Closed Bug 579602 Opened 14 years ago Closed 14 years ago

Crash [@ js::Mark] or "Assertion failure: &obj != NULL," or "Assertion failure: obj,"

Categories

(Core :: JavaScript Engine, defect)

Platform: x86 macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dos][ccbr] fixed-in-tracemonkey)

f = function() {
  x = yield
}
rv = f()
for (a in rv) function() {}
x = Proxy.create((function() {
  return {
    defineProperty: gc
  }
})(), x)
with({
  d: (({
    x: Object.defineProperty(x, "", ({
      set: Array.e
    }))
  }))
}) {}

crashes js opt shell on TM tip without -j at js::Mark and asserts js debug shell on TM tip without -j at Assertion failure: &obj != NULL, at ../jsvalue.h:356

s-s because this concerns gc.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x000fa000
0x0005708b in js::Mark ()
(gdb) bt
#0  0x0005708b in js::Mark ()
#1  0x0005adf0 in js::AutoGCRooter::trace ()
#2  0x00057e3f in js_TraceContext ()
#3  0x0005809f in js_TraceRuntime ()
#4  0x000585c5 in js_GC ()
#5  0x00010dad in JS_GC ()
#6  0x00006f63 in GC ()
#7  0x0006e273 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> ()
#8  0x0006f00d in js::Invoke ()
#9  0x0006fa13 in js::InternalInvoke ()
#10 0x000c58b2 in js::JSScriptedProxyHandler::defineProperty ()
#11 0x000c37df in js::JSProxy::defineProperty ()
#12 0x00086b84 in DefineProperty ()
#13 0x00086e54 in js_DefineOwnProperty ()
#14 0x00088b1c in obj_defineProperty ()
#15 0x00065b4c in js::Interpret ()
#16 0x0006e72b in js::Execute ()
#17 0x00014a58 in JS_ExecuteScript ()
#18 0x0000600c in Process ()
#19 0x00009866 in shell ()
#20 0x00009d77 in main ()
(gdb) x/i $eip
0x5708b <_ZN2js4MarkEP8JSTracerPvj+171>:        mov    %edx,(%eax)
(gdb) x/b $edx
0x2c791 <_ZL12date_setYearP9JSContextjPN2js5ValueE+1281>:       0x29
This asserts at Assertion failure: obj, at ../jsgc.h:545 in a 64-bit debug shell.
Summary: Crash [@ js::Mark] or "Assertion failure: &obj != NULL," → Crash [@ js::Mark] or "Assertion failure: &obj != NULL," or "Assertion failure: obj,"
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: fatvals
http://hg.mozilla.org/tracemonkey/rev/26c99d5891c1

Same broken desc.getter/setter nullness assumption as in bug 578015 -- I should have grepped for all "desc.getter/setter" uses :-/.

Also, a null going into MarkObject is going to reliably crash in release builds in MarkIfUnmarkedGCThing when JS_TEST_BIT dereferences null, so I don't believe this is s-s.
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
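Added example, not code from this bug or from SpiderMonkey, modelling the hazard Luke describes: a descriptor built from `{set: f}` carries a null getter, and a tracer that hands both accessor slots to the marker unconditionally dereferences null as soon as a GC runs (here triggered from the proxy's defineProperty trap while the descriptor is still rooted). The names `markIfUnmarked`, `traceDescriptorBuggy`, `traceDescriptorFixed` and `gcTraceRoots` are assumptions standing in for MarkIfUnmarkedGCThing, the descriptor tracer and the AutoGCRooter walk; only the fixed tracer is safe to call on such a descriptor.

```cpp
// Constructed model of the null-accessor GC hazard; not SpiderMonkey code.
#include <cstdint>
#include <vector>

struct GCThing {            // stand-in for a GC cell: one mark bit
    uint32_t markBit;
};

struct PropertyDescriptor { // stand-in for js::PropertyDescriptor: either accessor may be absent (null)
    GCThing *getter;
    GCThing *setter;
};

// Stand-in for MarkIfUnmarkedGCThing: test-and-set the mark bit.
// Returns true when the cell was newly marked. A null `thing` faults on the first read,
// which is the release-build crash in js::Mark seen in the backtrace above.
static bool markIfUnmarked(GCThing *thing) {
    if (thing->markBit) return false;
    thing->markBit = 1;
    return true;
}

// Buggy tracer: assumes desc.getter and desc.setter are both non-null.
static int traceDescriptorBuggy(PropertyDescriptor *desc) {
    int marked = 0;
    marked += markIfUnmarked(desc->getter); // null deref for a setter-only descriptor
    marked += markIfUnmarked(desc->setter);
    return marked;
}

// Fixed tracer: an absent accessor is simply not a GC thing to mark.
static int traceDescriptorFixed(PropertyDescriptor *desc) {
    int marked = 0;
    if (desc->getter) marked += markIfUnmarked(desc->getter);
    if (desc->setter) marked += markIfUnmarked(desc->setter);
    return marked;
}

// What Object.defineProperty(x, "", {set: f}) leaves rooted: setter present, getter null.
static PropertyDescriptor setterOnlyDescriptor(GCThing *setterFn) {
    PropertyDescriptor d = {nullptr, setterFn};
    return d;
}

// Stand-in for js_GC walking the AutoGCRooter chain: every rooted descriptor gets traced.
static int gcTraceRoots(const std::vector<PropertyDescriptor *> &roots, bool fixed) {
    int marked = 0;
    for (PropertyDescriptor *d : roots)
        marked += fixed ? traceDescriptorFixed(d) : traceDescriptorBuggy(d);
    return marked;
}
```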
Oops, forgot to add the test case:

http://hg.mozilla.org/tracemonkey/rev/0a0154664a10
Group: core-security
Whiteboard: [ccbr] fixed-in-tracemonkey → [sg:dos][ccbr] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/26c99d5891c1
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
Crash Signature: [@ js::Mark]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug579602.js.
Flags: in-testsuite+