TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"

Status: VERIFIED FIXED (defect, P2, critical; reported 9 years ago, last updated 4 years ago)

People

(Reporter: gkw, Assigned: gal)

Tracking

(Blocks 1 bug, 4 keywords)

Version: Trunk
Bug Flags: in-testsuite -

Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 .14+, status1.9.2 .14-fixed, status1.9.1 unaffected)

Details

(Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192], crash signature)

Attachments

(1 attachment)

Description (Reporter, 9 years ago)

for (b = 0; b < 1; ++b) {
    var d = b
}
(function () {
    x = Proxy.create(function () {
        return {
            getPropertyDescriptor: function () {
                +""
            }
        }
    }(), 5)
}())
for (a = 0; a < 3; ++a) {
    if (a == 1) {
        d in x
    }
}

crashes js opt shell with -j on TM tip at JSObject::dropProperty and asserts js debug shell with -j on TM tip at Assertion failure: status == ARECORD_ERROR, at ../jsops.cpp:7

s-s because this seems like a scary address (prior to reduction the edx instruction was at a weird 0x128 location). Assuming [sg:critical?] unless otherwise noted.

Program received signal SIGSEGV, Segmentation fault.
0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
(gdb) bt
#0  0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
#1  0x08216644 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x80bfef7 <_ZN8JSObject12dropPropertyEP9JSContextP10JSProperty+7>:	mov    (%edx),%eax
(gdb) x/b $edx
0x1:	Cannot access memory at address 0x1

Comment 1 (Reporter, 9 years ago)

(Also assuming related to harmony:proxies, setting dependency)


Updated (9 years ago)
Assignee: general → gal
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]

Comment 2 (Assignee, 9 years ago)

#0  0x00000000014021c0 in ?? ()
Cannot access memory at address 0x14021c0
#1  0x00000001001a3007 in js::TraceRecorder::record_JSOP_IN (this=0x100415410) at ../jstracer.cpp:14019
#2  0x00000001001a73e7 in js::TraceRecorder::monitorRecording (this=0x100415410, op=JSOP_IN) at jsopcode.tbl:281
#3  0x000000010008557d in js_Interpret (cx=0x10083c800) at jsops.cpp:78
#4  0x00000001000ae19a in js_Execute (cx=0x10083c800, chain=0x101402000, script=0x100414f90, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837
#5  0x00000001000123af in JS_ExecuteScript (cx=0x10083c800, obj=0x101402000, script=0x100414f90, rval=0x0) at ../jsapi.cpp:4831
#6  0x000000010000a168 in Process (cx=0x10083c800, obj=0x101402000, filename=0x7fff5fbffa90 "x2.js", forceTTY=0) at ../../shell/js.cpp:422
#7  0x000000010000adad in ProcessArgs (cx=0x10083c800, obj=0x101402000, argv=0x7fff5fbff938, argc=2) at ../../shell/js.cpp:836
#8  0x000000010000af28 in main (argc=2, argv=0x7fff5fbff938, envp=0x7fff5fbff950) at ../../shell/js.cpp:5082

Comment 3 (Assignee, 9 years ago)

not proxy related, just proxy triggered, probably needs branch fixing too, patch soon

Comment 4 (Assignee, 9 years ago)

Posted patch: patch

Updated (9 years ago)
Attachment #448619 - Flags: review?(lw)

Updated (9 years ago)
No longer blocks: harmony:proxies
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:critical]

Updated (9 years ago)
Blocks: 567068

Comment 5

Comment on attachment 448619 (patch)

Ew, lame; thanks for finding and fixing that.
Attachment #448619 - Flags: review?(lw) → review+

Comment 6 (Assignee, 9 years ago)

http://hg.mozilla.org/tracemonkey/rev/66cee22c2706
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical], fixed-in-tracemonkey

Comment 7 (Reporter, 9 years ago)

for (let n = 0; n < 7; ++n) {
    x = Proxy.create(function() {
        return {
            getPropertyDescriptor: function() {
                + ""
            }
        }
    } (), /x/)
}
for (z = 0; z < 5; ++z) {
    var a = z
}
for (var m = 0; m < 9; ++m) {
    if (m % 5 == 0) {} else {
        print(let(y = a in x) 7)
    }
}

is a 64-bit crash testcase (both in debug and opt shells) that got fixed by this patch, and it also crashes at js::TraceRecorder::record_JSOP_IN
Summary: TM: Crash [@ JSObject::dropProperty] or "Assertion failure: status == ARECORD_ERROR," → TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch]

Comment 8 (9 years ago)

http://hg.mozilla.org/mozilla-central/rev/66cee22c2706
Status: NEW → RESOLVED
Last Resolved: 9 years ago
status1.9.1: --- → ?
status1.9.2: --- → ?
Resolution: --- → FIXED

Updated (9 years ago)
blocking2.0: ? → betaN+

Comment 9

A non-proxy testcase that could be used to verify the branches would be great. The patch itself needs only minor merging for the branches (macro/#define name changes).
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Keywords: testcase-wanted
blocking1.9.1: ? → .17+
blocking1.9.2: ? → .14+

Comment 10 (Assignee, 8 years ago)

The bug doesn't exist in 1.9.1 (I tried the test case on 1.9.1, no crash). Landed on 1.9.2.

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98467bef1347
blocking1.9.1: .17+ → ---

Comment 11

(In reply to comment #0)
> for (b = 0; b < 1; ++b) {
>     var d = b
> }
> (function () {
>     x = Proxy.create(function () {
>         return {
>             getPropertyDescriptor: function () {
>                 +""
>             }
>         }
>     }(), 5)
> }())
> for (a = 0; a < 3; ++a) {
>     if (a == 1) {
>         d in x
>     }
> }

When I run this in my own 1.9.2 debug build (pre-fix) or 1.9.2.13, I get "ReferenceError on line 5: Proxy is not defined".

I'm not a JS shell expert but I expect I'm doing something wrong here.

Comment 12 (Assignee, 8 years ago)

1.9.2 doesn't have proxies. You would need some other non-native object to make this happen (i.e. liveconnect).
Marking this at NTD (nothing to do) for QA for branch since there are no steps to reproduce or testcases.
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192]
Group: core-security
Crash Signature: [@ JSObject::dropProperty] [@ js::TraceRecorder::record_JSOP_IN]
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-