[ObjShrink]: Crash on Heap with Proxy

VERIFIED FIXED in Firefox 11

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Last modified: 5 years ago

People: Reporter: decoder, Assigned: bhackett

Tracking: Blocks: 2 bugs; Keywords: crash, testcase
Version: Other Branch
Target Milestone: mozilla11
Platform: x86_64 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox11 verified, firefox12 verified, firefox13 verified
Whiteboard: [qa!]

Attachments: 1 attachment

Description (Reporter, 6 years ago)
The following testcase crashes on jaegermonkey branch revision a335853be219 (run with -m -n -a), tested on 64 bit:


function TestCase(n, d, e, a)
  this.name=n;
function reportCompare (expected, actual, description) {
  new TestCase
}
reportCompare(true, "isGenerator" in Function, "Function.prototype.isGenerator present");
var p = Proxy.create({
    has : function(id) {}
});
function test() {
    Object.prototype.__proto__=null
    if (new TestCase)
        Object.prototype.__proto__=p
}
test();
new TestCase;
test()

Comment 1 (Reporter, 6 years ago)
Backtrace from GDB:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f5c909 in ?? ()
(gdb) bt
#0  0x00007ffff7f5c909 in ?? ()
#1  0x00007ffff7f5c940 in ?? ()
#2  0x0000000000000001 in ?? ()
#3  0x0000000000000000 in ?? ()
(gdb) x /4i $pc
=> 0x7ffff7f5c909:      cmp    %r11,(%r8)
   0x7ffff7f5c90c:      jne    0x7ffff7f5c937
   0x7ffff7f5c912:      movabs $0xfff9000000000000,%r10
   0x7ffff7f5c91c:      or     %r9,%r10
(gdb) info register r8 r11
r8             0x0      0
r11            0x7ffff6010d30   140737320652080
Comment 2 (Assignee, 6 years ago)
Created attachment 576293 [details] [diff] [review]
patch

Regression from bug 703047.  The ADDPROP IC did not check at all for uncacheable or non-native prototypes on the prototype chain, which earlier could manifest in incorrect behavior but now can cause a NULL deref.

https://hg.mozilla.org/projects/jaegermonkey/rev/fedb520c3f3a
Assignee: general → bhackett1024
Attachment #576293 - Flags: review?(luke)
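An added example, not code from the bug report or from SpiderMonkey, illustrating the semantics comment 2 says the ADDPROP inline cache skipped: when a proxy sits on the prototype chain, adding a property to an object must reach the proxy's traps instead of taking a native-prototype fast path. It assumes a current ES2015+ engine (the testcase's Proxy.create API is gone and Object.prototype.__proto__ can no longer be reassigned, so an intermediate object carries the proxy); buildChain, addPropertyWithProxyOnChain and addPropertyNativeOnly are names chosen here.

```javascript
// Added example, not part of the bug report or SpiderMonkey: the testcase above
// uses the pre-ES2015 Proxy.create API and rewrites Object.prototype.__proto__,
// which current engines refuse, so an intermediate object carries the proxy here.
'use strict';

// Build receiver -> nativeProto -> proxyProto. Every trap hit is appended to log.
function buildChain(log) {
  const proxyProto = new Proxy(Object.create(null), {
    // [[Set]] for a property missing on the receiver and on nativeProto reaches
    // this trap; a fast path that assumed native prototypes would never call it.
    set(target, key, value, receiver) {
      log.push(`set:${String(key)}`);
      // Ordinary semantics: create the property on the receiver, not the proxy.
      return Reflect.defineProperty(receiver, key,
        { value, writable: true, enumerable: true, configurable: true });
    },
    // `in` also walks the chain and consults the proxy (the testcase's has trap).
    has(target, key) {
      log.push(`has:${String(key)}`);
      return false;
    },
  });
  const nativeProto = Object.create(proxyProto); // ordinary object in between
  return Object.create(nativeProto);
}

// Adding a property to an object whose chain holds a proxy: both traps fire once.
function addPropertyWithProxyOnChain() {
  const log = [];
  const obj = buildChain(log);
  const seenBefore = 'name' in obj;   // walks to the proxy -> has trap
  obj.name = 'x';                     // property add -> set trap
  obj.name = 'y';                     // now an own property: proxy not consulted
  const seenAfter = 'name' in obj;    // answered by the own property, no trap
  return {
    log, seenBefore, seenAfter, value: obj.name,
    own: Object.prototype.hasOwnProperty.call(obj, 'name'),
  };
}

// Same operations on a purely native chain: nothing on the chain can intervene,
// which is the only situation a native-only property-add fast path covers.
function addPropertyNativeOnly() {
  const obj = Object.create(Object.create(null));
  obj.name = 'x';
  return { own: Object.prototype.hasOwnProperty.call(obj, 'name'), value: obj.name };
}
```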

Updated (6 years ago)
Attachment #576293 - Flags: review?(luke) → review+
In November 2011,

This landed on mozilla-inbound:

hg.mozilla.org/integration/mozilla-inbound/rev/fedb520c3f3a

and mozilla-central:

http://hg.mozilla.org/mozilla-central/rev/fedb520c3f3a

which should be Firefox 11 in the nightlies.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox11: --- → fixed
status-firefox12: --- → fixed
status-firefox13: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
Whiteboard: [qa+]
Ubuntu 11.04 64bit

I built jaegermonkey for the latest beta build (rev d46a4577a631) and ran the test from comment #: no crash occurred.

Marking verified for Firefox 11.
status-firefox11: fixed → verified
status-firefox12: fixed → verified
Ubuntu 11.04 64bit

I built jaegermonkey for the latest beta build (rev 4027017bbaba) and ran the test from comment #: no crash occurred.

Marking verified for Firefox 12.
Ubuntu 11.10 64bit

I built jaegermonkey for the latest beta review (64ffbdd90ac0) and ran the test from the bug description: no crash occurred.

Marking verified for Firefox 13.
Status: RESOLVED → VERIFIED
status-firefox13: fixed → verified
Whiteboard: [qa+] → [qa!]
Comment 7 (Reporter, 5 years ago)
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug704138.js.
Flags: in-testsuite+