Closed Bug 627692 Opened 13 years ago Closed 13 years ago

TM: Crash [@ js_IteratorMore] or [@ js_SuppressDeletedProperty] or "Assertion failure: cx->enumerators == obj,"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey][has patch])

Crash Data

Attachments

(2 files)

Attached file more information
N = typeof w == ""
t = e = false;
(function() {
  __defineGetter__("",
  function(h) {
    for (var y in this) {}
  });
  do {
    for each(var e in this) {}
  } while ( function () {})
})()

crashes js debug and opt shell on TM changeset aa618e93942e at js_IteratorMore with -j.
s-s because this seems to access a weird memory address 0x6e0075.
blocking2.0: --- → ?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   60655:284811f39ca6
user:        David Anderson
date:        Fri Jan 14 17:15:21 2011 -0800
summary:     Get rid of value snapshotting in value iterators (bug 624421, r=luke,gal).
blocking2.0: ? → final+
Assignee: general → jorendorff
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][hardblocker]
We're deep-bailing in the middle of one enumeration, then recording another trace that does an enumeration on the same object.

Sometimes we assert during LeaveTree, with bad stuff on the operand stack, and sometimes in js_CloseIterator closing the wrong iterator.

The inner trace seems to be clobbering the outer (deep-bailed but still on the stack waiting to call LeaveTree at the first opportunity) trace's state. This test:

var obj = {
    a0: void 0,
    a1: void 0,
    a2: void 0,
    a3: void 0,
    a4: void 0,
    a5: void 0,
    a6: void 0,
    a7: void 0,
    a8: void 0,
    a9: void 0,
    get z () {
        for (var y in obj)
            print("    inner: " + y + " " + tracemonkey.onTrace);
    }};

(function() {
    for each (var e in obj)
        print("outer:" + e + " " + tracemonkey.onTrace);
 })();

produces this output:

outer:undefined false
outer:undefined false
outer:undefined false
outer:undefined false
outer:undefined false
outer:undefined false
outer:undefined false
outer:undefined false
outer:undefined false
outer:undefined true
    inner: a0 false
    inner: a1 false
    inner: a2 false
    inner: a3 false
    inner: a4 false
    inner: a5 false
    inner: a6 false
    inner: a7 false
    inner: a8 true
    inner: a9 true
    inner: z true
outer:undefined true
outer:a0 false
outer:a1 false
outer:a2 true
outer:a3 true
outer:a4 true
outer:a5 true
outer:a6 true
outer:a7 true
outer:a8 true
outer:a9 true
outer:z true
Assertion failure: cx->enumerators == obj, at d:/dev/tracemonkey/js/src/jsiter.cpp:789

(Without -j it stops after the last "outer: undefined" line, which is correct.)
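A standard-JS regression check for the invariant the comment above describes, added here as an example rather than taken from the bug or the TraceMonkey test suite: the object layout, log format and helper names (runNestedEnumeration, checkNestedEnumeration, CLOBBERED_LOG) are my own, and the removed `for each` is replaced by reading `obj[k]` inside a plain for-in.

```javascript
// Added example (not from the bug or the TraceMonkey test suite): standard-JS
// check of the invariant bug 627692 broke under -j: an inner for-in over the
// same object, fired from a getter while an outer enumeration is live, must
// not clobber the outer iterator. Helper names are my own.
// Mirror the bug's reproduction: n plain properties plus a getter `z` that
// enumerates the same object. Log format follows the bug comment's output.
function runNestedEnumeration(n) {
  const log = [];
  const obj = {};
  for (let i = 0; i < n; i++) obj["a" + i] = undefined;
  Object.defineProperty(obj, "z", {
    enumerable: true,
    get() {
      for (const y in obj) log.push("    inner: " + y);
    },
  });
  // Reading obj[k] fires the getter for k === "z" mid-enumeration (the
  // modern stand-in for the removed `for each`, which read values).
  for (const k in obj) log.push("outer:" + obj[k]);
  return log;
}

// Correct shape for n properties: n+1 outer lines (a0..a(n-1), then z), one
// contiguous block of n+1 inner lines between the n-th outer line and the
// outer line for z, and nothing after that last outer line.
function checkNestedEnumeration(log, n) {
  if (log.length !== 2 * n + 2) return false;
  const outerIdx = [], innerIdx = [];
  log.forEach((line, i) => {
    if (line.startsWith("outer:")) outerIdx.push(i);
    else if (line.trim().startsWith("inner:")) innerIdx.push(i);
  });
  if (outerIdx.length !== n + 1 || innerIdx.length !== n + 1) return false;
  const first = innerIdx[0], last = innerIdx[n];
  return last - first === n &&
    first === outerIdx[n - 1] + 1 &&
    last === outerIdx[n] - 1 &&
    outerIdx[n] === log.length - 1;
}

// Constructed from the clobbered output quoted in the bug comment (onTrace
// column dropped): after the outer line for z, the outer loop wrongly
// re-walks every key. checkNestedEnumeration rejects it.
const KEYS = [...Array(10).keys()].map((i) => "a" + i).concat("z");
const CLOBBERED_LOG = [
  ...Array(10).fill("outer:undefined"),
  ...KEYS.map((k) => "    inner: " + k),
  "outer:undefined",
  ...KEYS.map((k) => "outer:" + k),
];
```

A correct engine yields 22 log lines and passes the check; the transcript from the -j run fails it on the outer-line count alone.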
The following testcase was reduced from a similar testcase and has the same regressing changeset:

N = 0
function n() {}
s = n
function f(foo) {
    gc()
    try {
        (Function(foo))()
    } catch(r) {}
    delete this.Math
}
function g() {}
var c
function y() {}
t = b = eval
f("\
  __defineGetter__(\"\",\
    function(p){\
      for(var s in this) {}\
    }\
  )[\"\"]\
")
f("\
  do;\
  while(([\
    \"\" for each(z in this)\
  ])&0)\
")
f()

asserts debug shell with -j at Assertion failure: cx->enumerators == obj, and crashes opt shell with -j at js_SuppressDeletedProperty when passed in as a CLI argument.
Summary: TM: Crash [@ js_IteratorMore] → TM: Crash [@ js_IteratorMore] or [@ js_SuppressDeletedProperty] or "Assertion failure: cx->enumerators == obj,"
Attached patch v1
I tried to get assertion coverage for this, but it was taking a long time and I never got there. I think I was trying to assert too much.

I'll try again, but the most important thing is to get the blocker fixed and see if it fixes other bugs as we expect.
Attachment #508585 - Flags: review?(dvander)
Attachment #508585 - Flags: review?(dvander) → review+
This patch makes my brane hert.

/be
Backed out in http://hg.mozilla.org/tracemonkey/rev/42bd70d77a86 since it wasn't clear to me whether it was this or the other cset in the same push that caused make check to time out during jit-test/tests/basic/bug627609.js, but the tree was completely hosed.
I very cleverly included a test that infloops. Relanded with a different test. Looks like it'll stick.

http://hg.mozilla.org/tracemonkey/rev/c56d2246df65
Whiteboard: [ccbr][sg:critical?][hardblocker] → [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey]
Whiteboard: [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey] → [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey][has patch]
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_IteratorMore] [@ js_SuppressDeletedProperty]
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
Crash Signature: [@ js_IteratorMore] [@ js_SuppressDeletedProperty] → [@ js_IteratorMore] [@ js_SuppressDeletedProperty]