Closed Bug 578015 Opened 15 years ago Closed 15 years ago

Crash [@ PropDesc::initialize] or "Assertion failure: &obj != NULL,"

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

(function () {
  x = Proxy.createFunction((function () {
    return { getOwnPropertyDescriptor: function () { return this }, get: undefined }
  })(), Object.getOwnPropertyDescriptor)
})()
x(x)

asserts js debug shell on moo tip changeset 60c111fc0d4b without -m or -j at

Assertion failure: &obj != NULL, at ../../jsvalue.h:356

(Does not assert in 64-bit TM tip shell)

Only tested on 64-bit Ubuntu 10.04.
(gdb) bt
#0  0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x000000000053e000 in JS_Assert (s=0x57e2d0 "&obj != NULL", file=0x57e2c0 "../../jsvalue.h", ln=356) at ../jsutil.cpp:80
#2  0x000000000040dfc6 in js::Value::setObject (this=0x7fffffffc4b0, obj=...) at ../../jsvalue.h:356
#3  0x00000000004f51ef in ObjectValue (obj=...) at ../jsvalue.h:692
#4  0x00000000004faca4 in js::CastAsObjectJsval (op=0) at ../jsobj.h:84
#5  0x00000000004f7493 in MakePropertyDescriptorObject (cx=0x82a1a0, id=..., desc=0x7fffffffc5a8, vp=0x7ffff6a8a2c0) at ../jsproxy.cpp:382
#6  0x00000000004f8f67 in js::JSProxy::getOwnPropertyDescriptor (cx=0x82a1a0, proxy=0x7ffff69012d0, id=..., vp=0x7ffff6a8a2c0) at ../jsproxy.cpp:691
#7  0x00000000004adaca in js_GetOwnPropertyDescriptor (cx=0x82a1a0, obj=0x7ffff69012d0, id=..., vp=0x7ffff6a8a2c0) at ../jsobj.cpp:1766
#8  0x00000000004adf34 in obj_getOwnPropertyDescriptor (cx=0x82a1a0, argc=1, vp=0x7ffff6a8a2c0) at ../jsobj.cpp:1842
#9  0x0000000000499a96 in js::callJSFastNative (cx=0x82a1a0, native=0x4ade23 <obj_getOwnPropertyDescriptor>, argc=1, vp=0x7ffff6a8a2c0) at ../jscntxtinlines.h:365
#10 0x000000000049869f in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x82a1a0, fun=0x7ffff69029d8, script=0x0, native=0x4ade23 <obj_getOwnPropertyDescriptor>, args=..., flags=0) at ../jsinterp.cpp:488
#11 0x00000000004960ca in js::Invoke (cx=0x82a1a0, args=..., flags=0) at ../jsinterp.cpp:719
#12 0x0000000000496343 in js::InternalInvoke (cx=0x82a1a0, thisv=..., fval=..., flags=0, argc=1, argv=0x7ffff6a8a1b0, rval=0x7fffffffca68) at ../jsinterp.cpp:771
#13 0x00000000004f6d5e in js::JSProxyHandler::call (this=0x7fc940, cx=0x82a1a0, proxy=0x7ffff69012d0, argc=1, vp=0x7ffff6a8a1a0) at ../jsproxy.cpp:253
#14 0x00000000004f960e in js::JSProxy::call (cx=0x82a1a0, proxy=0x7ffff69012d0, argc=1, vp=0x7ffff6a8a1a0) at ../jsproxy.cpp:784
#15 0x00000000004f9d89 in js::proxy_Call (cx=0x82a1a0, argc=1, vp=0x7ffff6a8a1a0) at ../jsproxy.cpp:966
#16 0x0000000000499a96 in js::callJSFastNative (cx=0x82a1a0, native=0x4f9d23 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, argc=1, vp=0x7ffff6a8a1a0) at ../jscntxtinlines.h:365
#17 0x0000000000495d41 in callJSNative (cx=0x82a1a0, callOp=0x4f9d23 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, thisp=0x0, argc=1, argv=0x7ffff6a8a1b0, rval=0x7ffff6a8a238) at ../jsinterp.cpp:469
#18 0x00000000004995a7 in InvokeCommon<JSBool (*)(JSContext*, uintN, js::Value*)> (cx=0x82a1a0, fun=0x0, script=0x0, native=0x4f9d23 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, args=..., flags=0) at ../jsinterp.cpp:618
#19 0x0000000000496230 in js::Invoke (cx=0x82a1a0, args=..., flags=0) at ../jsinterp.cpp:748
#20 0x0000000000571797 in js::Interpret (cx=0x82a1a0) at ../jsops.cpp:2360
#21 0x0000000000495ce4 in js::RunScript (cx=0x82a1a0, script=0x835b00, fun=0x0, scopeChain=0x7ffff6901000) at ../jsinterp.cpp:462
#22 0x0000000000496a96 in js::Execute (cx=0x82a1a0, chain=0x7ffff6901000, script=0x835b00, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:923
#23 0x0000000000428656 in JS_ExecuteScript (cx=0x82a1a0, obj=0x7ffff6901000, script=0x835b00, rval=0x0) at ../jsapi.cpp:4637
#24 0x000000000040493a in Process (cx=0x82a1a0, obj=0x7ffff6901000, filename=0x7fffffffe5cb "w548-reduced.js", forceTTY=0) at ../../shell/js.cpp:440
#25 0x000000000040572a in ProcessArgs (cx=0x82a1a0, obj=0x7ffff6901000, argv=0x7fffffffe2c0, argc=1) at ../../shell/js.cpp:860
#26 0x000000000040dadd in shell (cx=0x82a1a0, argc=1, argv=0x7fffffffe2c0, envp=0x7fffffffe2d0) at ../../shell/js.cpp:5038
#27 0x000000000040dbed in main (argc=1, argv=0x7fffffffe2c0, envp=0x7fffffffe2d0) at ../../shell/js.cpp:5129
I get this assert on fatval-tip, but not tm-tip. Maybe existing bug that better asserts are catching?
Summary: JM: "Assertion failure: &obj != NULL," → "Assertion failure: &obj != NULL,"
Yeah, does seem to be fatval-related.
No longer blocks: JaegerFuzz
Summary: "Assertion failure: &obj != NULL," → FV: "Assertion failure: &obj != NULL,"
Now fatval has landed, this is now in TM:

(x = Proxy.createFunction((function() {
  return {
    defineProperty: function(name, desc) { Object.defineProperty(x, name, desc) },
  }
})(), (eval)));
Object.defineProperty(x, "", ({ get: Math.w }))

causes a null crash on TM tip without -j at PropDesc::initialize on a js opt shell, and asserts similarly on a debug shell.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00080e92 in PropDesc::initialize ()
(gdb) bt
#0  0x00080e92 in PropDesc::initialize ()
#1  0x00086d26 in js_DefineOwnProperty ()
#2  0x00088a3c in obj_defineProperty ()
#3  0x00065a7c in js::Interpret ()
#4  0x0006e181 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> ()
#5  0x0006ef3d in js::Invoke ()
#6  0x0006f943 in js::InternalInvoke ()
#7  0x000c5802 in js::JSScriptedProxyHandler::defineProperty ()
#8  0x000c372f in js::JSProxy::defineProperty ()
#9  0x00086aa4 in DefineProperty ()
#10 0x00086d74 in js_DefineOwnProperty ()
#11 0x00088a3c in obj_defineProperty ()
#12 0x00065a7c in js::Interpret ()
#13 0x0006e65b in js::Execute ()
#14 0x00014a18 in JS_ExecuteScript ()
#15 0x00005fcc in Process ()
#16 0x00009826 in shell ()
#17 0x00009d37 in main ()
(gdb) x/i $eip
0x80e92 <_ZN8PropDesc10initializeEP9JSContextiRKN2js5ValueE+1282>: mov (%edx),%eax
(gdb) x/b $edx
0x0: Cannot access memory at address 0x0
blocking2.0: --- → ?
Keywords: crash
OS: Linux → All
Hardware: x86_64 → All
Summary: FV: "Assertion failure: &obj != NULL," → Crash [@ PropDesc::initialize] or "Assertion failure: &obj != NULL,"
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 47546:9c869e64ee26
user: Luke Wagner
date: Wed Jul 14 23:19:36 2010 -0700
summary: Bug 549143 - fatvals
Blocks: fatvals
Attached patch: fix
Ah, desc.getter can be null.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #457902 - Flags: review?(dmandelin)
Attachment #457902 - Flags: review?(dmandelin) → review+
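Added illustration of the input class behind this bug (example code written for this page, not from the bug's testcases, the attached patch, or SpiderMonkey). Both testcases hand the engine an accessor descriptor whose getter slot is undefined: `get: undefined` in the first, and `Math.w`, a property that does not exist, in the second. A descriptor-initialization routine has to treat that slot as optional, which is what "desc.getter can be null" boils down to. The block uses the modern Proxy/Reflect API, since Proxy.createFunction no longer exists, and shows how an engine normalises such a descriptor instead of dereferencing a missing getter; the target, handler and function names are made up for the example.

```javascript
// Example written for this page, not code from the bug or from SpiderMonkey.
// Uses the modern Proxy/Reflect API; the original testcases used the old
// Proxy.createFunction API. All names below are made up for the example.

// Builds a proxy whose traps surface accessor descriptors with no getter.
function makeProxyWithUndefinedGetter() {
  const target = {};
  const handler = {
    getOwnPropertyDescriptor(t, name) {
      if (name === "x") {
        // { get: undefined } is a legal accessor descriptor per the spec;
        // the engine must accept an absent getter, not dereference it.
        return { get: undefined, configurable: true };
      }
      return Reflect.getOwnPropertyDescriptor(t, name);
    },
    defineProperty(t, name, desc) {
      // Forward unchanged; desc may arrive as { get: undefined }.
      return Reflect.defineProperty(t, name, desc);
    },
  };
  return new Proxy(target, handler);
}

// Mirrors the first testcase: read a descriptor back through the
// getOwnPropertyDescriptor trap. The engine completes the accessor
// descriptor (set and enumerable filled in) and the getter stays undefined.
function describeThroughProxy() {
  const p = makeProxyWithUndefinedGetter();
  const desc = Object.getOwnPropertyDescriptor(p, "x");
  return {
    isAccessor: "get" in desc,           // true
    getterIsUndefined: desc.get === undefined, // true
    setterIsUndefined: desc.set === undefined, // filled in as undefined
    enumerable: desc.enumerable,         // filled in as false
    configurable: desc.configurable,     // true, as the trap said
    readValue: p.x,                      // undefined: no getter to call
  };
}

// Mirrors the second testcase: defineProperty through the proxy with an
// undefined getter must succeed and create an accessor with no getter.
function defineThroughProxy() {
  const p = makeProxyWithUndefinedGetter();
  Object.defineProperty(p, "", { get: undefined });
  const desc = Object.getOwnPropertyDescriptor(p, "");
  return {
    defined: desc !== undefined,          // true
    hasGetKey: "get" in desc,             // true: it is an accessor
    getterIsUndefined: desc.get === undefined, // true
    configurable: desc.configurable,      // false: defaults for a new property
    readValue: p[""],                     // undefined
  };
}
```

Both functions return plain objects so the normalised descriptor can be inspected or asserted on; running `describeThroughProxy()` and `defineThroughProxy()` in Node is enough to see the completed descriptors.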
Whiteboard: fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
Crash Signature: [@ PropDesc::initialize]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+