Closed Bug 609256 Opened 9 years ago Closed 9 years ago

JM: Crash at weird instruction or [@ JSObject::getGlobal], "Assertion failure: isObject(),"

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla2.0b8
Tracking Status
blocking2.0 --- beta8+

People

(Reporter: gkw, Assigned: Waldo)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file, 1 obsolete file)

(function() {
  __defineGetter__("x",
  function() {
    return (eval = '')
  })
  x
})()
eval()

crashes js opt shell at a weird instruction and asserts js debug shell at Assertion failure: isObject(), on TM changeset 7ec0a71652a6.

Assuming s-s just to be safe.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x00000000
0x00651006 in ?? ()
(gdb) x/i $eip
0x651006:       add    %al,%gs:(%eax)
(gdb) x/b $al
Value can't be converted to integer.
(gdb) x/b $gs
0x37:   Cannot access memory at address 0x37
(gdb) x/b $eax
0x65006a:       0xe2
blocking2.0: --- → ?
-m is required to trigger the issue.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   56564:6abb9e45a79a
user:        Jeff Walden
date:        Thu Oct 21 14:31:29 2010 -0700
summary:     Bug 604504 - Implement an eval kernel that obj_eval and JSOP_EVAL can each call.  r=jorendorff,dvander
Blocks: 604504
eval("\
     Object.defineProperty\
     (\
     this,\
     \"eval\",\
     ({\
     get:function(){},\
     })\
     )\
     in\
     []\
     ")
eval()

crashes js opt shell at JSObject::getGlobal instead and asserts identically.
Summary: JM: Crash at weird instruction, "Assertion failure: isObject()," → JM: Crash at weird instruction or [@ JSObject::getGlobal], "Assertion failure: isObject(),"
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attached patch Patch (obsolete) — Splinter Review
I have a feeling I merged through strict-this interpreter changes yet forgot to propagate the merge fixes into the methodjit version -- my own fault for not writing enough eval tests to go with the changes in that bug.  :-\
Attachment #488542 - Flags: review?(lw)
Comment on attachment 488542 [details] [diff] [review]
Patch

>     if (!IsFunctionObject(*vp, &callee) ||
>         !IsBuiltinEvalFunction((fun = callee->getFunctionPrivate())))
>     {
>-        if (!ComputeThisFromVpInPlace(f.cx, vp) ||
>-            !Invoke(f.cx, InvokeArgsAlreadyOnTheStack(vp, argc), 0))
>-        {
>+        if (!Invoke(f.cx, InvokeArgsAlreadyOnTheStack(vp, argc), 0))
>             THROW();
>-        }
>         return;
>     }
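Review bot: the branch for a non-builtin-eval callee now calls Invoke without the preceding ComputeThisFromVpInPlace, so the callee's this is whatever was left in vp[1] unless Invoke computes it itself; the comment on the patch attributes the crash to strict-this interpreter changes not being propagated into the methodjit version, so please confirm Invoke performs that computation on the new path and add jit-tests that reach this branch under -m, both with eval replaced by a non-function (the two testcases in this bug) and with eval replaced by an ordinary function, so the isObject() assertion path is covered.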

The stubs::Eval version differs (innocuously) from the JSOP_EVAL version in that JSOP_EVAL will use an inline call (goto not_direct_eval) if IsFunctionObject but !IsBuiltinEvalFunction.  For regularity, could you change the interpreter 'goto call_using_invoke' in both cases?
Attached patch v2 — Splinter Review
Attachment #488542 - Attachment is obsolete: true
Attachment #488567 - Flags: review?(lw)
Attachment #488542 - Flags: review?(lw)
Attachment #488567 - Flags: review?(lw) → review+
http://hg.mozilla.org/tracemonkey/rev/edc26e88b2c4
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b8
http://hg.mozilla.org/mozilla-central/rev/edc26e88b2c4
Status: ASSIGNED → RESOLVED
blocking2.0: ? → beta8+
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSObject::getGlobal]
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security