Closed
Bug 579602
Opened 15 years ago
Closed 14 years ago
Crash [@ js::Mark] or "Assertion failure: &obj != NULL," or "Assertion failure: obj,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [sg:dos][ccbr] fixed-in-tracemonkey)
Crash Data
f = function() {
x = yield
}
rv = f()
for (a in rv) function() {}
x = Proxy.create((function() {
return {
defineProperty: gc
}
})(), x)
with({
d: (({
x: Object.defineProperty(x, "", ({
set: Array.e
}))
}))
}) {}
crashes js opt shell on TM tip without -j at js::Mark and asserts js debug shell on TM tip without -j at Assertion failure: &obj != NULL, at ../jsvalue.h:356
s-s because this concerns gc.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x000fa000
0x0005708b in js::Mark ()
(gdb) bt
#0 0x0005708b in js::Mark ()
#1 0x0005adf0 in js::AutoGCRooter::trace ()
#2 0x00057e3f in js_TraceContext ()
#3 0x0005809f in js_TraceRuntime ()
#4 0x000585c5 in js_GC ()
#5 0x00010dad in JS_GC ()
#6 0x00006f63 in GC ()
#7 0x0006e273 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> ()
#8 0x0006f00d in js::Invoke ()
#9 0x0006fa13 in js::InternalInvoke ()
#10 0x000c58b2 in js::JSScriptedProxyHandler::defineProperty ()
#11 0x000c37df in js::JSProxy::defineProperty ()
#12 0x00086b84 in DefineProperty ()
#13 0x00086e54 in js_DefineOwnProperty ()
#14 0x00088b1c in obj_defineProperty ()
#15 0x00065b4c in js::Interpret ()
#16 0x0006e72b in js::Execute ()
#17 0x00014a58 in JS_ExecuteScript ()
#18 0x0000600c in Process ()
#19 0x00009866 in shell ()
#20 0x00009d77 in main ()
(gdb) x/i $eip
0x5708b <_ZN2js4MarkEP8JSTracerPvj+171>: mov %edx,(%eax)
(gdb) x/b $edx
0x2c791 <_ZL12date_setYearP9JSContextjPN2js5ValueE+1281>: 0x29
|
Reporter | |
Comment 1•15 years ago
|
||
This asserts at Assertion failure: obj, at ../jsgc.h:545 in a 64-bit debug shell.
Summary: Crash [@ js::Mark] or "Assertion failure: &obj != NULL," → Crash [@ js::Mark] or "Assertion failure: &obj != NULL," or "Assertion failure: obj,"
|
|
Reporter | |
Comment 2•15 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 47546:9c869e64ee26
user: Luke Wagner
date: Wed Jul 14 23:19:36 2010 -0700
summary: Bug 549143 - fatvals
Blocks: fatvals
|
|
||
Comment 3•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/26c99d5891c1
Same broken desc.getter/setter nullness assumption as in bug 578015 -- I should have grepped for all "desc.getter/setter" uses :-/.
Also, a null going into MarkObject is going to reliably crash in release builds in MarkIfUnmarkedGCThing when JS_TEST_BIT dereferences null, so I don't believe this is s-s.
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
|
|
||
Comment 4•15 years ago
|
||
Oops, forgot to add the test case:
http://hg.mozilla.org/tracemonkey/rev/0a0154664a10
|
||
Updated•15 years ago
|
Group: core-security
Whiteboard: [ccbr] fixed-in-tracemonkey → [sg:dos][ccbr] fixed-in-tracemonkey
|
||
Comment 5•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
||
Updated•14 years ago
|
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
|
||
Updated•14 years ago
|
Crash Signature: [@ js::Mark]
|
||
Comment 6•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug579602.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•