Closed Bug 576742 Opened 10 years ago Closed 10 years ago

Crash [@ js::detail::HashTable]

Categories

(Core :: JavaScript Engine, defect, critical)
Hardware: x86, macOS

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical?])

gczeal(2);
for (var a = 0; a < 4; ++a) {
    print(evalcx(''));
}

Crashes the js debug shell on TM tip without -j at js::detail::HashTable.

Setting s-s and assuming [sg:critical?] because gdb seems to show that a weird memory address is being accessed.

===

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x051b9d78
0x00153be9 in js::detail::HashTable<js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::Entry, js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::Entry::isFree (this=0x51b9d78) at jshashtable.h:80
80              bool isFree() const           { return keyHash == sFreeKey; }
(gdb) bt
#0  0x00153be9 in js::detail::HashTable<js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::Entry, js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::Entry::isFree (this=0x51b9d78) at jshashtable.h:80
#1  0x001559bc in js::detail::HashTable<js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::Entry, js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::lookup (this=0x41032c, l=@0xbfffec44, keyHash=3474517494, collisionBit=0) at jshashtable.h:403
#2  0x00155bcc in js::detail::HashTable<js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::Entry, js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::lookup (this=0x41032c, l=@0xbfffec44) at jshashtable.h:582
#3  0x00155c0a in js::HashMap<long, long, js::WrapperHasher, js::SystemAllocPolicy>::lookup (this=0x41032c, l=@0xbfffec44) at jshashtable.h:804
#4  0x00150e47 in JSCompartment::wrap (this=0x410320, cx=0x809200, vp=0xbfffec44) at ../jswrapper.cpp:336
#5  0x001513b6 in JSCompartment::wrapId (this=0x410320, cx=0x809200, idp=0xbfffed40) at ../jswrapper.cpp:417
#6  0x00152a3b in JSCrossCompartmentWrapper::get (this=0x210114, cx=0x809200, wrapper=0x10022a0, receiver=0x10026e0, id=16778548, vp=0xbfffee50) at ../jswrapper.cpp:652
#7  0x00103b7e in js::JSProxy::get (cx=0x809200, proxy=0x10022a0, receiver=0x10022a0, id=16778548, vp=0xbfffee50) at ../jsproxy.cpp:773
#8  0x00103bc1 in js::proxy_GetProperty (cx=0x809200, obj=0x10022a0, id=16778548, vp=0xbfffee50) at ../jsproxy.cpp:861
#9  0x0000bd89 in JSObject::getProperty (this=0x10022a0, cx=0x809200, id=16778548, vp=0xbfffee50) at jsobj.h:660
#10 0x000c69ef in js_GetMethod (cx=0x809200, obj=0x10022a0, id=16778548, getHow=2, vp=0xbfffee50) at ../jsobj.cpp:4959
#11 0x000c6ab1 in js_TryMethod (cx=0x809200, obj=0x10022a0, atom=0x1000534, argc=0, argv=0x0, rval=0xbfffeea8) at ../jsobj.cpp:5956
#12 0x000c6e32 in js_DefaultValue (cx=0x809200, obj=0x10022a0, hint=JSTYPE_STRING, vp=0xbfffef44) at ../jsobj.cpp:5403
#13 0x00139cf9 in JSObject::defaultValue (this=0x10022a0, cx=0x809200, hint=JSTYPE_STRING, vp=0xbfffef44) at jsobj.h:680
#14 0x00132474 in js_ValueToString (cx=0x809200, v=16786080) at ../jsstr.cpp:3238
#15 0x0001395e in JS_ValueToString (cx=0x809200, v=16786080) at ../jsapi.cpp:424
#16 0x00008789 in Print (cx=0x809200, argc=1, vp=0x5000e4) at ../../shell/js.cpp:1036
#17 0x0009c427 in js_Interpret (cx=0x809200) at jsops.cpp:2145
#18 0x000ae293 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40cf50, down=0x0, flags=0, result=0xbffff738) at jsinterp.cpp:891
#19 0x00015e69 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40cf50, rval=0xbffff738) at ../jsapi.cpp:4751
#20 0x00009895 in Process (cx=0x809200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:522
#21 0x0000a259 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff908, argc=0) at ../../shell/js.cpp:843
#22 0x0000a372 in shell (cx=0x809200, argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5025
#23 0x0000a496 in main (argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5112
(gdb) x/i $eip 
0x153be9 <_ZNK2js6detail9HashTableINS_7HashMapIllNS_13WrapperHasherENS_17SystemAllocPolicyEE5EntryENS5_13MapHashPolicyES4_E5Entry6isFreeEv+9>:  mov    (%eax),%eax
(gdb) x/b $eax
0x51b9d78:      Cannot access memory at address 0x51b9d78
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   44269:3aaaa21012c8
user:        Jason Orendorff
date:        Wed Jun 23 16:35:10 2010 -0500
summary:     Bug 563099 - Compartments and wrappers API. r=gal.
blocking2.0: ? → beta1+
blocking2.0: beta1+ → final+
http://hg.mozilla.org/tracemonkey/rev/49abcb57270a:

$ ./js-dbg-32-tm-darwin ../576742.js 
Segmentation fault
$

http://hg.mozilla.org/tracemonkey/rev/cfdbd2d27b5f (the next changeset, i.e. the patch from bug 576722):

$ ./js-dbg-32-tm-darwin ../576742.js 
$

Seems to be fixed by bug 576722.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Group: core-security
Crash Signature: [@ js::detail::HashTable]
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-