Closed Bug 574294 Opened 10 years ago Closed 10 years ago

Crash [@ js::fun_toStringHelper] or "Assertion failure: proxy->isFunctionProxy(),"

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS

RESOLVED FIXED

People

(Reporter: gkw, Assigned: gal)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

print(Proxy.create((function(x) {
  return {
	get: function(r, name) {
	  return x[name]
	},
  }
})(function() {})))

asserts js debug shell on TM tip without -j at Assertion failure: proxy->isFunctionProxy(), at ../jsproxy.cpp:59

===

(gdb) bt
#0  0x001508d9 in JS_Assert (s=0x1f1d11 "proxy->isFunctionProxy()", file=0x1f1c01 "../jsproxy.cpp", ln=59) at ../jsutil.cpp:77
#1  0x001057fa in js::GetCall (proxy=0x1002160) at ../jsproxy.cpp:59
#2  0x00108dc0 in js::JSProxyHandler::fun_toString (this=0x20ee10, cx=0x809200, proxy=0x1002160, indent=0) at ../jsproxy.cpp:231
#3  0x00104a1e in js::JSProxy::fun_toString (cx=0x809200, proxy=0x1002160, indent=0) at ../jsproxy.cpp:817
#4  0x0006f57d in js::fun_toStringHelper (cx=0x809200, obj=0x1002160, indent=0) at ../jsfun.cpp:1829
#5  0x0006f8f7 in fun_toString (cx=0x809200, argc=0, vp=0x500110) at ../jsfun.cpp:1860
#6  0x000b11e0 in js::callJSFastNative (cx=0x809200, native=0x6f792 <fun_toString(JSContext*, unsigned int, long*)>, argc=0, vp=0x500110) at jscntxtinlines.h:347
#7  0x000ad6cc in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x809200, fun=0x10030a8, script=0x0, native=0x6f792 <fun_toString(JSContext*, unsigned int, long*)>, args=@0xbfffec20, flags=0) at jsinterp.cpp:462
#8  0x000b0258 in js_Invoke (cx=0x809200, args=@0xbfffec20, flags=0) at jsinterp.cpp:672
#9  0x000b07e4 in js_InternalInvoke (cx=0x809200, thisv=16785760, fval=16789672, flags=0, argc=0, argv=0x0, rval=0xbfffecd8) at jsinterp.cpp:718
#10 0x000c7f7f in js_TryMethod (cx=0x809200, obj=0x1002160, atom=0x1000524, argc=0, argv=0x0, rval=0xbfffecd8) at ../jsobj.cpp:5919
#11 0x000c8285 in js_DefaultValue (cx=0x809200, obj=0x1002160, hint=JSTYPE_STRING, vp=0xbfffed74) at ../jsobj.cpp:5359
#12 0x0013b18b in JSObject::defaultValue (this=0x1002160, cx=0x809200, hint=JSTYPE_STRING, vp=0xbfffed74) at jsobj.h:680
#13 0x00133988 in js_ValueToString (cx=0x809200, v=16785760) at ../jsstr.cpp:3234
#14 0x00013f53 in JS_ValueToString (cx=0x809200, v=16785760) at ../jsapi.cpp:424
#15 0x00008f42 in Print (cx=0x809200, argc=1, vp=0x5000e0) at ../../shell/js.cpp:1036
#16 0x0009dbff in js_Interpret (cx=0x809200) at jsops.cpp:2145
#17 0x000afad3 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40c880, down=0x0, flags=0, result=0x0) at jsinterp.cpp:870
#18 0x00016466 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40c880, rval=0x0) at ../jsapi.cpp:4737
#19 0x00009cdf in Process (cx=0x809200, obj=0x1002000, filename=0xbffff840 "w76-reduced.js", forceTTY=0) at ../../shell/js.cpp:429
#20 0x0000aa11 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff72c, argc=1) at ../../shell/js.cpp:843
#21 0x0000ab2a in shell (cx=0x809200, argc=1, argv=0xbffff72c, envp=0xbffff734) at ../../shell/js.cpp:5057
#22 0x0000ac4e in main (argc=1, argv=0xbffff72c, envp=0xbffff734) at ../../shell/js.cpp:5144
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   44269:3aaaa21012c8
user:        Jason Orendorff
date:        Wed Jun 23 16:35:10 2010 -0500
summary:     Bug 563099 - Compartments and wrappers API. r=gal.


This also causes a near-null dereference in opt shells:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000014
0x0004a23e in js::fun_toStringHelper ()
(gdb) bt
#0  0x0004a23e in js::fun_toStringHelper ()
#1  0x000b410c in js::JSProxy::fun_toString ()
#2  0x0004edd3 in fun_toString ()
#3  0x0006744d in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> ()
#4  0x00067848 in js_Invoke ()
#5  0x000682c0 in js_InternalInvoke ()
#6  0x0007888d in js_TryMethod ()
#7  0x000789ad in js_DefaultValue ()
#8  0x000e2c4f in js_ValueToString ()
#9  0x000049c6 in Print ()
#10 0x0005fce4 in js_Interpret ()
#11 0x00066ec6 in js_Execute ()
#12 0x000134f8 in JS_ExecuteScript ()
#13 0x00005356 in Process ()
#14 0x000087a7 in shell ()
#15 0x00008cc7 in main ()
(gdb) x/i $eip
0x4a23e <_ZN2js18fun_toStringHelperEP9JSContextP8JSObjectj+30>: mov    0x4(%ecx),%edx
(gdb) x/b $ecx
0x10:   Cannot access memory at address 0x10
Summary: "Assertion failure: proxy->isFunctionProxy()," → Crash [@ js::fun_toStringHelper] or "Assertion failure: proxy->isFunctionProxy(),"
Assignee: general → gal
Attached patch: patch (obsolete)
Couple things. Don't try to Function.prototype.toString a non-function proxy. Also set proto to Object.prototype if not supplied for Proxy.create and proto->getParent() must be the parent we looked up in the parent standard slot (is that true?).
Talked about this on iChat. I pointed to

http://wiki.ecmascript.org/doku.php?id=harmony:proxies_semantics#detailed_semantics_of_behavior_for_object_and_function_proxies

which the middle hunk violates. Third hunk looks good. First seems better than crashing, albeit only a little ;-).

/be
Attached patch: minimal fix
Attachment #453787 - Attachment is obsolete: true
Attachment #453791 - Flags: review?(brendan)
Attachment #453791 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/00f66a8f54ff
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/00f66a8f54ff
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
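
The behaviour the thread asks for, that Function.prototype.toString reached through a forwarding get trap must reject a non-function proxy instead of treating it as a function, written as a regression check. This is an added example, not code from the bug report or the patch; it assumes a modern engine and substitutes the standardized `new Proxy(target, handler)` for the pre-standard `Proxy.create`, and `makeForwardingProxy`, `classifyStringConversion` and `runChecks` are hypothetical names.

```javascript
// Added example, not code from the bug report or the SpiderMonkey patch.
// Assumption: a modern engine; the standardized `new Proxy(target, handler)`
// stands in for the pre-standard Proxy.create() used in the test case.

// Build a proxy whose `get` trap forwards every lookup to `source`,
// mirroring the handler in the report (hypothetical helper name).
function makeForwardingProxy(target, source) {
  return new Proxy(target, {
    get(_target, name) {
      return source[name];
    },
  });
}

// Convert to string the way the shell's print() does: the engine looks up
// `toString` through the trap, receives Function.prototype.toString, and
// calls it with the proxy as `this` (hypothetical helper name).
function classifyStringConversion(value) {
  try {
    return { outcome: "string", detail: String(value) };
  } catch (e) {
    const outcome = e instanceof TypeError ? "TypeError" : "other-error";
    return { outcome, detail: e.message };
  }
}

function runChecks() {
  const fn = function () {};
  return {
    // Shape from the report: object proxy, lookups forwarded to a function.
    objectProxy: classifyStringConversion(makeForwardingProxy({}, fn)),
    // Same handler over a callable target: a genuine function proxy.
    functionProxy: classifyStringConversion(makeForwardingProxy(fn, fn)),
    // Baseline: the generic method applied directly to a plain object.
    plainObject: classifyStringConversion({ toString: fn.toString }),
  };
}

for (const [name, result] of Object.entries(runChecks())) {
  console.log(name.padEnd(14), result.outcome, "-", result.detail);
}
```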