Closed Bug 667824 Opened 9 years ago Closed 9 years ago

TM: Crash [@ js::TraceRecorder::record_NativeCallComplete] or "Assertion failure: pendingSpecializedNative,"

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla8

People

(Reporter: gkw, Assigned: luke)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [ccbr][fixed-in-tracemonkey])

Crash Data

Attachments

(2 files)

Attached file stack
var x;
for (let a = 0; a < 8; a++) {
    Function.prototype()
}

asserts js debug shell on TM changeset 208160c856b7 with -j at Assertion failure: pendingSpecializedNative, and crashes js opt shell with -j at js::TraceRecorder::record_NativeCallComplete

Examining the registers, seems to be a null deref but locking s-s just-to-be-safe.

(gdb) x/i $pc
0x1001b927e <_ZN2js13TraceRecorder25record_NativeCallCompleteEv+78>:    mov    0x18(%rcx),%edx
(gdb) x/b $rcx
0x0:    Cannot access memory at address 0x0(gdb) x/b $edx
Value can't be converted to integer.

autoBisect is running as I type.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   71128:ce10e78d030d
user:        Luke Wagner
date:        Tue Jun 14 16:36:13 2011 -0700
summary:     Bug 664252 - Turn lemons (LLVM-only build bustage) into lemonade (rewrite JSOP_CALL/EVAL/NEW to have less goto madness) (r=waldo)
Blocks: 664252
Null-deref, so not ss.
Group: core-security
Attached patch fix with testSplinter Review
Simple fix.  Thanks for the simple test-case Gary.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #542526 - Flags: review?(jwalden+bmo)
I reported this before in 666701. Is this the same issue?
Duplicate of this bug: 666701
Oops, yes, I missed that.
Attachment #542526 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/tracemonkey/rev/c1afc79e7676
Whiteboard: [ccbr] → [ccbr][fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
This bug is nominated tracking-firefox7 because it fixes a crash that made it to mozilla-central. [@ js::TraceRecorder::record_NativeCallComplete]
(In reply to comment #9)
> This bug is nominated tracking-firefox7 because it fixes a crash that made
> it to mozilla-central. [@ js::TraceRecorder::record_NativeCallComplete]

Brendan mentions this particular bug should be taken:

http://groups.google.com/group/mozilla.dev.tech.js-engine.internals/browse_thread/thread/626c85124555c0c9

From fuzzers' perspective, it fixes a bug that fuzzers find *really* easily.

Luke will have to nominate the attachment with a risk analysis.
Low-risk, should definitely take.
(But I should also point out that its unexploitable and fuzzers will probably be the only thing that finds this)
Attachment #542526 - Flags: approval-mozilla-aurora?
nm, it has been merged to aurora.
Attachment #542526 - Flags: approval-mozilla-aurora?
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.