Closed
Bug 718347
Opened 13 years ago
Closed 13 years ago
Assertion failure: retval == !isDummyFrame(), at ../../vm/Stack.h:445 or Crash [@ js::gc::Cell::compartment]
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla12
Flag | Tracking | Status
---|---|---
firefox10 | --- | unaffected
firefox11 | --- | unaffected
firefox12 | --- | fixed
firefox-esr10 | --- | unaffected
status1.9.2 | --- | unaffected
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(4 keywords, Whiteboard: [sg:critical] js-triage-needed)
Attachments (1 file)
patch, 717 bytes | dvander: review+
The following test asserts on mozilla-central revision 49afabda6701 (options -m -a -n):
this.__proto__ = newGlobal('new-compartment');
eval("(toLocaleString)();");
Stepping through the assert triggers more asserts and a crash:
(gdb) run
Starting program: /srv/repos/mozilla-central/js/src/debug32/js -m -a -n min.js
[Thread debugging using libthread_db enabled]
Assertion failure: retval == !isDummyFrame(), at ../../vm/Stack.h:445
Program received signal SIGABRT, Aborted.
Assertion failure: isScriptFrame(), at ../../vm/Stack.h:579
Program received signal SIGABRT, Aborted.
Assertion failure: addr % Cell::CellSize == 0, at ../../jsgc.h:828
Program received signal SIGABRT, Aborted.
Assertion failure: Chunk::withinArenasRange(addr), at ../../jsgc.h:829
Program received signal SIGABRT, Aborted.
Program received signal SIGSEGV, Segmentation fault.
0x080599d7 in js::gc::Cell::compartment (this=0xffffff82) at ../../jsgc.h:954
954 return arenaHeader()->compartment;
(gdb) bt
#0 0x080599d7 in js::gc::Cell::compartment (this=0xffffff82) at ../../jsgc.h:954
#1 0x080a48eb in js::ContextStack::currentScript (this=0x85595c8, ppc=0xffffba9c) at /srv/repos/mozilla-central/js/src/vm/Stack-inl.h:676
#2 0x081651be in js_InferFlags (cx=0x8559588, defaultFlags=0) at /srv/repos/mozilla-central/js/src/jsobj.cpp:3293
#3 0x0816a417 in CallResolveOp (cx=0x8559588, start=0xf7410040, obj=..., id=..., flags=65535, objp=0xffffbc18, propp=0xffffbc14, recursedp=0xffffbbaf)
at /srv/repos/mozilla-central/js/src/jsobj.cpp:4963
#4 0x0816a858 in LookupPropertyWithFlagsInline (cx=0x8559588, obj=0xf7410040, id=..., flags=65535, objp=0xffffbc18, propp=0xffffbc14)
at /srv/repos/mozilla-central/js/src/jsobj.cpp:5023
#5 0x0816b6d6 in js_GetPropertyHelperInline (cx=0x8559588, obj=0xf7410040, receiver=0xf7415040, id=..., getHow=0, vp=0xf76ea0b8)
at /srv/repos/mozilla-central/js/src/jsobj.cpp:5385
#6 0x0816bb72 in js_GetProperty (cx=0x8559588, obj=0xf7410040, receiver=0xf7415040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5478
#7 0x0805c5cf in JSObject::getGeneric (this=0xf7410040, cx=0x8559588, receiver=0xf7415040, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:209
#8 0x0820c707 in js::Wrapper::get (this=0x853510c, cx=0x8559588, wrapper=0xf7408400, receiver=0xf7415040, id=..., vp=0xf76ea0b8)
at /srv/repos/mozilla-central/js/src/jswrapper.cpp:230
#9 0x0820e105 in js::CrossCompartmentWrapper::get (this=0x853510c, cx=0x8559588, wrapper=0xf7408400, receiver=0xf7415040, id=..., vp=0xf76ea0b8)
at /srv/repos/mozilla-central/js/src/jswrapper.cpp:597
#10 0x081a2311 in js::Proxy::get (cx=0x8559588, proxy=0xf7408400, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsproxy.cpp:837
#11 0x0816ba21 in js_GetPropertyHelperInline (cx=0x8559588, obj=0xf7403040, receiver=0xf7403040, id=..., getHow=0, vp=0xf76ea0b8)
at /srv/repos/mozilla-central/js/src/jsobj.cpp:5452
#12 0x0816bb72 in js_GetProperty (cx=0x8559588, obj=0xf7403040, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5478
#13 0x0805c5cf in JSObject::getGeneric (this=0xf7403040, cx=0x8559588, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:209
#14 0x0805c613 in JSObject::getGeneric (this=0xf7403040, cx=0x8559588, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:224
#15 0x0814961a in js::NameOperation (cx=0x8559588, pc=0x8563710 <incomplete sequence \323>, vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsinterpinlines.h:421
#16 0x08396049 in js::mjit::stubs::Name (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:129
#17 0x0833b48c in js::mjit::ic::GetGlobalName (f=..., ic=0x8563a54) at /srv/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:107
#18 0xf73ce4f2 in ?? ()
#19 0x08525ff4 in ?? ()
Comment 1•13 years ago
decoder: crash-stats needs that extra space in the trailing " ]" to match signatures. Not that it can on hidden bugs, but eventually.
Crash Signature: [@ js::gc::Cell::compartment] → [@ js::gc::Cell::compartment ]
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
Updated•13 years ago
status-firefox12:
--- → affected
Comment 2•13 years ago
> decoder: crash-stats needs that extra space in the trailing " ]" to match
Apparently it does not.
Comment 3•13 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 83898:78d17e22a223
parent: 83892:0ac1cbff2a67
user: Brian Hackett
date: Thu Jan 05 11:08:38 2012 -0800
summary: Remove JOF_CALLOP, bug 712714. r=dvander
Updated•13 years ago
Assignee: general → bhackett1024
status1.9.2:
--- → unaffected
status-firefox10:
--- → unaffected
status-firefox11:
--- → unaffected
Keywords: regression
Assignee
Comment 5•13 years ago
The NameOperation stub used a vp pointing directly to the result of the operation, which was above the stack pointer. When doing the name lookup crossed compartment boundaries, a dummy frame was pushed, which was being stomped on by writes to the vp.
Attachment #590214 -
Flags: review?(dvander)
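As an added illustration of the ordering problem described in comment 5 (a constructed model, not SpiderMonkey's code and not the attached patch): a flat slot array stands in for the interpreter stack, a two-slot dummy frame stands in for the frame pushed during a cross-compartment lookup, and the two functions contrast storing through a vp that points above sp while that frame is live with holding the result in a local until the frame is popped. The slot layout, canary and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of an interpreter stack: a flat array of value slots,
 * with sp indexing the first free slot. Not SpiderMonkey's real layout. */
#define STACK_SLOTS 16
#define DUMMY_CANARY 0x5A5AA5A5u
typedef struct { uint32_t slots[STACK_SLOTS]; uint32_t sp; } VmStack;
static void vm_init(VmStack *st, uint32_t sp) { memset(st, 0, sizeof *st); st->sp = sp; }
/* A cross-compartment lookup pushes a two-slot "dummy frame" at sp:
 * slot 0 holds a canary we can check, slot 1 saves the previous sp. */
static uint32_t push_dummy(VmStack *st) {
    uint32_t at = st->sp;
    st->slots[at] = DUMMY_CANARY;
    st->slots[at + 1] = st->sp;
    st->sp += 2;
    return at;
}
static void pop_dummy(VmStack *st, uint32_t at) { st->sp = st->slots[at + 1]; }

/* Buggy ordering: vp points at the result slot just above sp, the lookup
 * pushes the dummy frame over that very slot, and the store through vp
 * overwrites the frame. Returns 1 if the canary survived, else 0. */
static int name_op_buggy(VmStack *st, uint32_t value) {
    uint32_t *vp = &st->slots[st->sp];
    uint32_t at = push_dummy(st);
    *vp = value;                                 /* stomps slots[at] */
    int intact = st->slots[at] == DUMMY_CANARY;
    pop_dummy(st, at);
    return intact;
}

/* Fixed ordering: keep the result in a local while the dummy frame is live
 * and store it into the result slot only after the frame has been popped. */
static int name_op_fixed(VmStack *st, uint32_t value) {
    uint32_t at = push_dummy(st);
    uint32_t rval = value;
    int intact = st->slots[at] == DUMMY_CANARY;
    pop_dummy(st, at);
    st->slots[st->sp] = rval;
    return intact;
}

int main(void) {
    VmStack st;
    vm_init(&st, 4);
    printf("buggy canary intact: %d\n", name_op_buggy(&st, 42));
    printf("fixed canary intact: %d\n", name_op_fixed(&st, 42));
    return 0;
}
```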
Updated•13 years ago
Attachment #590214 -
Flags: review?(dvander) → review+
Assignee
Comment 6•13 years ago
Comment 7•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Updated•13 years ago
Updated•13 years ago
status-firefox-esr10:
--- → unaffected
Reporter
Updated•13 years ago
Status: RESOLVED → VERIFIED
Updated•13 years ago
Group: core-security
Reporter
Comment 8•12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+