_JSOP_IN (this=0x100415410) at ../jstracer.cpp:14019
#2  0x00000001001a73e7 in js::TraceRecorder::monitorRecording (this=0x100415410, op=JSOP_IN) at jsopcode.tbl:281
#3  0x000000010008557d in js_Interpret (cx=0x10083c800) at jsops.cpp:78
#4  0x00000001000ae19a in js_Execute (cx=0x10083c800, chain=0x101402000, script=0x100414f90, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837
#5  0x00000001000123af in JS_ExecuteScript (cx=0x10083c800, obj=0x101402000, script=0x100414f90, rval=0x0) at ../jsapi.cpp:4831
#6  0x000000010000a168 in Process (cx=0x10083c800, obj=0x101402000, filename=0x7fff5fbffa90 "x2.js", forceTTY=0) at ../../shell/js.cpp:422
#7  0x000000010000adad in ProcessArgs (cx=0x10083c800, obj=0x101402000, argv=0x7fff5fbff938, argc=2) at ../../shell/js.cpp:836
#8  0x000000010000af28 in main (argc=2, argv=0x7fff5fbff938, envp=0x7fff5fbff950) at ../../shell/js.cpp:5082
Comment 3 (Assignee) • 13 years ago
Not proxy related, just proxy triggered; probably needs branch fixing too, patch soon.
Comment 4 (Assignee) • 13 years ago
Updated (Assignee) • 13 years ago
Attachment #448619 -
Flags: review?(lw)
Updated (Assignee) • 13 years ago
No longer blocks: harmony:proxies
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:critical]
Comment 5 • 13 years ago
Comment on attachment 448619 (patch)
Ew, lame; thanks for finding and fixing that.
Attachment #448619 -
Flags: review?(lw) → review+
Comment 6 (Assignee) • 13 years ago
http://hg.mozilla.org/tracemonkey/rev/66cee22c2706
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical], fixed-in-tracemonkey
Comment 7 (Reporter) • 13 years ago
for (let n = 0; n < 7; ++n) {
  x = Proxy.create(function() {
    return {
      getPropertyDescriptor: function() {
        + ""
      }
    }
  }(), /x/)
}
for (z = 0; z < 5; ++z) {
  var a = z
}
for (var m = 0; m < 9; ++m) {
  if (m % 5 == 0) {} else {
    print(let(y = a in x) 7)
  }
}

is a 64-bit crash testcase (both in debug and opt shells) that got fixed by this patch, and it also crashes at js::TraceRecorder::record_JSOP_IN
Summary: TM: Crash [@ JSObject::dropProperty] or "Assertion failure: status == ARECORD_ERROR," → TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"
Updated • 13 years ago
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch]
Comment 8 • 13 years ago
http://hg.mozilla.org/mozilla-central/rev/66cee22c2706
Status: NEW → RESOLVED
Closed: 13 years ago
status1.9.1: --- → ?
status1.9.2: --- → ?
Resolution: --- → FIXED
Updated • 13 years ago
blocking2.0: ? → betaN+
Comment 9 • 12 years ago
A non-proxy testcase that could be used to verify the branches would be great. The patch itself needs only minor merging for the branches (macro/#define name changes).
Updated • 12 years ago
blocking1.9.1: ? → .17+
blocking1.9.2: ? → .14+
Comment 10 (Assignee) • 12 years ago
The bug doesn't exist in 1.9.1 (I tried the test case on 1.9.1, no crash). Landed on 1.9.2. http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98467bef1347
Comment 11 • 12 years ago
(In reply to comment #0)
> for (b = 0; b < 1; ++b) {
> var d = b
> }
> (function () {
> x = Proxy.create(function () {
> return {
> getPropertyDescriptor: function () {
> +""
> }
> }
> }(), 5)
> }())
> for (a = 0; a < 3; ++a) {
> if (a == 1) {
> d in x
> }
> }

When I run this in my own 1.9.2 debug build (pre-fix) or 1.9.2.13, I get "ReferenceError on line 5: Proxy is not defined". I'm not a JS shell expert but I expect I'm doing something wrong here.
Comment 12 (Assignee) • 12 years ago
1.9.2 doesn't have proxies. You would need some other non-native object to make this happen (i.e. liveconnect).
Comment 13 • 12 years ago
Marking this at NTD (nothing to do) for QA for branch since there are no steps to reproduce or testcases.
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192]
Updated • 12 years ago
Group: core-security
Updated • 12 years ago
Crash Signature: [@ JSObject::dropProperty] [@ js::TraceRecorder::record_JSOP_IN]
Comment 14 • 11 years ago
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Crash Signature: [@ JSObject::dropProperty] [@ js::TraceRecorder::record_JSOP_IN] → [@ JSObject::dropProperty] [@ js::TraceRecorder::record_JSOP_IN]
Comment 15 • 10 years ago
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
Updated • 8 years ago
Keywords: testcase-wanted