Closed Bug 578015 Opened 14 years ago Closed 14 years ago

Crash [@ PropDesc::initialize] or "Assertion failure: &obj != NULL,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

fix
1.20 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
(function () {
    x = Proxy.createFunction((function () {
        return {
            getOwnPropertyDescriptor: function () {
                return this
            },
            get: undefined
        }
    })(), Object.getOwnPropertyDescriptor)
})()
x(x)

asserts js debug shell on moo tip changeset 60c111fc0d4b without -m or -j at Assertion failure: &obj != NULL, at ../../jsvalue.h:356

(Does not assert in 64-bit TM tip shell)

Only tested on 64-bit Ubuntu 10.04.
(gdb) bt
#0  0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x000000000053e000 in JS_Assert (s=0x57e2d0 "&obj != NULL", file=0x57e2c0 "../../jsvalue.h", ln=356) at ../jsutil.cpp:80
#2  0x000000000040dfc6 in js::Value::setObject (this=0x7fffffffc4b0, obj=...) at ../../jsvalue.h:356
#3  0x00000000004f51ef in ObjectValue (obj=...) at ../jsvalue.h:692
#4  0x00000000004faca4 in js::CastAsObjectJsval (op=0) at ../jsobj.h:84
#5  0x00000000004f7493 in MakePropertyDescriptorObject (cx=0x82a1a0, id=..., desc=0x7fffffffc5a8, vp=0x7ffff6a8a2c0) at ../jsproxy.cpp:382
#6  0x00000000004f8f67 in js::JSProxy::getOwnPropertyDescriptor (cx=0x82a1a0, proxy=0x7ffff69012d0, id=..., vp=0x7ffff6a8a2c0) at ../jsproxy.cpp:691
#7  0x00000000004adaca in js_GetOwnPropertyDescriptor (cx=0x82a1a0, obj=0x7ffff69012d0, id=..., vp=0x7ffff6a8a2c0) at ../jsobj.cpp:1766
#8  0x00000000004adf34 in obj_getOwnPropertyDescriptor (cx=0x82a1a0, argc=1, vp=0x7ffff6a8a2c0) at ../jsobj.cpp:1842
#9  0x0000000000499a96 in js::callJSFastNative (cx=0x82a1a0, native=0x4ade23 <obj_getOwnPropertyDescriptor>, argc=1, vp=0x7ffff6a8a2c0) at ../jscntxtinlines.h:365
#10 0x000000000049869f in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x82a1a0, fun=0x7ffff69029d8, script=0x0, native=0x4ade23 <obj_getOwnPropertyDescriptor>, args=..., flags=0)
    at ../jsinterp.cpp:488
#11 0x00000000004960ca in js::Invoke (cx=0x82a1a0, args=..., flags=0) at ../jsinterp.cpp:719
#12 0x0000000000496343 in js::InternalInvoke (cx=0x82a1a0, thisv=..., fval=..., flags=0, argc=1, argv=0x7ffff6a8a1b0, rval=0x7fffffffca68) at ../jsinterp.cpp:771
#13 0x00000000004f6d5e in js::JSProxyHandler::call (this=0x7fc940, cx=0x82a1a0, proxy=0x7ffff69012d0, argc=1, vp=0x7ffff6a8a1a0) at ../jsproxy.cpp:253
#14 0x00000000004f960e in js::JSProxy::call (cx=0x82a1a0, proxy=0x7ffff69012d0, argc=1, vp=0x7ffff6a8a1a0) at ../jsproxy.cpp:784
#15 0x00000000004f9d89 in js::proxy_Call (cx=0x82a1a0, argc=1, vp=0x7ffff6a8a1a0) at ../jsproxy.cpp:966
#16 0x0000000000499a96 in js::callJSFastNative (cx=0x82a1a0, native=0x4f9d23 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, argc=1, vp=0x7ffff6a8a1a0) at ../jscntxtinlines.h:365
#17 0x0000000000495d41 in callJSNative (cx=0x82a1a0, callOp=0x4f9d23 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, thisp=0x0, argc=1, argv=0x7ffff6a8a1b0, rval=0x7ffff6a8a238) at ../jsinterp.cpp:469
#18 0x00000000004995a7 in InvokeCommon<JSBool (*)(JSContext*, uintN, js::Value*)> (cx=0x82a1a0, fun=0x0, script=0x0, native=0x4f9d23 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, args=..., flags=0) at ../jsinterp.cpp:618
#19 0x0000000000496230 in js::Invoke (cx=0x82a1a0, args=..., flags=0) at ../jsinterp.cpp:748
#20 0x0000000000571797 in js::Interpret (cx=0x82a1a0) at ../jsops.cpp:2360
#21 0x0000000000495ce4 in js::RunScript (cx=0x82a1a0, script=0x835b00, fun=0x0, scopeChain=0x7ffff6901000) at ../jsinterp.cpp:462
#22 0x0000000000496a96 in js::Execute (cx=0x82a1a0, chain=0x7ffff6901000, script=0x835b00, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:923
#23 0x0000000000428656 in JS_ExecuteScript (cx=0x82a1a0, obj=0x7ffff6901000, script=0x835b00, rval=0x0) at ../jsapi.cpp:4637
#24 0x000000000040493a in Process (cx=0x82a1a0, obj=0x7ffff6901000, filename=0x7fffffffe5cb "w548-reduced.js", forceTTY=0) at ../../shell/js.cpp:440
#25 0x000000000040572a in ProcessArgs (cx=0x82a1a0, obj=0x7ffff6901000, argv=0x7fffffffe2c0, argc=1) at ../../shell/js.cpp:860
#26 0x000000000040dadd in shell (cx=0x82a1a0, argc=1, argv=0x7fffffffe2c0, envp=0x7fffffffe2d0) at ../../shell/js.cpp:5038
#27 0x000000000040dbed in main (argc=1, argv=0x7fffffffe2c0, envp=0x7fffffffe2d0) at ../../shell/js.cpp:5129
I get this assert on fatval-tip, but not tm-tip. Maybe existing bug that better asserts are catching?
Summary: JM: "Assertion failure: &obj != NULL," → "Assertion failure: &obj != NULL,"
Yeah, does seem to be fatval-related.
No longer blocks: JaegerFuzz
Summary: "Assertion failure: &obj != NULL," → FV: "Assertion failure: &obj != NULL,"
Now fatval has landed, this is now in TM:

(x = Proxy.createFunction((function() {
  return {
    defineProperty: function(name, desc) {
      Object.defineProperty(x, name, desc)
    },
  }
})(), (eval)));
Object.defineProperty(x, "", ({
  get: Math.w
}))

causes a null crash on TM tip without -j at PropDesc::initialize on a js opt shell, and asserts similarly on a debug shell.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00080e92 in PropDesc::initialize ()
(gdb) bt
#0  0x00080e92 in PropDesc::initialize ()
#1  0x00086d26 in js_DefineOwnProperty ()
#2  0x00088a3c in obj_defineProperty ()
#3  0x00065a7c in js::Interpret ()
#4  0x0006e181 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> ()
#5  0x0006ef3d in js::Invoke ()
#6  0x0006f943 in js::InternalInvoke ()
#7  0x000c5802 in js::JSScriptedProxyHandler::defineProperty ()
#8  0x000c372f in js::JSProxy::defineProperty ()
#9  0x00086aa4 in DefineProperty ()
#10 0x00086d74 in js_DefineOwnProperty ()
#11 0x00088a3c in obj_defineProperty ()
#12 0x00065a7c in js::Interpret ()
#13 0x0006e65b in js::Execute ()
#14 0x00014a18 in JS_ExecuteScript ()
#15 0x00005fcc in Process ()
#16 0x00009826 in shell ()
#17 0x00009d37 in main ()
(gdb) x/i $eip
0x80e92 <_ZN8PropDesc10initializeEP9JSContextiRKN2js5ValueE+1282>:      mov    (%edx),%eax
(gdb) x/b $edx
0x0:    Cannot access memory at address 0x0
blocking2.0: --- → ?
Keywords: crash
OS: Linux → All
Hardware: x86_64 → All
Summary: FV: "Assertion failure: &obj != NULL," → Crash [@ PropDesc::initialize] or "Assertion failure: &obj != NULL,"
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: fatvals
Attached patch fixSplinter Review 
Ah, desc.getter can be null.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #457902 - Flags: review?(dmandelin)
Attachment #457902 - Flags: review?(dmandelin) → review+
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/8956606e0b49
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
Crash Signature: [@ PropDesc::initialize]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: