Closed Bug 576744 Opened 15 years ago Closed 15 years ago

TM: Crash [@ JSObject::isNative] or "Assertion failure: hasProperty(sprop),"

Categories

(Core :: JavaScript Engine, defect)

Platform: x86 macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
Tracking Status
blocking2.0 --- beta2+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [ccbr][sg:critical?])

Crash Data

try { gczeal(2) = {} } catch(e) {}
try { switch ("") { case w: } } catch(e) {}
try { (function() { for (y in [('')('')[(0)]]) {} })() } catch(e) {}
try { new([], *::*) } catch(e) {}
try { evalcx('') } catch(e) {}

crashes the js debug shell on TM tip with -j at JSObject::isNative. s-s and assuming [sg:critical?] because this concerns gczeal.

===

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x800040d8
0x0000c7df in JSObject::isNative (this=0x1004e01) at jsobj.h:266
266	    bool isNative() const { return map->ops->isNative(); }
(gdb) bt
#0  0x0000c7df in JSObject::isNative (this=0x1004e01) at jsobj.h:266
#1  0x0008062c in JSObject::scope (this=0x1004e01) at jsscope.h:573
#2  0x000c1865 in js_AllocSlot (cx=0x809200, obj=0x1004e01, slotp=0xbfffe8c0) at ../jsobj.cpp:3973
#3  0x0012a079 in JSScope::getChildProperty (this=0x40d730, cx=0x809200, parent=0x866bb0, child=@0xbfffe8b4) at ../jsscope.cpp:565
#4  0x0012a3ee in JSScope::addPropertyHelper (this=0x40d730, cx=0x809200, id=16779124, getter=0, setter=0, slot=4294967295, attrs=0, flags=0, shortid=0, spp=0x866bc4) at ../jsscope.cpp:874
#5  0x0012a624 in JSScope::putProperty (this=0x40d730, cx=0x809200, id=16779124, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, slot=4294967295, attrs=0, flags=0, shortid=0) at ../jsscope.cpp:931
#6  0x000c4a33 in js_DefineNativeProperty (cx=0x809200, obj=0x1004e70, id=16779124, value=16798088, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, attrs=0, flags=0, shortid=0, propp=0x0, defineHow=0) at ../jsobj.cpp:4306
#7  0x000c4cde in js_DefineProperty (cx=0x809200, obj=0x1004e70, id=16779124, value=16798088, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, attrs=0) at ../jsobj.cpp:4170
#8  0x00025fa4 in JSObject::defineProperty (this=0x1004e70, cx=0x809200, id=16779124, value=16798088, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, attrs=0) at jsobj.h:656
#9  0x0006de3e in js_DefineFunction (cx=0x809200, obj=0x1004e70, atom=0x1000774, native=0xcaa19 <obj_getPrototypeOf(JSContext*, unsigned int, long*)>, nargs=1, attrs=2048) at ../jsfun.cpp:2552
#10 0x00016dbd in JS_DefineFunction (cx=0x809200, obj=0x1004e70, name=0x1ef6ed "getPrototypeOf", call=0xcaa19 <obj_getPrototypeOf(JSContext*, unsigned int, long*)>, nargs=1, attrs=6144) at ../jsapi.cpp:4373
#11 0x00018379 in JS_DefineFunctions (cx=0x809200, obj=0x1004e70, fs=0x20a620) at ../jsapi.cpp:4358
#12 0x000c7602 in js_InitClass (cx=0x809200, obj=0x10022a0, parent_proto=0x0, clasp=0x20a300, constructor=0xc7db0 <js_Object>, nargs=1, ps=0x20a520, fs=0x20a540, static_ps=0x0, static_fs=0x20a620) at ../jsobj.cpp:3542
#13 0x000c776e in js_InitObjectClass (cx=0x809200, obj=0x10022a0) at ../jsobj.cpp:3351
#14 0x00019ac7 in js_InitFunctionAndObjectClasses (cx=0x809200, obj=0x10022a0) at ../jsapi.cpp:1226
#15 0x00019cca in JS_InitStandardClasses (cx=0x809200, obj=0x10022a0) at ../jsapi.cpp:1271
#16 0x0000596b in NewSandbox (cx=0x809200, lazy=false, split=false) at ../../shell/js.cpp:2939
#17 0x00005c56 in EvalInContext (cx=0x809200, obj=0x1002000, argc=1, argv=0x5000e8, rval=0x500130) at ../../shell/js.cpp:2981
#18 0x000afc45 in js::callJSNative (cx=0x809200, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1002000, argc=1, argv=0x5000e8, rval=0x500130) at jscntxtinlines.h:339
#19 0x000ac3a1 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x809200, fun=0x1003e00, script=0x0, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0xbffff2cc, flags=2) at jsinterp.cpp:591
#20 0x000aebfa in js_Invoke (cx=0x809200, args=@0xbffff2cc, flags=2) at jsinterp.cpp:693
#21 0x0009c595 in js_Interpret (cx=0x809200) at jsops.cpp:2155
#22 0x000ae293 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40cf60, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#23 0x00015e69 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40cf60, rval=0x0) at ../jsapi.cpp:4751
#24 0x00009526 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff9cd "w1536-cj-in.js", forceTTY=0) at ../../shell/js.cpp:429
#25 0x0000a259 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff8e0, argc=2) at ../../shell/js.cpp:843
#26 0x0000a372 in shell (cx=0x809200, argc=2, argv=0xbffff8e0, envp=0xbffff8ec) at ../../shell/js.cpp:5025
#27 0x0000a496 in main (argc=2, argv=0xbffff8e0, envp=0xbffff8ec) at ../../shell/js.cpp:5112
(gdb) x/i $eip
0xc7df <_ZNK8JSObject8isNativeEv+11>:	mov    (%eax),%eax
(gdb) x/b $eax
0x800040d8:	Cannot access memory at address 0x800040d8
try { a = (gczeal(2) = {})(); } catch(e) {}
try { switch ("".@f) { case indow: } } catch(e) {}
try { with({ a: x }) { } } catch(e) {}
try { (function() { for each(let y in [ "", , "", , , , "", , , [0], [0], , , , , , , "", [o], g("") ]) { yield; } } ()); e = (new eval([z], *::*))(); } catch(e) {}
try { switch (evalcx("")) { } } catch(e) {}

asserts the js debug shell on TM tip with -j at Assertion failure: hasProperty(sprop), at ../jsscopeinlines.h:204 when passed in as a CLI argument.
See comment #1 for the testcase:

Assertion failure: hasProperty(sprop), at ../jsscopeinlines.h:204

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb31 in JS_Assert (s=0x1f799e "hasProperty(sprop)", file=0x1e6d38 "../jsscopeinlines.h", ln=204) at ../jsutil.cpp:77
77	    *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0014fb31 in JS_Assert (s=0x1f799e "hasProperty(sprop)", file=0x1e6d38 "../jsscopeinlines.h", ln=204) at ../jsutil.cpp:77
#1  0x000cef8f in JSScope::trace (this=0x40dee0, trc=0xbfffe8a0) at jsscopeinlines.h:204
#2  0x000c147a in js_TraceObject (trc=0xbfffe8a0, obj=0x1005ea8) at ../jsobj.cpp:6153
#3  0x00078569 in JS_TraceChildren (trc=0xbfffe8a0, thing=0x1005ea8, kind=0) at ../jsgc.cpp:2086
#4  0x00078bcb in js_CallGCMarker (trc=0xbfffe8a0, thing=0x1005ea8, kind=0) at ../jsgc.cpp:2356
#5  0x000c1682 in js_TraceObject (trc=0xbfffe8a0, obj=0x10022c0) at ../jsobj.cpp:6191
#6  0x00078569 in JS_TraceChildren (trc=0xbfffe8a0, thing=0x10022c0, kind=0) at ../jsgc.cpp:2086
#7  0x00078bcb in js_CallGCMarker (trc=0xbfffe8a0, thing=0x10022c0, kind=0) at ../jsgc.cpp:2356
#8  0x00012d71 in JS_CallTracer (trc=0xbfffe8a0, thing=0x10022c0, kind=0) at ../jsapi.cpp:2037
#9  0x000cf0bd in JSObject::traceProtoAndParent (this=0x10023c0, trc=0xbfffe8a0) at jsobj.h:395
#10 0x000c154a in js_TraceObject (trc=0xbfffe8a0, obj=0x10023c0) at ../jsobj.cpp:6171
#11 0x00078569 in JS_TraceChildren (trc=0xbfffe8a0, thing=0x10023c0, kind=0) at ../jsgc.cpp:2086
#12 0x00078bcb in js_CallGCMarker (trc=0xbfffe8a0, thing=0x10023c0, kind=0) at ../jsgc.cpp:2356
#13 0x00012d71 in JS_CallTracer (trc=0xbfffe8a0, thing=0x10023c0, kind=0) at ../jsapi.cpp:2037
#14 0x00078dd8 in JSWeakRoots::mark (this=0xbfffe988, trc=0xbfffe8a0) at ../jsgc.cpp:2527
#15 0x00083f75 in js::AutoGCRooter::trace (this=0xbfffe97c, trc=0xbfffe8a0) at ../jsgc.cpp:2552
#16 0x0007906b in js_TraceContext (trc=0xbfffe8a0, acx=0x809200) at ../jsgc.cpp:2652
#17 0x0007aee0 in js_TraceRuntime (trc=0xbfffe8a0) at ../jsgc.cpp:2688
#18 0x0007b0c5 in GC (cx=0x809200) at ../jsgc.cpp:3269
#19 0x0007b3ee in GCUntilDone (cx=0x809200, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3653
#20 0x0007b534 in js_GC (cx=0x809200, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3707
#21 0x0007b641 in LastDitchGC (cx=0x809200) at ../jsgc.cpp:1737
#22 0x0007bf92 in RefillFinalizableFreeList (cx=0x809200, thingKind=0) at ../jsgc.cpp:1761
#23 0x0007c204 in js_NewFinalizableGCThing (cx=0x809200, thingKind=0) at ../jsgc.cpp:1849
#24 0x000beeb9 in js_NewGCObject (cx=0x809200) at jsgc.h:279
#25 0x000c0e15 in js::NewObjectWithGivenProto (cx=0x809200, clasp=0x2083a0, proto=0x10023c0, parent=0x10022c0) at jsobjinlines.h:756
#26 0x000c7156 in js::NewObject (cx=0x809200, clasp=0x2083a0, proto=0x10023c0, parent=0x10022c0) at jsobjinlines.h:829
#27 0x000c7237 in js_InitClass (cx=0x809200, obj=0x10022c0, parent_proto=0x10023c0, clasp=0x2083a0, constructor=0x2b466 <js_Array>, nargs=1, ps=0x0, fs=0x208460, static_ps=0x0, static_fs=0x2085e0) at ../jsobj.cpp:3473
#28 0x00018ae6 in JS_InitClass (cx=0x809200, obj=0x10022c0, parent_proto=0x0, clasp=0x2083a0, constructor=0x2b466 <js_Array>, nargs=1, ps=0x0, fs=0x208460, static_ps=0x0, static_fs=0x2085e0) at ../jsapi.cpp:2778
#29 0x0002afc1 in js_InitArrayClass (cx=0x809200, obj=0x10022c0) at ../jsarray.cpp:3166
#30 0x00019cf1 in JS_InitStandardClasses (cx=0x809200, obj=0x10022c0) at ../jsapi.cpp:1291
#31 0x0000596b in NewSandbox (cx=0x809200, lazy=false, split=false) at ../../shell/js.cpp:2939
#32 0x00005c56 in EvalInContext (cx=0x809200, obj=0x1002000, argc=1, argv=0x5000e8, rval=0x500130) at ../../shell/js.cpp:2981
#33 0x000afc45 in js::callJSNative (cx=0x809200, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1002000, argc=1, argv=0x5000e8, rval=0x500130) at jscntxtinlines.h:339
#34 0x000ac3a1 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x809200, fun=0x1003e00, script=0x0, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0xbffff2cc, flags=2) at jsinterp.cpp:591
#35 0x000aebfa in js_Invoke (cx=0x809200, args=@0xbffff2cc, flags=2) at jsinterp.cpp:693
#36 0x0009c595 in js_Interpret (cx=0x809200) at jsops.cpp:2155
#37 0x000ae293 in js_Execute (cx=0x809200, chain=0x1002000, script=0x800c00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#38 0x00015e69 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x800c00, rval=0x0) at ../jsapi.cpp:4751
#39 0x00009526 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff9d5 "1536red.js", forceTTY=0) at ../../shell/js.cpp:429
#40 0x0000a259 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff8e8, argc=2) at ../../shell/js.cpp:843
#41 0x0000a372 in shell (cx=0x809200, argc=2, argv=0xbffff8e8, envp=0xbffff8f4) at ../../shell/js.cpp:5025
#42 0x0000a496 in main (argc=2, argv=0xbffff8e8, envp=0xbffff8f4) at ../../shell/js.cpp:5112
This asserts differently on JM branch with -j and -m:

Assertion failure: !(addr & GC_CELL_MASK), at ../jsgc.cpp:417

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0015f9ad in JS_Assert (s=0x24294b "!(addr & GC_CELL_MASK)", file=0x242834 "../jsgc.cpp", ln=417) at ../jsutil.cpp:77
77	    *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0015f9ad in JS_Assert (s=0x24294b "!(addr & GC_CELL_MASK)", file=0x242834 "../jsgc.cpp", ln=417) at ../jsutil.cpp:77
#1  0x0008387e in CheckValidGCThingPtr (thing=0x705001) at ../jsgc.cpp:417
#2  0x000838c5 in JSGCArenaInfo::fromGCThing (thing=0x705001) at ../jsgc.cpp:426
#3  0x0007a964 in GetFinalizableThingTraceKind (thing=0x705001) at ../jsgc.cpp:805
#4  0x0007e5c7 in js::Mark (trc=0xbfffdeb0, thing=0x705001, kind=0) at ../jsgc.cpp:2147
#5  0x000c83be in js::MarkValueRaw (trc=0xbfffdeb0, v=@0x50d768) at jsgc.h:568
#6  0x000cb140 in js_TraceObject (trc=0xbfffdeb0, obj=0x7014d0) at ../jsobj.cpp:6146
#7  0x0007e004 in JS_TraceChildren (trc=0xbfffdeb0, thing=0x7014d0, kind=0) at ../jsgc.cpp:1900
#8  0x0007e645 in js::Mark (trc=0xbfffdeb0, thing=0x7014d0, kind=0) at ../jsgc.cpp:2166
#9  0x00015656 in JS_CallTracer (trc=0xbfffdeb0, thing=0x7014d0, kind=0) at ../jsapi.cpp:1963
#10 0x0007eced in JSWeakRoots::mark (this=0xbfffdf8c, trc=0xbfffdeb0) at ../jsgc.cpp:2311
#11 0x000899ac in js::AutoGCRooter::trace (this=0xbfffdf80, trc=0xbfffdeb0) at ../jsgc.cpp:2333
#12 0x0007ee2b in js_TraceContext (trc=0xbfffdeb0, acx=0x809200) at ../jsgc.cpp:2441
#13 0x00080abd in js_TraceRuntime (trc=0xbfffdeb0) at ../jsgc.cpp:2476
#14 0x00080ca2 in GC (cx=0x809200) at ../jsgc.cpp:3022
#15 0x00080fc0 in GCUntilDone (cx=0x809200, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3403
#16 0x00081106 in js_GC (cx=0x809200, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3457
#17 0x00081213 in LastDitchGC (cx=0x809200) at ../jsgc.cpp:1718
#18 0x0008179d in RefillFinalizableFreeList (cx=0x809200, thingKind=0) at ../jsgc.cpp:1742
#19 0x00081a17 in js_NewFinalizableGCThing (cx=0x809200, thingKind=0) at ../jsgc.cpp:1830
#20 0x000c8a07 in js_NewGCObject (cx=0x809200) at jsgc.h:254
#21 0x000ca940 in js::NewObjectWithGivenProto (cx=0x809200, clasp=0x265d40, proto=0x7014d0, parent=0x701498) at jsobjinlines.h:751
#22 0x000d0b03 in js::NewObject (cx=0x809200, clasp=0x265d40, proto=0x7014d0, parent=0x701498) at jsobjinlines.h:824
#23 0x000d0bf3 in js_InitClass (cx=0x809200, obj=0x701498, parent_proto=0x7014d0, clasp=0x265d40, constructor=0x2eda7 <js_Array(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)>, nargs=1, ps=0x0, fs=0x265e40, static_ps=0x0, static_fs=0x265fc0) at ../jsobj.cpp:3459
#24 0x0002ed46 in js_InitArrayClass (cx=0x809200, obj=0x701498) at ../jsarray.cpp:3098
#25 0x0001ca56 in JS_InitStandardClasses (cx=0x809200, obj=0x701498) at ../jsapi.cpp:1260
#26 0x000081e9 in NewSandbox (cx=0x809200, lazy=false, split=false) at ../../shell/js.cpp:2950
#27 0x000084de in EvalInContext (cx=0x809200, obj=0x701000, argc=1, argv=0x1000130, rval=0x1000180) at ../../shell/js.cpp:2992
#28 0x000b7898 in js::callJSNative (cx=0x809200, native=0x8389 <EvalInContext(JSContext*, JSObject*, unsigned int, jsval_layout*, jsval_layout*)>, thisobj=0x701000, argc=1, argv=0x1000130, rval=0x1000180) at jscntxtinlines.h:355
#29 0x000b5939 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> (cx=0x809200, fun=0x703410, script=0x0, native=0x8389 <EvalInContext(JSContext*, JSObject*, unsigned int, jsval_layout*, jsval_layout*)>, args=@0xbfffed28, flags=0) at jsinterp.cpp:626
#30 0x000b6601 in js::Invoke (cx=0x809200, args=@0xbfffed28, flags=0) at jsinterp.cpp:727
#31 0x000a2a96 in js::Interpret (cx=0x809200) at jsops.cpp:2368
#32 0x000b4aaa in js::RunScript (cx=0x809200, script=0x50d190, fun=0x0, scopeChain=0x701000) at jsinterp.cpp:469
#33 0x000b6002 in js::Execute (cx=0x809200, chain=0x701000, script=0x50d190, down=0x0, flags=0, result=0x0) at jsinterp.cpp:931
#34 0x000173d6 in JS_ExecuteScript (cx=0x809200, obj=0x701000, script=0x50d190, rval=0x0) at ../jsapi.cpp:4637
#35 0x0000be19 in Process (cx=0x809200, obj=0x701000, filename=0xbffff986 "576744.js", forceTTY=0) at ../../shell/js.cpp:440
#36 0x0000cb8b in ProcessArgs (cx=0x809200, obj=0x701000, argv=0xbffff86c, argc=3) at ../../shell/js.cpp:860
#37 0x0000cca4 in shell (cx=0x809200, argc=3, argv=0xbffff86c, envp=0xbffff87c) at ../../shell/js.cpp:5038
#38 0x0000cdc8 in main (argc=3, argv=0xbffff86c, envp=0xbffff87c) at ../../shell/js.cpp:5129
blocking2.0: --- → beta2+
does this affect the branches or not?
http://hg.mozilla.org/tracemonkey/rev/49abcb57270a :

$ ./js-dbg-32-tm-darwin ../576744.js
Segmentation fault
$

http://hg.mozilla.org/tracemonkey/rev/cfdbd2d27b5f (the next changeset, i.e. the patch from bug 576722) :

$ ./js-dbg-32-tm-darwin ../576744.js
$

Seems to be fixed by bug 576722.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
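Comment 0, comment 1 and comment 6 are three outcomes of the same check: run the debug shell with -j on the testcase and look at how it exited (raw segfault in JSObject::isNative, an "Assertion failure:" from JS_Assert, or a clean exit on the changeset after the fix). The crash and the JM-branch assertion also point at the same defect from two sides: the isNative frame dereferences this=0x1004e01 and the GC_CELL_MASK assertion fires on thing=0x705001, both pointers with the low bit set, which is exactly what !(addr & GC_CELL_MASK) rejects. The POSIX shell script below is an added example for that triage step; it is not code from this bug or from the SpiderMonkey tree. It assumes the caller supplies the shell binary, the -j flag and the testcase path (the two binary names in the usage comment are hypothetical, built from the two changesets in comment 6), and it relies on POSIX shells reporting death by signal N as exit status 128+N. The "Assertion failure:" prefix is checked before the signal because, as the JS_Assert frames above show, an assertion ends in a deliberate NULL write and would otherwise be classified as just another segfault.

```shell
#!/bin/sh
# Added example: js-shell crash triage helpers. Not from bug 576744 or the
# SpiderMonkey tree. Assumes the js shell path, flags and testcase are given
# by the caller.

# classify_run CMD [ARGS...]
# Runs CMD with stdout discarded and stderr captured, then prints one of:
#   assert      stderr contains a JS_Assert "Assertion failure:" line
#   signal:N    process died from signal N (exit status 128+N)
#   exit:N      process exited with non-zero status N (no signal)
#   clean       exit status 0
# The assertion text is checked first: JS_Assert prints the message and then
# writes to NULL, so without this check every assertion looks like a segfault.
classify_run() {
    err=$(mktemp) || return 1
    rc=0
    "$@" >/dev/null 2>"$err" || rc=$?
    if grep -q '^Assertion failure:' "$err"; then
        rm -f "$err"
        echo "assert"
        return 0
    fi
    rm -f "$err"
    # POSIX sh reports death by signal N as 128+N. A program that exits
    # with an explicit status above 128 would be misreported here; the js
    # shell does not do that for the testcases on this page.
    if [ "$rc" -gt 128 ]; then
        echo "signal:$((rc - 128))"
    elif [ "$rc" -ne 0 ]; then
        echo "exit:$rc"
    else
        echo "clean"
    fi
}

# check_fix BAD_SHELL GOOD_SHELL TESTCASE
# The comment-6 check: the testcase must crash or assert on the shell built
# before the fix and exit cleanly on the one built after it. Prints
# "fixed", "not-reproduced" (the supposedly bad shell did not fail, so the
# testcase is not exercising the bug) or "still-broken".
check_fix() {
    bad_shell=$1 good_shell=$2 testcase=$3
    before=$(classify_run "$bad_shell" -j "$testcase")
    after=$(classify_run "$good_shell" -j "$testcase")
    case "$before" in
        clean) echo "not-reproduced ($before -> $after)"; return 0 ;;
    esac
    case "$after" in
        clean) echo "fixed ($before -> $after)" ;;
        *)     echo "still-broken ($before -> $after)" ;;
    esac
}

# Usage (hypothetical binary names, one per changeset from comment 6):
#   check_fix ./js-dbg-32-tm-49abcb57270a ./js-dbg-32-tm-cfdbd2d27b5f 576744.js
```

Running the debug shell rather than an optimized one matters for the first branch of the classifier: only a debug build has JS_Assert compiled in, which is why comment 0 and comment 1 see different symptoms from the same kind of bad pointer.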
(In reply to comment #5)
> does this affect the branches or not?

Doesn't seem to affect 1.9.2/1.9.1, but I'd be happier with the "regression" keyword if it pinned down a regression range.
The first bad revision is:

changeset:   dd5f9c7c8c0f
user:        Jeff Walden
date:        Sat Jun 26 14:08:58 2010 -0700
summary:     Bug 574992 - Make Date.prototype.toGMTString a normal, non-enumerable, non-alias property; also fixes a failure (with Object.getOwnPropertyNames support) in the MS ES5 tests. r=brendan

Seems like strange blame to me.
Crash Signature: [@ JSObject::isNative]
Verified 1.9.x to be unaffected by the test in comment 0 and comment 1.
Group: core-security
Status: RESOLVED → VERIFIED
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-