Bug 576734 (Closed: RESOLVED FIXED)
Opened 14 years ago; closed 14 years ago
Crash [@ JSObjectOps::isNative] or [@ JS_TraceChildren] or "Assertion failure: !entered," or "Assertion failure: table," or "Assertion failure: scope->object == obj,"
Categories: Core :: JavaScript Engine, defect
Tracking:
|  | Tracking | Status |
|---|---|---|
| blocking2.0 | --- | betaN+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People: Reporter: gkw, Unassigned
Details: 4 keywords, Whiteboard: [ccbr][sg:dupe 576722]
Description (Reporter)

```
gczeal(2)
try { <x/>() } catch(e) {}
x = evalcx('')
```

crashes js debug shell without -j at JSObjectOps::isNative, or asserts at "Assertion failure: !entered, at ../jstl.h:199" when pasted into the shell without -j, or asserts at "Assertion failure: table, at ../jshashtable.h:395" when pasted into the shell with -j.

s-s and assuming [sg:critical?] because this involves gczeal and also seems to be accessing memory at a strange location.

===

```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x68e00000
0x000805fc in JSObjectOps::isNative (this=0x68e00000) at jsobj.h:187
187         return JS_LIKELY(this == &js_ObjectOps) || !objectMap;
(gdb) bt
#0  0x000805fc in JSObjectOps::isNative (this=0x68e00000) at jsobj.h:187
#1  0x0000c7e9 in JSObject::isNative (this=0x1002201) at jsobj.h:266
#2  0x0008062c in JSObject::scope (this=0x1002201) at jsscope.h:573
#3  0x000c1865 in js_AllocSlot (cx=0x809400, obj=0x1002201, slotp=0xbfffe970) at ../jsobj.cpp:3973
#4  0x0012a079 in JSScope::getChildProperty (this=0x40da30, cx=0x809400, parent=0x0, child=@0xbfffe964) at ../jsscope.cpp:565
#5  0x0012a3ee in JSScope::addPropertyHelper (this=0x40da30, cx=0x809400, id=16778132, getter=0xbfdba <CheckCtorGetAccess(JSContext*, JSObject*, long, long*)>, setter=0xbfce9 <CheckCtorSetAccess(JSContext*, JSObject*, long, long*)>, slot=4294967295, attrs=0, flags=0, shortid=0, spp=0x40da54) at ../jsscope.cpp:874
#6  0x0012a624 in JSScope::putProperty (this=0x40da30, cx=0x809400, id=16778132, getter=0xbfdba <CheckCtorGetAccess(JSContext*, JSObject*, long, long*)>, setter=0xbfce9 <CheckCtorSetAccess(JSContext*, JSObject*, long, long*)>, slot=4294967295, attrs=0, flags=0, shortid=0) at ../jsscope.cpp:931
#7  0x000c4a33 in js_DefineNativeProperty (cx=0x809400, obj=0x10022c0, id=16778132, value=16799824, getter=0xbfdba <CheckCtorGetAccess(JSContext*, JSObject*, long, long*)>, setter=0xbfce9 <CheckCtorSetAccess(JSContext*, JSObject*, long, long*)>, attrs=0, flags=0, shortid=0, propp=0x0, defineHow=0) at ../jsobj.cpp:4306
#8  0x000c4cde in js_DefineProperty (cx=0x809400, obj=0x10022c0, id=16778132, value=16799824, getter=0xbfdba <CheckCtorGetAccess(JSContext*, JSObject*, long, long*)>, setter=0xbfce9 <CheckCtorSetAccess(JSContext*, JSObject*, long, long*)>, attrs=0) at ../jsobj.cpp:4170
#9  0x00025fa4 in JSObject::defineProperty (this=0x10022c0, cx=0x809400, id=16778132, value=16799824, getter=0xbfdba <CheckCtorGetAccess(JSContext*, JSObject*, long, long*)>, setter=0xbfce9 <CheckCtorSetAccess(JSContext*, JSObject*, long, long*)>, attrs=0) at jsobj.h:656
#10 0x000bc52f in js_SetClassPrototype (cx=0x809400, ctor=0x1005850, proto=0x10022c0, attrs=6) at ../jsobj.cpp:5862
#11 0x000c7524 in js_InitClass (cx=0x809400, obj=0x10022e0, parent_proto=0x0, clasp=0x20a300, constructor=0xc7db0 <js_Object>, nargs=1, ps=0x20a520, fs=0x20a540, static_ps=0x0, static_fs=0x20a620) at ../jsobj.cpp:3531
#12 0x000c776e in js_InitObjectClass (cx=0x809400, obj=0x10022e0) at ../jsobj.cpp:3351
#13 0x00019ac7 in js_InitFunctionAndObjectClasses (cx=0x809400, obj=0x10022e0) at ../jsapi.cpp:1226
#14 0x00019cca in JS_InitStandardClasses (cx=0x809400, obj=0x10022e0) at ../jsapi.cpp:1271
#15 0x0000596b in NewSandbox (cx=0x809400, lazy=false, split=false) at ../../shell/js.cpp:2939
#16 0x00005c56 in EvalInContext (cx=0x809400, obj=0x1002000, argc=1, argv=0x5000ec, rval=0x500134) at ../../shell/js.cpp:2981
#17 0x000afc45 in js::callJSNative (cx=0x809400, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1002000, argc=1, argv=0x5000ec, rval=0x500134) at jscntxtinlines.h:339
#18 0x000ac3a1 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x809400, fun=0x1003e00, script=0x0, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0xbffff2cc, flags=2) at jsinterp.cpp:591
#19 0x000aebfa in js_Invoke (cx=0x809400, args=@0xbffff2cc, flags=2) at jsinterp.cpp:693
#20 0x0009c595 in js_Interpret (cx=0x809400) at jsops.cpp:2155
#21 0x000ae293 in js_Execute (cx=0x809400, chain=0x1002000, script=0x40ca90, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#22 0x00015e69 in JS_ExecuteScript (cx=0x809400, obj=0x1002000, script=0x40ca90, rval=0x0) at ../jsapi.cpp:4751
#23 0x00009526 in Process (cx=0x809400, obj=0x1002000, filename=0xbffff9ca "w9207-cj-in.js", forceTTY=0) at ../../shell/js.cpp:429
#24 0x0000a259 in ProcessArgs (cx=0x809400, obj=0x1002000, argv=0xbffff8e4, argc=1) at ../../shell/js.cpp:843
#25 0x0000a372 in shell (cx=0x809400, argc=1, argv=0xbffff8e4, envp=0xbffff8ec) at ../../shell/js.cpp:5025
#26 0x0000a496 in main (argc=1, argv=0xbffff8e4, envp=0xbffff8ec) at ../../shell/js.cpp:5112
(gdb) x/i $eip
0x805fc <_ZNK11JSObjectOps8isNativeEv+36>:      mov (%eax),%eax
(gdb) x/b $eax
0x68e00000:     Cannot access memory at address 0x68e00000
```
Comment 1 (Reporter) • 14 years ago
Tested with TM changeset: http://hg.mozilla.org/tracemonkey/rev/28de8731f08c

===

```
Assertion failure: !entered, at ../jstl.h:199
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb31 in JS_Assert (s=0x1e6404 "!entered", file=0x1e026c "../jstl.h", ln=199) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0014fb31 in JS_Assert (s=0x1e6404 "!entered", file=0x1e026c "../jstl.h", ln=199) at ../jsutil.cpp:77
#1  0x00154ace in js::ReentrancyGuard::ReentrancyGuard<js::detail::HashTable<js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::Entry, js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy> const> (this=0xbffff364, obj=@0x40db0c) at jstl.h:199
#2  0x00155b9d in js::detail::HashTable<js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::Entry, js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::lookup (this=0x40db0c, l=@0xbffff434) at jshashtable.h:580
#3  0x00155c0a in js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::lookup (this=0x40db0c, l=@0xbffff434) at jshashtable.h:804
#4  0x00150e47 in JSCompartment::wrap (this=0x40db00, cx=0x865200, vp=0xbffff434) at ../jswrapper.cpp:336
#5  0x001513b6 in JSCompartment::wrapId (this=0x40db00, cx=0x865200, idp=0xbffff530) at ../jswrapper.cpp:417
#6  0x00152a3b in JSCrossCompartmentWrapper::get (this=0x210114, cx=0x865200, wrapper=0x1002760, receiver=0x1002220, id=16778532, vp=0xbffff640) at ../jswrapper.cpp:652
#7  0x00103b7e in js::JSProxy::get (cx=0x865200, proxy=0x1002760, receiver=0x1002760, id=16778532, vp=0xbffff640) at ../jsproxy.cpp:773
#8  0x00103bc1 in js::proxy_GetProperty (cx=0x865200, obj=0x1002760, id=16778532, vp=0xbffff640) at ../jsproxy.cpp:861
#9  0x0000bd89 in JSObject::getProperty (this=0x1002760, cx=0x865200, id=16778532, vp=0xbffff640) at jsobj.h:660
#10 0x000c69ef in js_GetMethod (cx=0x865200, obj=0x1002760, id=16778532, getHow=2, vp=0xbffff640) at ../jsobj.cpp:4959
#11 0x000c6ab1 in js_TryMethod (cx=0x865200, obj=0x1002760, atom=0x1000524, argc=0, argv=0x0, rval=0xbffff6a0) at ../jsobj.cpp:5956
#12 0x001337dc in js_ValueToSource (cx=0x865200, v=16787296) at ../jsstr.cpp:3311
#13 0x000253d4 in JS_ValueToSource (cx=0x865200, v=16787296) at ../jsapi.cpp:432
#14 0x000098ce in Process (cx=0x865200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:524
#15 0x0000a259 in ProcessArgs (cx=0x865200, obj=0x1002000, argv=0xbffff908, argc=0) at ../../shell/js.cpp:843
#16 0x0000a372 in shell (cx=0x865200, argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5025
#17 0x0000a496 in main (argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5112
```
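Frame #1 of the trace above is js::ReentrancyGuard firing while HashTable::lookup (frame #2) enters the compartment's wrapper map, which is what "Assertion failure: !entered" means: the table was already inside an operation when a second operation on it began. The following is an added illustration of that debug-guard pattern, written for this page; it is not SpiderMonkey's code and is not from the bug reporter. The WrapperMap class, its `during` hook and the sample key/value numbers are constructed for the example, and a violation throws std::logic_error instead of calling JS_ASSERT so the detection can be observed rather than aborting the process.

```cpp
#include <functional>
#include <stdexcept>
#include <unordered_map>

// Minimal stand-in for a debug-only reentrancy guard. The guarded object carries an
// `entered` flag; the guard sets it on entry, clears it on scope exit, and treats
// finding it already set as a bug: the table is being re-entered while a previous
// operation on it is still on the stack.
// Assumption for this example: a violation throws instead of asserting, so the
// failure can be caught and checked.
class ReentrancyGuard {
    bool &entered_;
public:
    explicit ReentrancyGuard(bool &entered) : entered_(entered) {
        if (entered_)
            throw std::logic_error("reentrant access to guarded table");
        entered_ = true;
    }
    ~ReentrancyGuard() { entered_ = false; }
    ReentrancyGuard(const ReentrancyGuard &) = delete;
    ReentrancyGuard &operator=(const ReentrancyGuard &) = delete;
};

// Toy analogue of a compartment's wrapper map (key -> wrapper). Every public
// operation takes the guard, so any nested use is caught at the entry point.
class WrapperMap {
    std::unordered_map<long, long> table_;
    bool entered_ = false;   // debug flag checked by ReentrancyGuard
public:
    // `during` is a hook that runs while the lookup is in progress; it stands in
    // for work (such as a GC triggered by an allocation) that touches the map
    // again before the outer lookup has finished.
    long lookup(long key, const std::function<void()> &during = nullptr) {
        ReentrancyGuard guard(entered_);
        if (during)
            during();
        auto it = table_.find(key);
        return it == table_.end() ? -1 : it->second;
    }

    void put(long key, long wrapper) {
        ReentrancyGuard guard(entered_);
        table_[key] = wrapper;
    }
};

// Well-behaved use: sequential operations never trip the guard.
long sequentialLookup() {
    WrapperMap map;
    map.put(0x1002760, 0x1002220);   // constructed sample key/value pair
    return map.lookup(0x1002760);
}

// Faulty use: the map is mutated while an outer lookup on it is still in
// progress. Returns true when the guard reports the violation.
bool guardDetectsReentrancy() {
    WrapperMap map;
    map.put(0x1002760, 0x1002220);
    try {
        map.lookup(0x1002760, [&map] { map.put(0x1002840, 0x1002000); });
        return false;   // guard did not fire: the table was used mid-update unnoticed
    } catch (const std::logic_error &) {
        return true;    // the nested access was caught on entry
    }
}

// Once the guards unwind, the flag is clear and the map is usable again.
long mapUsableAfterViolation() {
    WrapperMap map;
    map.put(1, 10);
    try {
        map.lookup(1, [&map] { map.lookup(1); });
    } catch (const std::logic_error &) {
    }
    return map.lookup(1);
}
```

The guard costs one flag write per operation and catches the nesting at the point of entry, which is why the assertion in the trace names the table (`!entered`) rather than the later memory error the same condition produces in a non-debug build.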
Comment 2 (Reporter) • 14 years ago

Testing with TM changeset http://hg.mozilla.org/tracemonkey/rev/9749ef55a16b : This assert may also be related:

```
Assertion failure: scope->object == obj, at ../jsobj.cpp:3974
```
Updated (Reporter) • 14 years ago
Summary: Crash [@ JSObjectOps::isNative] or "Assertion failure: !entered," or "Assertion failure: table," → Crash [@ JSObjectOps::isNative] or "Assertion failure: !entered," or "Assertion failure: table," or "Assertion failure: scope->object == obj,"
Comment 3 (Reporter) • 14 years ago
Variants crash at JS_TraceChildren:

```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000002c
0x00078667 in JS_TraceChildren (trc=0xbfffe8c0, thing=0x1002840, kind=0) at ../jsgc.cpp:2086
2086            obj->map->ops->trace(trc, obj);
(gdb) bt
#0  0x00078667 in JS_TraceChildren (trc=0xbfffe8c0, thing=0x1002840, kind=0) at ../jsgc.cpp:2086
#1  0x00078cdb in js_CallGCMarker (trc=0xbfffe8c0, thing=0x1002840, kind=0) at ../jsgc.cpp:2356
#2  0x000c1792 in js_TraceObject (trc=0xbfffe8c0, obj=0x1006070) at ../jsobj.cpp:6191
#3  0x00078679 in JS_TraceChildren (trc=0xbfffe8c0, thing=0x1006070, kind=0) at ../jsgc.cpp:2086
#4  0x00078cdb in js_CallGCMarker (trc=0xbfffe8c0, thing=0x1006070, kind=0) at ../jsgc.cpp:2356
#5  0x000c1792 in js_TraceObject (trc=0xbfffe8c0, obj=0x1002000) at ../jsobj.cpp:6191
#6  0x00078679 in JS_TraceChildren (trc=0xbfffe8c0, thing=0x1002000, kind=0) at ../jsgc.cpp:2086
#7  0x00078cdb in js_CallGCMarker (trc=0xbfffe8c0, thing=0x1002000, kind=0) at ../jsgc.cpp:2356
#8  0x00012e81 in JS_CallTracer (trc=0xbfffe8c0, thing=0x1002000, kind=0) at ../jsapi.cpp:2037
#9  0x000790b1 in js_TraceContext (trc=0xbfffe8c0, acx=0x809200) at ../jsgc.cpp:2642
#10 0x0007aff0 in js_TraceRuntime (trc=0xbfffe8c0) at ../jsgc.cpp:2688
#11 0x0007b1d5 in GC (cx=0x809200) at ../jsgc.cpp:3269
#12 0x0007b4fe in GCUntilDone (cx=0x809200, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3653
#13 0x0007b644 in js_GC (cx=0x809200, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3707
#14 0x0007b751 in LastDitchGC (cx=0x809200) at ../jsgc.cpp:1737
#15 0x0007c0a2 in RefillFinalizableFreeList (cx=0x809200, thingKind=1) at ../jsgc.cpp:1761
#16 0x0007c314 in js_NewFinalizableGCThing (cx=0x809200, thingKind=1) at ../jsgc.cpp:1849
#17 0x0006d12b in js_NewGCFunction (cx=0x809200) at jsgc.h:299
#18 0x0006d978 in js::NewObjectWithGivenProto (cx=0x809200, clasp=0x209880, proto=0x1008c08, parent=0x1002540) at jsobjinlines.h:748
#19 0x0006dc2c in js::NewObject (cx=0x809200, clasp=0x209880, proto=0x1008c08, parent=0x1002540) at jsobjinlines.h:829
#20 0x0006dcaa in js_NewFunction (cx=0x809200, funobj=0x0, native=0x6acb9 <Exception(JSContext*, JSObject*, unsigned int, long*, long*)>, nargs=3, flags=0, parent=0x1002540, atom=0x1000224) at ../jsfun.cpp:2396
#21 0x0006dec2 in js_DefineFunction (cx=0x809200, obj=0x1002540, atom=0x1000224, native=0x6acb9 <Exception(JSContext*, JSObject*, unsigned int, long*, long*)>, nargs=3, attrs=0) at ../jsfun.cpp:2549
#22 0x00068864 in js_InitExceptionClasses (cx=0x809200, obj=0x1002540) at ../jsexn.cpp:1022
#23 0x00019e35 in JS_InitStandardClasses (cx=0x809200, obj=0x1002540) at ../jsapi.cpp:1291
#24 0x00005a7b in NewSandbox (cx=0x809200, lazy=false, split=false) at ../../shell/js.cpp:2939
#25 0x00005d66 in EvalInContext (cx=0x809200, obj=0x1002000, argc=1, argv=0x500144, rval=0x50018c) at ../../shell/js.cpp:2981
#26 0x000afd55 in js::callJSNative (cx=0x809200, native=0x5c11 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1002000, argc=1, argv=0x500144, rval=0x50018c) at jscntxtinlines.h:339
#27 0x000ac4b1 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x809200, fun=0x1003e00, script=0x0, native=0x5c11 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0xbffff2bc, flags=2) at jsinterp.cpp:591
#28 0x000aed0a in js_Invoke (cx=0x809200, args=@0xbffff2bc, flags=2) at jsinterp.cpp:693
#29 0x0009c6a5 in js_Interpret (cx=0x809200) at jsops.cpp:2155
#30 0x000ae3a3 in js_Execute (cx=0x809200, chain=0x1002000, script=0x86f200, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#31 0x00015f79 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x86f200, rval=0x0) at ../jsapi.cpp:4751
#32 0x00009636 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff9bd "test/w5645-cj-in.js", forceTTY=0) at ../../shell/js.cpp:429
#33 0x0000a369 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff8d0, argc=2) at ../../shell/js.cpp:843
#34 0x0000a482 in shell (cx=0x809200, argc=2, argv=0xbffff8d0, envp=0xbffff8dc) at ../../shell/js.cpp:5025
#35 0x0000a5a6 in main (argc=2, argv=0xbffff8d0, envp=0xbffff8dc) at ../../shell/js.cpp:5112
(gdb) x/i $eip
0x78667 <JS_TraceChildren+72>:  mov 0x2c(%eax),%edx
(gdb) x/b $eax
0x0:    Cannot access memory at address 0x0
```
Summary: Crash [@ JSObjectOps::isNative] or "Assertion failure: !entered," or "Assertion failure: table," or "Assertion failure: scope->object == obj," → Crash [@ JSObjectOps::isNative] or [@ JS_TraceChildren] or "Assertion failure: !entered," or "Assertion failure: table," or "Assertion failure: scope->object == obj,"
Comment 4 (Reporter) • 14 years ago

I also see possibly related asserts and crashes at "Assertion failure: collision_flag, at ../jsscope.cpp:470" and at js_CallGCMarker.
Comment 5 (Reporter) • 14 years ago
May be related to https://bugzilla.mozilla.org/show_bug.cgi?id=576722
See Also: → 576722
Comment 6 • 14 years ago
could we bisect to be sure?
Comment 7 (Reporter) • 14 years ago

(In reply to comment #6)
> could we bisect to be sure?

http://hg.mozilla.org/tracemonkey/rev/49abcb57270a :

```
$ ./js-dbg-32-tm-linux ../576734.js
Segmentation fault
$
```

http://hg.mozilla.org/tracemonkey/rev/cfdbd2d27b5f (the next changeset, i.e. the patch from bug 576722) :

```
$ ./js-dbg-32-tm-linux ../576734.js
$
```

Fixed by bug 576722. (or might be a dupe, not sure)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
blocking2.0: ? → betaN+
Updated • 14 years ago
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 576722]
Updated • 13 years ago
Crash Signature: [@ JSObjectOps::isNative] [@ JS_TraceChildren]