Bug 697255 (Closed) Opened 8 years ago, Closed 8 years ago

TM/JM: Crash [@ js_GetProperty] or [@ js::analyze::ScriptAnalysis::maybeCode] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc,"

Categories

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86 macOS
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
mozilla10
Tracking Status
firefox7 - unaffected
firefox8 - unaffected
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: gkw, Assigned: bhackett)

Details

(4 keywords, Whiteboard: [sg:critical][qa-] js-triage-done)

Attachments

(2 files, 1 obsolete file)

Attached file: stack (obsolete)
a = evalcx("lazy");              // js shell helper: a fresh sandbox global with lazily resolved standard classes
b = {};
b.__proto__ = a;                 // put the sandbox global on b's prototype chain
a.__proto__ = String;            // and String behind it, so b + "" walks into objects owned by another global
for (var a = 0; a < 50; a++) {   // `var a` rebinds a as the loop counter; kept as in the fuzzer output
    try {
        b + "";                  // repeated so the JITs (-m / -j) pick the loop up
    } catch (e) {}
}

asserts js debug shell on m-c changeset 6cd262091470 with -m and -j at Assertion failure: script->code <= pc && pc < endpc,

A variant,

o9 = evalcx("lazy");                                   // sandbox global, as in the first testcase
d = {};
d.__proto__ = o9;
o9.__proto__ = String.prototype.__proto__;             // i.e. the main global's Object.prototype
__proto__.__defineGetter__("toString", function() {}); // getter on the main global's prototype, which d now inherits through o9
for (var a = 0; a < 50; a++) {
    try {
        d + "";                                        // triggers the toString lookup across the chain
    } catch (e) {}
}

asserts js debug shell on m-c changeset 6cd262091470 with -m and -j at Assertion failure: offset < script->length, and crashes js opt shell at js_GetProperty

Tested on 32-bit Mac 10.6, setting [sg:critical] because a scary memory address, 0x83000005, is being read.

(Ran autoBisect on the second testcase, not sure if it's correct)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77143:9ca3d16d575c
parent:      77103:06445f55f009
user:        Brian Hackett
date:        Sat Sep 17 19:14:22 2011 -0700
summary:     [INFER] Reapply c2726640029f 3330521cfa4a b68281262e15 (bug 557358), 6a8947bcc821 (bug 684943), 50d4f6fa00ce (bug 683714), f3dd7cf2d0b3 (bug 683999).
Attached file: actual stack
(gdb) x/i $pc
0xc8cf0 <_Z14js_GetPropertyP9JSContextP8JSObjectS2_iPN2JS5ValueE+1040>: orl    $0x4000,(%eax)
(gdb) x/b $eax
0x83000005:     Cannot access memory at address 0x83000005

orl performs a logical or between 0x4000 and eax, which is the weird address 0x83000005.
Attachment #569501 - Attachment is obsolete: true
Blocks: 630996
No longer blocks: 349611
Also crashes Mac 10.6 64-bit m-c tip changeset f2fa4ae74ee1, albeit with -j only, and with js::analyze::ScriptAnalysis::maybeCode at the top of js_GetProperty on the crash stack.
Crash Signature: [@ js_GetProperty] → [@ js_GetProperty] [@ js::analyze::ScriptAnalysis::maybeCode]
Summary: TM/JM: Crash [@ js_GetProperty] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc," → TM/JM: Crash [@ js_GetProperty] or [@ js::analyze::ScriptAnalysis::maybeCode] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc,"
Attached patch: patch
Bug related to imacros.  The pc returned via currentScript could be in an imacro, which confused callers that expected the script/pc to match each other.

autoBisect is wrong, the blamed revision doesn't touch anything around here.
Attachment #569884 - Flags: review?(luke)
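An added illustration of the failure mode described in the comment above: the pc handed out with a script can point into an imacro's separate bytecode buffer, and a caller that turns that pc into `pc - script->code` and indexes a per-offset table with it is exactly what the debug assertions "offset < script->length" and "script->code <= pc && pc < endpc" guard against (the opt shell has no such check and went on to the wild access gkw saw in gdb). This is not SpiderMonkey code and not the landed patch; Script, Imacro, Frame, ScriptAnalysis, the bytecode values and the way the repaired pair maps an imacro pc back to the opcode it implements are all constructed here for the demonstration.

```cpp
// Added illustration (not SpiderMonkey code, not the actual fix) of the
// script/pc mismatch in bug 697255. All types and values below are constructed.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// A script's bytecode. contains() is the `script->code <= pc && pc < endpc`
// assertion expressed as a predicate (uintptr_t so comparing pointers into
// unrelated buffers stays well defined).
struct Script {
    std::vector<uint8_t> code;
    const uint8_t* begin() const { return code.data(); }
    bool contains(const uint8_t* pc) const {
        uintptr_t p = reinterpret_cast<uintptr_t>(pc);
        uintptr_t b = reinterpret_cast<uintptr_t>(begin());
        return p >= b && p < b + code.size();
    }
};

// An imacro: an internal bytecode sequence the tracer (TM) runs on behalf of
// one opcode of the real script. Its pcs live in a separate buffer, so a pc
// taken while an imacro runs does not belong to the script being executed.
struct Imacro {
    std::vector<uint8_t> code;
    const uint8_t* returnPc = nullptr;  // the script opcode this imacro stands in for (assumed field)
};

// Per-offset analysis table, modelled on ScriptAnalysis::maybeCode indexing a
// per-bytecode array by `pc - script->code`.
struct ScriptAnalysis {
    const Script* script;
    std::vector<int> codeArray;
    explicit ScriptAnalysis(const Script* s) : script(s), codeArray(s->code.size(), 0) {}

    // Trusts that `pc` points into `script`, as the crashing callers did.
    // Returns nullptr where the debug shell hit "offset < script->length";
    // the opt shell had no check and kept going with the bogus offset.
    const int* maybeCode(const uint8_t* pc) const {
        uintptr_t offset = reinterpret_cast<uintptr_t>(pc) -
                           reinterpret_cast<uintptr_t>(script->begin());
        if (offset >= codeArray.size())
            return nullptr;
        return &codeArray[offset];
    }
};

struct Frame {
    const Script* script;
    const uint8_t* pc;      // while an imacro runs, this points into imacro->code
    const Imacro* imacro;   // non-null while an imacro is running
};

struct ScriptPc { const Script* script; const uint8_t* pc; };

// Pre-fix behaviour as described in the bug: the outer script is returned
// together with whatever pc the frame is at, even if that pc is in an imacro.
ScriptPc currentScriptBuggy(const Frame& f) {
    return { f.script, f.pc };
}

// Repaired pair: the pc is always inside the script returned with it. Mapping
// an imacro pc back to the opcode it implements is an assumption made for this
// example, not a description of the landed patch.
ScriptPc currentScriptFixed(const Frame& f) {
    if (f.imacro && !f.script->contains(f.pc))
        return { f.script, f.imacro->returnPc };
    assert(f.script->contains(f.pc));
    return { f.script, f.pc };
}

// Stop a frame in the middle of an imacro and ask the analysis about the
// "current" pc. Returns the bytecode offset the lookup landed on, or -1 when
// the pc/script pair was inconsistent and the lookup was refused.
long lookupOffset(ScriptPc (*current)(const Frame&)) {
    Script script;
    script.code = {0x10, 0x11, 0x12, 0x1b, 0x13, 0x14};  // constructed; 0x1b at offset 3 plays the '+' of `b + ""`
    Imacro addImacro;
    addImacro.code = {0x50, 0x51, 0x52, 0x53};           // constructed imacro body
    addImacro.returnPc = script.begin() + 3;

    ScriptAnalysis analysis(&script);
    Frame frame{ &script, addImacro.code.data() + 2, &addImacro };  // stopped mid-imacro

    ScriptPc sp = current(frame);
    const int* entry = analysis.maybeCode(sp.pc);
    if (!entry)
        return -1;
    return static_cast<long>(entry - analysis.codeArray.data());
}

int main() {
    std::printf("buggy currentScript: offset %ld\n", lookupOffset(currentScriptBuggy));  // -1: refused
    std::printf("fixed currentScript: offset %ld\n", lookupOffset(currentScriptFixed));  // 3
    return 0;
}
```

The point of the model is the invariant, not the data structures: whoever returns a (script, pc) pair owns the guarantee that pc lies in [script->code, script->code + length), because every consumer will subtract and index without rechecking. A debug assertion at the consumer catches the break, an opt build does not.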
> autoBisect is wrong, the blamed revision doesn't touch anything around here.

No wonder I had different blamed revs for the 2 testcases..
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-done
Attachment #569884 - Flags: review?(luke) → review+
Is this something that we could take on aurora? And my understanding is that this is TI specific, so 8 and older are unaffected. Please correct me if I'm wrong on that.
Assignee: general → bhackett1024
Comment on attachment 569884 [details] [diff] [review]
patch

currentScript() was added for the TI merge so this should only affect Fx9 and later (though this only manifests with the tracer enabled).
Attachment #569884 - Flags: approval-mozilla-aurora?
emorley merged this to mozilla-central: https://hg.mozilla.org/mozilla-central/rev/9507d7ca0f58

Resolving fixed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Comment on attachment 569884 [details] [diff] [review]
patch

[Triage Comment]
* Approving for Aurora since this is a TI regression in 9
Attachment #569884 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical] js-triage-done → [sg:critical][qa-] js-triage-done
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #11)
> Can someone who is already set up to reproduce this bug please verify the
> fix?

Verified fixed on 64-bit debug and opt builds on Mac 10.6 on m-c changeset bc48009a6bbb.
Status: RESOLVED → VERIFIED
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+