Assertion failure: !JSVAL_IS_PRIMITIVE(val) in nsDOMConstructor::HasInstance

RESOLVED FIXED in mozilla14

Status


Core
DOM
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: bc, Assigned: jdm)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla14
assertion, regression, reproducible, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox6 unaffected, firefox7 unaffected, firefox8 affected, firefox9 affected, firefox10 affected)

Details

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
1. http://www.pagewash.com/nph-index.cgi/000010A/uggc:/=2fjjj.oop.pb.hx/ivrganzrfr/ivrganz/2011/08/110805_ihivrgatbna_rkcynangvba.fugzy

2. Assertion failure: !JSVAL_IS_PRIMITIVE(val), at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:6051

trunk only: mac, linux, windows

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x06b6d489 in CrashInJS () at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:92
92	    *((int *) NULL) = 123;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x06b6d489 in CrashInJS () at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:92
#1  0x06b6d4f3 in JS_Assert (s=0x6de34ed "!JSVAL_IS_PRIMITIVE(val)", file=0x6de1fc4 "/work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp", ln=6051) at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:103
#2  0x05836d86 in nsDOMConstructor::HasInstance (this=0x256b3400, wrapper=0x256b3520, cx=0x23cb1b80, obj=0x1e4c158, v=@0x1a524248, bp=0xbfffb1e4, _retval=0xbfffb1e0) at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:6051
#3  0x05837441 in nsDOMConstructorSH::HasInstance (this=0x1aa881a0, wrapper=0x256b3520, cx=0x23cb1b80, obj=0x1e4c158, val=@0x1a524248, bp=0xbfffb1e4, _retval=0xbfffb1e0) at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:11041
#4  0x05d8ee39 in XPC_WN_Helper_HasInstance (cx=0x23cb1b80, obj=0x1e4c158, valp=0x1a524248, bp=0xbfffb60c) at /work/mozilla/builds/nightly/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1072
#5  0x06a94f0f in js::HasInstance (cx=0x23cb1b80, obj=0x1e4c158, v=0x1a524248, bp=0xbfffb60c) at jsinterp.cpp:1026
#6  0x06a8d187 in js::Interpret () at /work/mozilla/builds/nightly/mozilla/js/src/jsinterp.cpp:5393
#7  0x06a95ad2 in js::RunScript (cx=0x23cb1b80, script=0x256b7b10, fp=0x1a524020) at jsinterp.cpp:613
#8  0x06a95cc3 in js::Execute (cx=0x23cb1b80, script=0x256b7b10, scopeChain=@0x1e20038, thisv=@0xbfffc430, type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0) at jsinterp.cpp:911
#9  0x06a95e73 in js::ExternalExecute (cx=0x23cb1b80, script=0x256b7b10, scopeChainArg=@0x1e20038, rval=0x0) at jsinterp.cpp:947
#10 0x069c1918 in EvaluateUCScriptForPrincipalsCommon (cx=0x23cb1b80, obj=0x1e20038, principals=0x245044f4, chars=0x2553f008, length=12704, filename=0x23ededa8 "http://www.pagewash.com///nph-index.cgi/000010H/uggc:/=2ffgngvp.oop.pb.hx/senzrjbexf/oneyrfdhr/1.8.33/=2fqrfxgbc/3/fpevcg/oneyrfdhr.wf", lineno=1, rval=0x0, compileVersion=JSVERSION_DEFAULT) at /work/mozilla/builds/nightly/mozilla/js/src/jsapi.cpp:4970
#11 0x069c1c6b in JS_EvaluateUCScriptForPrincipalsVersion (cx=0x23cb1b80, obj=0x1e20038, principals=0x245044f4, chars=0x2553f008, length=12704, filename=0x23ededa8 "http://www.pagewash.com///nph-index.cgi/000010H/uggc:/=2ffgngvp.oop.pb
(Reporter)

Comment 1

6 years ago
Created attachment 551546 [details]
testcase

<script>
function foo(o) {
        // instanceof against a DOM constructor object; trips the
        // !JSVAL_IS_PRIMITIVE(val) assertion in a debug build
        o instanceof CSS2Properties;
}
foo({})
</script>
(Reporter)

Updated

6 years ago
Keywords: testcase-wanted → testcase
(Reporter)

Updated

6 years ago
status-firefox9: --- → affected
(Reporter)

Updated

6 years ago
status-firefox10: --- → affected

Comment 2

6 years ago
Another testcase:

({}) instanceof NodeFilter;
(Assignee)

Comment 3

5 years ago
http://mxr.mozilla.org/mozilla-central/source/dom/base/nsDOMClassInfo.cpp#5889 shows this condition is now checked, and the testcases don't reproduce the crashes for me any more.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 4

5 years ago
Automation can still reproduce with

http://www.pagewash.com///nph-index.cgi/000010A/uggc:/=2fjjj.obkvgia.arg/onv/32766

http://www.pagewash.com/////nph-index.cgi/000010A/uggc:/=2foebxrepurpx.svaen.bet/Fhccbeg/AbErfhygf.nfck=3fFrnepuTebhc=3dVaqvivqhny%26FrnepuGlcr=3dSerrSbez%26FrnepuGrkg=3dqbzavp%26SAnzr=3d%26ZAnzr=3d%26YAnzr=3d%26SvezAnzr=3d%26PEQAhzore=3d-1%26VaqiyOPPgtel=3d-1%26VaqiyVNPgt

On all three platforms and branches. I reproduced with 2/14's Nightly on Mac OS X 10.5 locally. I also reproduced locally with both test cases. 

You did test with a debug build?
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
(Assignee)

Comment 5

5 years ago
Whoops. I was under the misguided impression that JS asserts were non-debug. We should just transform the !JSVAL_IS_PRIMITIVE assertion into an early return instead.
Whiteboard: [mentor=jdm][lang=c++]
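As an added example (not code from this bug, its patch, or Mozilla's tree), the following C++ toy contrasts the assert-only hook with the early-return bailout that comment 5 proposes. The ToyObject, ToyValue and ToyConstructor types, the toyAssert helper and every fixture are constructed for this example. Where the primitive value arises inside nsDOMClassInfo.cpp is not stated on this page; the example assumes it is the constructor's "prototype" slot, which is the value the generic instanceof algorithm compares against.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>

// Constructed toy model of JS values: either an object with a prototype
// link, or a primitive such as undefined.
struct ToyObject {
    std::string name;
    const ToyObject* proto;      // nullptr at the end of the chain
};

struct ToyValue {
    bool isObject;
    const ToyObject* obj;        // only meaningful when isObject is true
};

static const ToyValue kUndefined{false, nullptr};

// A constructor as the hook sees it (assumption: the primitive comes from
// its "prototype" slot, which holds undefined when no prototype object exists).
struct ToyConstructor {
    std::string name;
    ToyValue prototypeSlot;
};

// Stand-in for a debug-only engine assertion. It throws here so the test can
// observe it; in a release build the real macro compiles to nothing.
static void toyAssert(bool cond, const char* what) {
    if (!cond) throw std::logic_error(what);
}

// Shared tail of both variants: is proto somewhere on lhs's prototype chain?
static bool chainContains(const ToyObject* lhs, const ToyObject* proto) {
    for (const ToyObject* o = lhs->proto; o != nullptr; o = o->proto)
        if (o == proto) return true;
    return false;
}

// Variant 1: assert-only. A primitive in the slot trips the assertion, which
// is the debug-build crash the report describes. With assertions compiled
// out, the code continues on a value nobody checked; this toy only compares
// pointers and so happens to survive, which is exactly why an assertion is
// not a fix for input that web content can influence.
bool hasInstanceAssertOnly(const ToyObject* lhs, const ToyConstructor& ctor) {
    const ToyValue& val = ctor.prototypeSlot;
    toyAssert(val.isObject, "!JSVAL_IS_PRIMITIVE(val)");
    return chainContains(lhs, val.obj);
}

// Variant 2: the early-return bailout of comment 5. Nothing can be an
// instance of a constructor without a prototype object, so answer false and
// stop before val.obj is ever used.
bool hasInstanceEarlyReturn(const ToyObject* lhs, const ToyConstructor& ctor) {
    const ToyValue& val = ctor.prototypeSlot;
    if (!val.isObject) return false;
    return chainContains(lhs, val.obj);
}

// Lets a caller confirm the assert-only variant is reached by the bad input
// without aborting the process.
bool assertOnlyTrips(const ToyObject* lhs, const ToyConstructor& ctor) {
    try {
        hasInstanceAssertOnly(lhs, ctor);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

// Constructed fixtures: kPlainObject stands in for the `{}` operand of the
// testcases, kNoProtoCtor for a constructor whose "prototype" slot is
// undefined, kWidgetCtor for an ordinary constructor with a prototype object.
static const ToyObject kObjectProto{"Object.prototype", nullptr};
static const ToyObject kPlainObject{"{}", &kObjectProto};
static const ToyObject kWidgetProto{"Widget.prototype", &kObjectProto};
static const ToyObject kSomeWidget{"widget", &kWidgetProto};

const ToyConstructor kNoProtoCtor{"CtorWithoutPrototype", kUndefined};
const ToyConstructor kWidgetCtor{"Widget", ToyValue{true, &kWidgetProto}};

int main() {
    std::printf("{} instanceof CtorWithoutPrototype (bailout): %d\n",
                hasInstanceEarlyReturn(&kPlainObject, kNoProtoCtor));
    std::printf("widget instanceof Widget (bailout): %d\n",
                hasInstanceEarlyReturn(&kSomeWidget, kWidgetCtor));
    std::printf("assert-only variant trips on the same input: %d\n",
                assertOnlyTrips(&kPlainObject, kNoProtoCtor));
    return 0;
}
```

Any C++11 compiler builds it. The design point is the one comment 4 and comment 5 circle around: an assertion only exists in debug builds, so a hook whose inputs a page can influence has to fail closed in release builds as well, and returning false is the natural closed result for an instanceof check.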
(Assignee)

Updated

5 years ago
Duplicate of this bug: 731464
Group: core-security
marked per request of Ms2ger
(Removing mentored bug annotation, given s-s and so not accessible to new contributors).
Whiteboard: [mentor=jdm][lang=c++]
(Assignee)

Comment 9

5 years ago
Created attachment 601638 [details] [diff] [review]
Change assertion to an early-return bailout.

I threw my r? into the air / it fell to earth, I know not where.
Attachment #601638 - Flags: review?(jst)

Updated

5 years ago
Attachment #601638 - Flags: review?(jst) → review+
Sorry, misread the code. This isn't actually s-s.
(Reporter)

Comment 11

5 years ago
Not security sensitive per comment 10.
Group: core-security
Assigning to Josh because it's his patch.
Assignee: nobody → josh
Blocks: 649537
Keywords: checkin-needed
Attachment #601638 - Flags: approval-mozilla-central?

Updated

5 years ago
Attachment #601638 - Flags: approval-mozilla-central? → approval-mozilla-central+
https://hg.mozilla.org/integration/mozilla-inbound/rev/e466bffc6a7b

Any chance of getting a test?
Flags: in-testsuite?
Keywords: checkin-needed
Target Milestone: --- → mozilla14
(Assignee)

Comment 14

5 years ago
Yes, it should be easy to create a crashtest that will fail in debug builds. I'll do that.
Created attachment 617191 [details] [diff] [review]
Test
Attachment #617191 - Flags: review?(jst)
https://hg.mozilla.org/mozilla-central/rev/e466bffc6a7b
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
Attachment #617191 - Flags: review?(jst) → review+
Landed test:

https://hg.mozilla.org/mozilla-central/rev/a0488fd9207b
Flags: in-testsuite? → in-testsuite+