Closed Bug 667824 Opened 13 years ago Closed 13 years ago

TM: Crash [@ js::TraceRecorder::record_NativeCallComplete] or "Assertion failure: pendingSpecializedNative,"

Categories: Core :: JavaScript Engine, defect

Platform: x86, macOS
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla8

People: Reporter: gkw, Assigned: luke

Keywords: assertion, crash, testcase
Whiteboard: [ccbr][fixed-in-tracemonkey]

Attachments: 2 files

Attached file stack

var x; for (let a = 0; a < 8; a++) { Function.prototype() }

asserts js debug shell on TM changeset 208160c856b7 with -j at Assertion failure: pendingSpecializedNative, and crashes js opt shell with -j at js::TraceRecorder::record_NativeCallComplete

Examining the registers, seems to be a null deref but locking s-s just-to-be-safe.

(gdb) x/i $pc
0x1001b927e <_ZN2js13TraceRecorder25record_NativeCallCompleteEv+78>: mov 0x18(%rcx),%edx
(gdb) x/b $rcx
0x0: Cannot access memory at address 0x0
(gdb) x/b $edx
Value can't be converted to integer.

autoBisect is running as I type.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 71128:ce10e78d030d
user: Luke Wagner
date: Tue Jun 14 16:36:13 2011 -0700
summary: Bug 664252 - Turn lemons (LLVM-only build bustage) into lemonade (rewrite JSOP_CALL/EVAL/NEW to have less goto madness) (r=waldo)
Blocks: 664252
Null-deref, so not ss.
Group: core-security
Attached patch fix with test
Simple fix. Thanks for the simple test-case Gary.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #542526 - Flags: review?(jwalden+bmo)
I reported this before in 666701. Is this the same issue?
Oops, yes, I missed that.
Attachment #542526 - Flags: review?(jwalden+bmo) → review+
Whiteboard: [ccbr] → [ccbr][fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
This bug is nominated tracking-firefox7 because it fixes a crash that made it to mozilla-central. [@ js::TraceRecorder::record_NativeCallComplete]
(In reply to comment #9)
> This bug is nominated tracking-firefox7 because it fixes a crash that made
> it to mozilla-central. [@ js::TraceRecorder::record_NativeCallComplete]

Brendan mentions this particular bug should be taken: http://groups.google.com/group/mozilla.dev.tech.js-engine.internals/browse_thread/thread/626c85124555c0c9

From fuzzers' perspective, it fixes a bug that fuzzers find *really* easily. Luke will have to nominate the attachment with a risk analysis.
Low-risk, should definitely take.
(But I should also point out that it's unexploitable and fuzzers will probably be the only thing that finds this)
Attachment #542526 - Flags: approval-mozilla-aurora?
nm, it has been merged to aurora.
Attachment #542526 - Flags: approval-mozilla-aurora?
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+