718347 - Assertion failure: retval == !isDummyFrame(), at ../../vm/Stack.h:445 or Crash [@ js::gc::Cell::compartment]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test asserts on mozilla-central revision 49afabda6701 (options -m -a -n):


this.__proto__ = newGlobal('new-compartment'); 
eval("(toLocaleString)();");


Stepping through the assert triggers more asserts and a crash:

(gdb) run
Starting program: /srv/repos/mozilla-central/js/src/debug32/js -m -a -n min.js
[Thread debugging using libthread_db enabled]
Assertion failure: retval == !isDummyFrame(), at ../../vm/Stack.h:445

Program received signal SIGABRT, Aborted.
Assertion failure: isScriptFrame(), at ../../vm/Stack.h:579

Program received signal SIGABRT, Aborted.
Assertion failure: addr % Cell::CellSize == 0, at ../../jsgc.h:828

Program received signal SIGABRT, Aborted.
Assertion failure: Chunk::withinArenasRange(addr), at ../../jsgc.h:829

Program received signal SIGABRT, Aborted.

Program received signal SIGSEGV, Segmentation fault.
0x080599d7 in js::gc::Cell::compartment (this=0xffffff82) at ../../jsgc.h:954
954         return arenaHeader()->compartment;
(gdb) bt
#0  0x080599d7 in js::gc::Cell::compartment (this=0xffffff82) at ../../jsgc.h:954
#1  0x080a48eb in js::ContextStack::currentScript (this=0x85595c8, ppc=0xffffba9c) at /srv/repos/mozilla-central/js/src/vm/Stack-inl.h:676
#2  0x081651be in js_InferFlags (cx=0x8559588, defaultFlags=0) at /srv/repos/mozilla-central/js/src/jsobj.cpp:3293
#3  0x0816a417 in CallResolveOp (cx=0x8559588, start=0xf7410040, obj=..., id=..., flags=65535, objp=0xffffbc18, propp=0xffffbc14, recursedp=0xffffbbaf)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:4963
#4  0x0816a858 in LookupPropertyWithFlagsInline (cx=0x8559588, obj=0xf7410040, id=..., flags=65535, objp=0xffffbc18, propp=0xffffbc14)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:5023
#5  0x0816b6d6 in js_GetPropertyHelperInline (cx=0x8559588, obj=0xf7410040, receiver=0xf7415040, id=..., getHow=0, vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:5385
#6  0x0816bb72 in js_GetProperty (cx=0x8559588, obj=0xf7410040, receiver=0xf7415040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5478
#7  0x0805c5cf in JSObject::getGeneric (this=0xf7410040, cx=0x8559588, receiver=0xf7415040, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:209
#8  0x0820c707 in js::Wrapper::get (this=0x853510c, cx=0x8559588, wrapper=0xf7408400, receiver=0xf7415040, id=..., vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jswrapper.cpp:230
#9  0x0820e105 in js::CrossCompartmentWrapper::get (this=0x853510c, cx=0x8559588, wrapper=0xf7408400, receiver=0xf7415040, id=..., vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jswrapper.cpp:597
#10 0x081a2311 in js::Proxy::get (cx=0x8559588, proxy=0xf7408400, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsproxy.cpp:837
#11 0x0816ba21 in js_GetPropertyHelperInline (cx=0x8559588, obj=0xf7403040, receiver=0xf7403040, id=..., getHow=0, vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:5452
#12 0x0816bb72 in js_GetProperty (cx=0x8559588, obj=0xf7403040, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5478
#13 0x0805c5cf in JSObject::getGeneric (this=0xf7403040, cx=0x8559588, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:209
#14 0x0805c613 in JSObject::getGeneric (this=0xf7403040, cx=0x8559588, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:224
#15 0x0814961a in js::NameOperation (cx=0x8559588, pc=0x8563710  <incomplete sequence \323>, vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsinterpinlines.h:421
#16 0x08396049 in js::mjit::stubs::Name (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:129
#17 0x0833b48c in js::mjit::ic::GetGlobalName (f=..., ic=0x8563a54) at /srv/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:107
#18 0xf73ce4f2 in ?? ()
#19 0x08525ff4 in ?? ()

Comment 1

[Daniel Veditz [:dveditz]]

decoder: crash-stats needs that extra space in the trailing " ]" to match signatures. Not that it can on hidden bugs, but eventually.

Comment 2

[Daniel Veditz [:dveditz]]

> decoder: crash-stats needs that extra space in the trailing " ]" to match

Apparently it does not.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   83898:78d17e22a223
parent:      83892:0ac1cbff2a67
user:        Brian Hackett
date:        Thu Jan 05 11:08:38 2012 -0800
summary:     Remove JOF_CALLOP, bug 712714. r=dvander

Comment 5

[Brian Hackett [Laid off!]]

Attachment: patch

The NameOperation stub used a vp pointing directly to the result of the operation, which was above the stack pointer.  When doing the name lookup crossed compartment boundaries a dummy frame was pushed which was being stomped on by writes to the vp.

Comment 6

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/7afd96e2977e

Comment 7

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/7afd96e2977e

Comment 8

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929