TM/JM: Crash [@ js_GetProperty] or [@ js::analyze::ScriptAnalysis::maybeCode] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc,"

VERIFIED FIXED in Firefox 9

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

Trunk
mozilla10
x86
Mac OS X
assertion, crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox7- unaffected, firefox8- unaffected, firefox9+ fixed, firefox10+ fixed, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa-] js-triage-done, crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
Created attachment 569501 [details]
stack

a = evalcx("lazy");
b = {}
b.__proto__ = a
a.__proto__ = String
for (var a = 0; a < 50; a++) {
    try {
        b + ""
    } catch (e) {}
}

asserts js debug shell on m-c changeset 6cd262091470 with -m and -j at Assertion failure: script->code <= pc && pc < endpc,

A variant,

o9 = evalcx("lazy");
d = {}
d.__proto__ = o9
o9.__proto__ = String.prototype.__proto__;
__proto__.__defineGetter__("toString", function() {})
for (var a = 0; a < 50; a++) {
    try {
        d + ""
    } catch (e) {}
}

asserts js debug shell on m-c changeset 6cd262091470 with -m and -j at Assertion failure: offset < script->length, and crashes js opt shell at js_GetProperty

Tested on 32-bit Mac 10.6, setting [sg:critical] because a scary memory address, 0x83000005, is being read.

(Ran autoBisect on the second testcase, not sure if it's correct)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77143:9ca3d16d575c
parent:      77103:06445f55f009
user:        Brian Hackett
date:        Sat Sep 17 19:14:22 2011 -0700
summary:     [INFER] Reapply c2726640029f 3330521cfa4a b68281262e15 (bug 557358), 6a8947bcc821 (bug 684943), 50d4f6fa00ce (bug 683714), f3dd7cf2d0b3 (bug 683999).
(Reporter)

Comment 1

6 years ago
Created attachment 569502 [details]
actual stack

(gdb) x/i $pc
0xc8cf0 <_Z14js_GetPropertyP9JSContextP8JSObjectS2_iPN2JS5ValueE+1040>: orl    $0x4000,(%eax)
(gdb) x/b $eax
0x83000005:     Cannot access memory at address 0x83000005

orl performs a logical or between 0x4000 and eax, which is the weird address 0x83000005.
Attachment #569501 - Attachment is obsolete: true
(Reporter)

Updated

6 years ago
Blocks: 630996
No longer blocks: 349611
(Reporter)

Comment 2

6 years ago
Also crashes Mac 10.6 64-bit m-c tip changeset f2fa4ae74ee1, albeit with -j only, and with js::analyze::ScriptAnalysis::maybeCode at the top of js_GetProperty on the crash stack.
Crash Signature: [@ js_GetProperty] → [@ js_GetProperty] [@ js::analyze::ScriptAnalysis::maybeCode]
Summary: TM/JM: Crash [@ js_GetProperty] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc," → TM/JM: Crash [@ js_GetProperty] or [@ js::analyze::ScriptAnalysis::maybeCode] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc,"
(Assignee)

Comment 3

6 years ago
Created attachment 569884 [details] [diff] [review]
patch

Bug related to imacros.  The pc returned via currentScript could be in an imacro, which confused callers that expected the script/pc to match each other.

autoBisect is wrong, the blamed revision doesn't touch anything around here.
Attachment #569884 - Flags: review?(luke)
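Added illustration, not SpiderMonkey code and not part of the patch on this bug: a small C model of the invariant both assertions in the summary check. The Script struct, the buffers and the function names are constructed for the example; it shows why a pc taken from a separate imacro buffer must be rejected before it is turned into an offset into the script.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a script's bytecode buffer; not SpiderMonkey's
 * JSScript, just enough to show the invariant the assertions check. */
typedef struct {
    const uint8_t *code;   /* start of the bytecode */
    size_t length;         /* number of bytecode bytes */
} Script;

/* The debug-shell assertion "script->code <= pc && pc < endpc", written
 * over uintptr_t so comparing a pc from an unrelated buffer is well defined. */
static bool pc_in_script(const Script *script, const uint8_t *pc) {
    uintptr_t start = (uintptr_t)script->code;
    uintptr_t endpc = start + script->length;
    uintptr_t p = (uintptr_t)pc;
    return start <= p && p < endpc;
}

/* Analysis-side lookup modelled on "offset < script->length": the caller
 * gets -1 instead of an offset that would index past the script's buffer. */
static long checked_offset(const Script *script, const uint8_t *pc) {
    if (!pc_in_script(script, pc))
        return -1;
    return (long)(pc - script->code);
}

/* Constructed buffers: the real script and a separate imacro buffer. */
static const uint8_t script_bytes[8] = {0};
static const uint8_t imacro_bytes[4] = {0};
static const Script demo_script = { script_bytes, sizeof script_bytes };

/* Mismatched pair as in the bug: script is demo_script but pc points into
 * the imacro buffer, so the pair fails the check and no offset is derived. */
long offset_for_imacro_pc(void) {
    return checked_offset(&demo_script, imacro_bytes + 2);
}

/* Consistent pair: a pc that really belongs to demo_script. */
long offset_for_script_pc(void) {
    return checked_offset(&demo_script, script_bytes + 5);
}
```

Without the check, the mismatched pair would produce an offset relative to the wrong buffer and the analysis would read past the script, which is the out-of-bounds access behind the js_GetProperty crash.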
(Reporter)

Comment 4

6 years ago
> autoBisect is wrong, the blamed revision doesn't touch anything around here.

No wonder I had different blamed revs for the 2 testcases.
(Reporter)

Updated

6 years ago
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-done

Updated

6 years ago
Attachment #569884 - Flags: review?(luke) → review+
(Assignee)

Comment 5

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9507d7ca0f58
Is this something that we could take on aurora? And my understanding is that this is TI specific, so 8 and older are unaffected. Please correct me if I'm wrong on that.
Assignee: general → bhackett1024
status-firefox10: --- → affected
status-firefox7: --- → unaffected
status-firefox8: --- → unaffected
status-firefox9: --- → affected
tracking-firefox10: ? → +
tracking-firefox7: --- → -
tracking-firefox8: --- → -
tracking-firefox9: ? → +
(Assignee)

Comment 7

6 years ago
Comment on attachment 569884 [details] [diff] [review]
patch

currentScript() was added for the TI merge so this should only affect Fx9 and later (though this only manifests with the tracer enabled).
Attachment #569884 - Flags: approval-mozilla-aurora?
emorley merged this to mozilla-central: https://hg.mozilla.org/mozilla-central/rev/9507d7ca0f58

Resolving fixed.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10

Comment 9

6 years ago
Comment on attachment 569884 [details] [diff] [review]
patch

[Triage Comment]
* Approving for Aurora since this is a TI regression in 9
Attachment #569884 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 10

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/b16983396f30

Updated

6 years ago
status-firefox10: affected → fixed
status-firefox9: affected → fixed
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical] js-triage-done → [sg:critical][qa-] js-triage-done
status1.9.2: --- → unaffected
(Reporter)

Comment 12

6 years ago
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #11)
> Can someone who is already set up to reproduce this bug please verify the
> fix?

Verified fixed on 64-bit debug and opt builds on Mac 10.6 on m-c changeset bc48009a6bbb.
(Reporter)

Updated

6 years ago
Status: RESOLVED → VERIFIED
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+