Crash [@ js::JSProxyHandler::construct] or "Assertion failure: proto->isNative(),"

RESOLVED FIXED

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 8 years ago
Modified: 7 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86 Mac OS X
Keywords: assertion, crash, regression, testcase
Points: ---
Bug Flags: in-testsuite ?

Firefox Tracking Flags

(blocking2.0 betaN+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [ccbr][sg:dos], crash signature)

(Reporter)

Description

8 years ago
// Testcase for the old SpiderMonkey Proxy.createFunction(handler, callTrap) API:
// the handler's `get` trap answers every property lookup, including `prototype`,
// with the proxy itself; `eval` is passed as the call trap and no construct trap
// is given, so construction falls through to the default proxy construct path.
x = Proxy.createFunction((function() {
  return {
    get: function() {
      return x
    }
  }
})(), eval)
// Constructing the proxy is what crashes; new(x) is the same as new x.
new(x)

crashes js opt shell on TM tip without -j at js::JSProxyHandler::construct and asserts js debug shell on TM tip without -j at Assertion failure: proto->isNative(), at ../jsobjinlines.h:636

Seems like a null deref, assuming [sg:dos] but setting s-s just-in-case.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000002d
0x000b5dd8 in js::JSProxyHandler::construct ()
(gdb) bt
#0  0x000b5dd8 in js::JSProxyHandler::construct ()
#1  0x000b472b in js::proxy_Construct ()
#2  0x0006695c in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> ()
#3  0x00067244 in js_Invoke ()
#4  0x000679d6 in js_InvokeConstructor ()
#5  0x000592e0 in js_Interpret ()
#6  0x00066fa6 in js_Execute ()
#7  0x000132f8 in JS_ExecuteScript ()
#8  0x00004b9c in Process ()
#9  0x00008206 in shell ()
#10 0x00008717 in main ()
(gdb) x/i $eip
0xb5dd8 <_ZN2js14JSProxyHandler9constructEP9JSContextP8JSObjectS4_jPlS5_+424>:  incl   0x2c(%eax)
(gdb) x/b $eax
0x1:    Cannot access memory at address 0x1
(Reporter)

Comment 1

8 years ago
Assertion failure: proto->isNative(), at ../jsobjinlines.h:636

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb31 in JS_Assert (s=0x1ed938 "proto->isNative()", file=0x1e9568 "../jsobjinlines.h", ln=636) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0014fb31 in JS_Assert (s=0x1ed938 "proto->isNative()", file=0x1e9568 "../jsobjinlines.h", ln=636) at ../jsutil.cpp:77
#1  0x00104ccd in js::NewNativeClassInstance (cx=0x865200, clasp=0x20a300, proto=0x10022e0, parent=0x1002000) at jsobjinlines.h:636
#2  0x001057dd in js::JSProxyHandler::construct (this=0x210070, cx=0x865200, proxy=0x10022e0, receiver=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at ../jsproxy.cpp:282
#3  0x00103831 in js::JSProxy::construct (cx=0x865200, proxy=0x10022e0, receiver=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at ../jsproxy.cpp:809
#4  0x001038c4 in js::proxy_Construct (cx=0x865200, obj=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at ../jsproxy.cpp:992
#5  0x000afc45 in js::callJSNative (cx=0x865200, native=0x103847 <js::proxy_Construct(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at jscntxtinlines.h:339
#6  0x000ac3a1 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x865200, fun=0x0, script=0x0, native=0x103847 <js::proxy_Construct(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0xbffff2dc, flags=1) at jsinterp.cpp:591
#7  0x000aecf7 in js_Invoke (cx=0x865200, args=@0xbffff2dc, flags=1) at jsinterp.cpp:715
#8  0x000af033 in js_InvokeConstructor (cx=0x865200, args=@0xbffff2dc) at jsinterp.cpp:1140
#9  0x0009b635 in js_Interpret (cx=0x865200) at jsops.cpp:1991
#10 0x000ae293 in js_Execute (cx=0x865200, chain=0x1002000, script=0x40d810, down=0x0, flags=0, result=0xbffff738) at jsinterp.cpp:891
#11 0x00015e69 in JS_ExecuteScript (cx=0x865200, obj=0x1002000, script=0x40d810, rval=0xbffff738) at ../jsapi.cpp:4751
#12 0x00009895 in Process (cx=0x865200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:522
#13 0x0000a259 in ProcessArgs (cx=0x865200, obj=0x1002000, argv=0xbffff908, argc=0) at ../../shell/js.cpp:843
#14 0x0000a372 in shell (cx=0x865200, argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5025
#15 0x0000a496 in main (argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5112
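The debug backtrace above shows js::NewNativeClassInstance being handed proto=0x10022e0, the same address as the proxy in the js::JSProxyHandler::construct frame: the `get` trap returned the proxy itself for the `prototype` lookup, and a proxy is not a native object, which is what trips proto->isNative(). The bug's testcase uses the pre-standard Proxy.createFunction API that no current engine ships. What follows is an added example, not code from the bug report or from SpiderMonkey, that rebuilds the same shape on the standard ES2015 Proxy and checks how a spec-conformant engine handles the three outcomes of that `prototype` lookup: the proxy itself, a non-object, and an ordinary object. The names `constructThroughProxy` and `chooseProto` are invented for this example.

```javascript
'use strict';
// Added example, not code from the bug report: the testcase's shape rebuilt on the
// standard ES2015 Proxy API. `new` on a function proxy looks up `prototype` through
// the proxy's `get` trap, so the trap controls what the new instance inherits from.
// `constructThroughProxy` and `chooseProto` are names invented for this example.

function constructThroughProxy(chooseProto) {
  const target = function Ctor() {};
  let proxy;
  const handler = {
    get(t, prop, receiver) {
      // Only the `prototype` lookup is intercepted; everything else is forwarded.
      if (prop === 'prototype') return chooseProto(proxy);
      return Reflect.get(t, prop, receiver);
    },
  };
  proxy = new Proxy(target, handler);
  // No `construct` trap: the engine runs the target's [[Construct]] with
  // newTarget = proxy and fetches newTarget.prototype via the trap above.
  const instance = new proxy();
  return { proxy, instance, proto: Object.getPrototypeOf(instance) };
}

// Case 1: the trap returns the proxy itself (the bug's testcase). The proxy is an
// exotic, non-native object, but it is still an object, so it becomes the
// instance's [[Prototype]]; later lookups on the instance route through the trap.
function protoIsTheProxy() {
  const r = constructThroughProxy((p) => p);
  return r.proto === r.proxy;
}

// Case 2: the trap returns a non-object. GetPrototypeFromConstructor ignores it
// and uses the realm's Object.prototype rather than treating the value as an object.
function nonObjectFallsBackToObjectPrototype() {
  return [42, null, undefined, 'str'].every(
    (v) => constructThroughProxy(() => v).proto === Object.prototype,
  );
}

// Case 3: an ordinary object from the trap is used as-is.
function explicitPrototypeIsHonoured() {
  const custom = { marker: 'custom' };
  const r = constructThroughProxy(() => custom);
  return r.proto === custom && r.instance.marker === 'custom';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('proto is the proxy:', protoIsTheProxy());
  console.log('non-object falls back to Object.prototype:', nonObjectFallsBackToObjectPrototype());
  console.log('explicit prototype honoured:', explicitPrototypeIsHonoured());
}
```

Run it with `node file.js`; all three checks print `true` on a conformant engine. The first case is the one this bug is about: the instance's prototype may legitimately be a proxy (or any other non-native object), so a construct path that assumes a native prototype, as the asserting NewNativeClassInstance call does here, has to either accept non-native prototypes or substitute a safe default before allocating the instance.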
(Reporter)

Comment 3

8 years ago
This is likely to be fixed by the patch in bug 575208.

http://hg.mozilla.org/tracemonkey/rev/9749ef55a16b
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Flags: in-testsuite?
Resolution: --- → FIXED

Updated

8 years ago
blocking2.0: ? → betaN+
Group: core-security
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Crash Signature: [@ js::JSProxyHandler::construct]