Closed Bug 569384 Opened 14 years ago Closed 14 years ago

TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
blocking1.9.2 --- .14+
status1.9.2 --- .14-fixed
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: gal)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192])

Crash Data

Attachments

(1 file)

patch
937 bytes, patch
luke
: review+
Details | Diff | Splinter Review 
for (b = 0; b < 1; ++b) {
    var d = b
}
(function () {
    x = Proxy.create(function () {
        return {
            getPropertyDescriptor: function () {
                +""
            }
        }
    }(), 5)
}())
for (a = 0; a < 3; ++a) {
    if (a == 1) {
        d in x
    }
}

crashes js opt shell with -j on TM tip at JSObject::dropProperty and asserts js debug shell with -j on TM tip at Assertion failure: status == ARECORD_ERROR, at ../jsops.cpp:7

s-s because this seems like a scary address (prior to reduction the edx instruction was at a weird 0x128 location). Assuming [sg:critical?] unless otherwise noted.

Program received signal SIGSEGV, Segmentation fault.
0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
(gdb) bt
#0  0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
#1  0x08216644 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x80bfef7 <_ZN8JSObject12dropPropertyEP9JSContextP10JSProperty+7>:	mov    (%edx),%eax
(gdb) x/b $edx
0x1:	Cannot access memory at address 0x1
(Also assuming related to harmony:proxies, setting dependency)
Assignee: general → gal
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
#0  0x00000000014021c0 in ?? ()
Cannot access memory at address 0x14021c0
#1  0x00000001001a3007 in js::TraceRecorder::record_JSOP_IN (this=0x100415410) at ../jstracer.cpp:14019
#2  0x00000001001a73e7 in js::TraceRecorder::monitorRecording (this=0x100415410, op=JSOP_IN) at jsopcode.tbl:281
#3  0x000000010008557d in js_Interpret (cx=0x10083c800) at jsops.cpp:78
#4  0x00000001000ae19a in js_Execute (cx=0x10083c800, chain=0x101402000, script=0x100414f90, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837
#5  0x00000001000123af in JS_ExecuteScript (cx=0x10083c800, obj=0x101402000, script=0x100414f90, rval=0x0) at ../jsapi.cpp:4831
#6  0x000000010000a168 in Process (cx=0x10083c800, obj=0x101402000, filename=0x7fff5fbffa90 "x2.js", forceTTY=0) at ../../shell/js.cpp:422
#7  0x000000010000adad in ProcessArgs (cx=0x10083c800, obj=0x101402000, argv=0x7fff5fbff938, argc=2) at ../../shell/js.cpp:836
#8  0x000000010000af28 in main (argc=2, argv=0x7fff5fbff938, envp=0x7fff5fbff950) at ../../shell/js.cpp:5082
not proxy related, just proxy triggered, probably needs branch fixing too, patch soon
Attached patch patchSplinter Review 

    
  

        Attachment #448619 -
        Flags: review?(lw)

    
  
No longer blocks: harmony:proxies
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:critical]

    
  
Blocks: 567068

    
    

    
  
Comment on attachment 448619 [details] [diff] [review]
patch

Ew, lame; thanks for finding and fixing that.

        Attachment #448619 -
        Flags: review?(lw) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/66cee22c2706
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical], fixed-in-tracemonkey

    
    

    
  
for (let n = 0; n < 7; ++n) {
    x = Proxy.create(function() {
        return {
            getPropertyDescriptor: function() {
                + ""
            }
        }
    } (), /x/)
}
for (z = 0; z < 5; ++z) {
    var a = z
}
for (var m = 0; m < 9; ++m) {
    if (m % 5 == 0) {} else {
        print(let(y = a in x) 7)
    }
}

is a 64-bit crash testcase (both in debug and opt shells) that got fixed by this patch, and it also crashes at js::TraceRecorder::record_JSOP_IN
Summary: TM: Crash [@ JSObject::dropProperty] or "Assertion failure: status == ARECORD_ERROR," → TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/66cee22c2706
Status: NEW → RESOLVED
Closed: 14 years ago

          status1.9.1:
          --- → ?

          status1.9.2:
          --- → ?
Resolution: --- → FIXED

    
  
blocking2.0: ? → betaN+

    
    

    
  
a non-proxy testcase that could be used to verify the branches would be great. The patch itself needs only minor merging for the branches (Macro/#define name changes).
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?

          status1.9.1:
          ?wanted

          status1.9.2:
          ?wanted
Keywords: testcase-wanted
blocking1.9.1: ? → .17+
blocking1.9.2: ? → .14+

    
    

    
  
The bug doesn't exist in 1.9.1 (I tried the test case on 1.9.1, no crash). Landed on 1.9.2.

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98467bef1347
blocking1.9.1: .17+ → ---

          status1.9.1:
          wantedunaffected

          status1.9.2:
          wanted.14-fixed

    
    

    
  
(In reply to comment #0)
> for (b = 0; b < 1; ++b) {
>     var d = b
> }
> (function () {
>     x = Proxy.create(function () {
>         return {
>             getPropertyDescriptor: function () {
>                 +""
>             }
>         }
>     }(), 5)
> }())
> for (a = 0; a < 3; ++a) {
>     if (a == 1) {
>         d in x
>     }
> }

When I run this in my own 1.9.2 debug build (pre-fix) or 1.9.2.13, I get "ReferenceError on line 5: Proxy is not defined".

I'm not a JS shell expert but I expect I'm doing something wrong here.

    
    

    
  
1.9.2 doesn't have proxies. You would need some other non-native object to make this happen (i.e. liveconnect).

    
    

    
  
Marking this at NTD (nothing to do) for QA for branch since there are no steps to reproduce or testcases.
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192]
Group: core-security
Crash Signature: [@ JSObject::dropProperty]
[@ js::TraceRecorder::record_JSOP_IN]

    
    

    
  
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Crash Signature: [@ JSObject::dropProperty]
[@ js::TraceRecorder::record_JSOP_IN] → [@ JSObject::dropProperty]
[@ js::TraceRecorder::record_JSOP_IN]

    
    

    
  
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: