Bug 677194 - Assertion failure: !JSVAL_IS_PRIMITIVE(val) in nsDOMConstructor::HasInstance
Status: RESOLVED FIXED
Keywords: assertion, regression, reproducible, testcase
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All / All
Importance: -- critical
Target Milestone: mozilla14
Assigned To: Josh Matthews [:jdm]
Duplicates: 731464
Blocks: 532972 new-web-workers

Reported: 2011-08-08 05:43 PDT by Bob Clary [:bc:]
Modified: 2012-05-05 10:33 PDT
Flags: ryanvm: in-testsuite+
Branch status flags: unaffected, unaffected, affected, affected, affected

Attachments:

testcase (84 bytes, text/html)
2011-08-08 13:07 PDT, Bob Clary [:bc:]

Change assertion to an early-return bailout. (1.03 KB, patch)
2012-02-29 09:11 PST, Josh Matthews [:jdm]
jst: review+
akeybl: approval-mozilla-central+

Test (889 bytes, patch)
2012-04-21 00:47 PDT, :Ms2ger (⌚ UTC+1/+2)
jst: review+

Description Bob Clary [:bc:] 2011-08-08 05:43:57 PDT
1. http://www.pagewash.com/nph-index.cgi/000010A/uggc:/=2fjjj.oop.pb.hx/ivrganzrfr/ivrganz/2011/08/110805_ihivrgatbna_rkcynangvba.fugzy

2. Assertion failure: !JSVAL_IS_PRIMITIVE(val), at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:6051

trunk only: mac, linux, windows

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x06b6d489 in CrashInJS () at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:92
92	    *((int *) NULL) = 123;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x06b6d489 in CrashInJS () at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:92
#1  0x06b6d4f3 in JS_Assert (s=0x6de34ed "!JSVAL_IS_PRIMITIVE(val)", file=0x6de1fc4 "/work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp", ln=6051) at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:103
#2  0x05836d86 in nsDOMConstructor::HasInstance (this=0x256b3400, wrapper=0x256b3520, cx=0x23cb1b80, obj=0x1e4c158, v=@0x1a524248, bp=0xbfffb1e4, _retval=0xbfffb1e0) at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:6051
#3  0x05837441 in nsDOMConstructorSH::HasInstance (this=0x1aa881a0, wrapper=0x256b3520, cx=0x23cb1b80, obj=0x1e4c158, val=@0x1a524248, bp=0xbfffb1e4, _retval=0xbfffb1e0) at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:11041
#4  0x05d8ee39 in XPC_WN_Helper_HasInstance (cx=0x23cb1b80, obj=0x1e4c158, valp=0x1a524248, bp=0xbfffb60c) at /work/mozilla/builds/nightly/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1072
#5  0x06a94f0f in js::HasInstance (cx=0x23cb1b80, obj=0x1e4c158, v=0x1a524248, bp=0xbfffb60c) at jsinterp.cpp:1026
#6  0x06a8d187 in js::Interpret () at /work/mozilla/builds/nightly/mozilla/js/src/jsinterp.cpp:5393
#7  0x06a95ad2 in js::RunScript (cx=0x23cb1b80, script=0x256b7b10, fp=0x1a524020) at jsinterp.cpp:613
#8  0x06a95cc3 in js::Execute (cx=0x23cb1b80, script=0x256b7b10, scopeChain=@0x1e20038, thisv=@0xbfffc430, type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0) at jsinterp.cpp:911
#9  0x06a95e73 in js::ExternalExecute (cx=0x23cb1b80, script=0x256b7b10, scopeChainArg=@0x1e20038, rval=0x0) at jsinterp.cpp:947
#10 0x069c1918 in EvaluateUCScriptForPrincipalsCommon (cx=0x23cb1b80, obj=0x1e20038, principals=0x245044f4, chars=0x2553f008, length=12704, filename=0x23ededa8 "http://www.pagewash.com///nph-index.cgi/000010H/uggc:/=2ffgngvp.oop.pb.hx/senzrjbexf/oneyrfdhr/1.8.33/=2fqrfxgbc/3/fpevcg/oneyrfdhr.wf", lineno=1, rval=0x0, compileVersion=JSVERSION_DEFAULT) at /work/mozilla/builds/nightly/mozilla/js/src/jsapi.cpp:4970
#11 0x069c1c6b in JS_EvaluateUCScriptForPrincipalsVersion (cx=0x23cb1b80, obj=0x1e20038, principals=0x245044f4, chars=0x2553f008, length=12704, filename=0x23ededa8 "http://www.pagewash.com///nph-index.cgi/000010H/uggc:/=2ffgngvp.oop.pb
Comment 1 Bob Clary [:bc:] 2011-08-08 13:07:51 PDT
Created attachment 551546 [details]
testcase

<script>
function foo(o) {
        o instanceof CSS2Properties;
}
foo({})
</script>
Comment 2 Jesse Ruderman 2011-10-15 12:17:38 PDT
Another testcase:

({}) instanceof NodeFilter;
Comment 3 Josh Matthews [:jdm] 2012-02-14 18:13:25 PST
http://mxr.mozilla.org/mozilla-central/source/dom/base/nsDOMClassInfo.cpp#5889 shows this condition is now checked, and the testcases don't reproduce the crashes for me any more.
Comment 4 Bob Clary [:bc:] 2012-02-14 23:36:39 PST
Automation can still reproduce with

http://www.pagewash.com///nph-index.cgi/000010A/uggc:/=2fjjj.obkvgia.arg/onv/32766

http://www.pagewash.com/////nph-index.cgi/000010A/uggc:/=2foebxrepurpx.svaen.bet/Fhccbeg/AbErfhygf.nfck=3fFrnepuTebhc=3dVaqvivqhny%26FrnepuGlcr=3dSerrSbez%26FrnepuGrkg=3dqbzavp%26SAnzr=3d%26ZAnzr=3d%26YAnzr=3d%26SvezAnzr=3d%26PEQAhzore=3d-1%26VaqiyOPPgtel=3d-1%26VaqiyVNPgt

On all three platforms and branches. I reproduced with 2/14's Nightly on Mac OS X 10.5 locally. I also reproduced locally with both test cases. 

You did test with a debug build?
Comment 5 Josh Matthews [:jdm] 2012-02-15 08:20:08 PST
Whoops. I was under the misguided impression that JS asserts were non-debug. We should just transform the !JSVAL_IS_PRIMITIVE assertion into an early return instead.
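As an added illustration of the change comment 5 proposes (this is not Gecko's code and not the patch attached to this bug, which is not reproduced on this page): a toy HasInstance hook written two ways, once with the invariant only asserted, as in the trace above, and once with the assertion turned into an early-return bailout. The Value and JSObjectModel types, protoChainContains, and the comparison by class name are modeling assumptions; what the real `val` holds in nsDOMConstructor::HasInstance is not shown here.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Minimal model of a JS object: a class name and the next link of its
// prototype chain (nullptr at the end of the chain).
struct JSObjectModel {
    std::string className;
    const JSObjectModel* proto;
};

// Minimal model of a jsval: a null object pointer stands for "primitive".
struct Value {
    const JSObjectModel* obj;
};

static bool JSVAL_IS_PRIMITIVE(const Value& v) { return v.obj == nullptr; }

// Stand-in for Gecko's nsresult.
enum nsresult { NS_OK = 0, NS_ERROR_FAILURE = 1 };

// What a HasInstance hook needs to decide: is `proto` on lhs's prototype chain?
// Modeling choice: compare by class name. This dereferences `proto`, so a
// null (primitive) `proto` is undefined behaviour.
static bool protoChainContains(const JSObjectModel* lhs, const JSObjectModel* proto) {
    for (const JSObjectModel* p = lhs ? lhs->proto : nullptr; p; p = p->proto) {
        if (p->className == proto->className) return true;
    }
    return false;
}

// Hypothetical "before": the invariant is only asserted. In a debug build a
// violation aborts the process (JS_Assert -> CrashInJS in the trace above);
// in a release build the assert compiles out and the null pointer is used.
nsresult HasInstance_AssertOnly(const Value& val, const Value& lhs, bool* bp) {
    assert(!JSVAL_IS_PRIMITIVE(val));
    *bp = protoChainContains(lhs.obj, val.obj);
    return NS_OK;
}

// Hypothetical "after": the same condition is an early return, so a primitive
// reaching the hook makes `instanceof` answer false in every build, without
// aborting and without touching a null pointer.
nsresult HasInstance_Bailout(const Value& val, const Value& lhs, bool* bp) {
    if (JSVAL_IS_PRIMITIVE(val)) {
        *bp = false;
        return NS_OK;
    }
    *bp = protoChainContains(lhs.obj, val.obj);
    return NS_OK;
}

int main() {
    // Constructed sample chain: Object.prototype <- Node.prototype <- a node.
    JSObjectModel objectProto{"Object", nullptr};
    JSObjectModel nodeProto{"Node", &objectProto};
    JSObjectModel node{"Node", &nodeProto};
    bool result = false;

    HasInstance_Bailout(Value{&nodeProto}, Value{&node}, &result);
    std::printf("node instanceof Node: %s\n", result ? "true" : "false");

    // The case this bug is about: a primitive where an object was expected.
    HasInstance_Bailout(Value{nullptr}, Value{&node}, &result);
    std::printf("primitive reaching the hook: %s (no abort)\n", result ? "true" : "false");
    return 0;
}
```

The point for reviewers of this kind of fix: a JS_ASSERT or NS_ASSERTION that web content can trigger is a crash oracle in debug builds and an unchecked assumption in release builds, so the assertion alone neither protects shipping code nor keeps fuzzers and automation (comment 4) quiet. An early return that reports "not an instance" closes both, and a crashtest built from the attached testcases (comment 14) keeps it closed.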
Comment 6 Josh Matthews [:jdm] 2012-02-28 20:16:37 PST
*** Bug 731464 has been marked as a duplicate of this bug. ***
Comment 7 Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com] 2012-02-29 07:55:08 PST
marked per request of Ms2ger
Comment 8 Ed Morley [:emorley] 2012-02-29 08:20:15 PST
(Removing mentored bug annotation, given s-s and so not accessible to new contributors).
Comment 9 Josh Matthews [:jdm] 2012-02-29 09:11:55 PST
Created attachment 601638 [details] [diff] [review]
Change assertion to an early-return bailout.

I threw my r? into the air / it fell to earth, I know not where.
Comment 10 :Ms2ger (⌚ UTC+1/+2) 2012-03-02 03:42:16 PST
Sorry, misread the code. This isn't actually s-s.
Comment 11 Bob Clary [:bc:] 2012-03-04 07:29:19 PST
not security sensitive per comment 10.
Comment 12 Daniel Veditz [:dveditz] 2012-04-19 23:10:47 PDT
Assigning to Josh because it's his patch.
Comment 13 Ryan VanderMeulen [:RyanVM] 2012-04-20 19:37:40 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/e466bffc6a7b

Any chance of getting a test?
Comment 14 Josh Matthews [:jdm] 2012-04-20 22:22:20 PDT
Yes, it should be easy to create a crashtest that will fail in debug builds. I'll do that.
Comment 15 :Ms2ger (⌚ UTC+1/+2) 2012-04-21 00:47:36 PDT
Created attachment 617191 [details] [diff] [review]
Test
Comment 16 Phil Ringnalda (:philor) 2012-04-21 23:50:22 PDT
https://hg.mozilla.org/mozilla-central/rev/e466bffc6a7b
Comment 17 :Ms2ger (⌚ UTC+1/+2) 2012-05-05 10:28:16 PDT
Landed test:

https://hg.mozilla.org/mozilla-central/rev/a0488fd9207b