Assertion failure: retval == !isDummyFrame(), at ../../vm/Stack.h:445 or Crash [@ js::gc::Cell::compartment]

VERIFIED FIXED in Firefox 12

Status: VERIFIED FIXED
Severity: critical
Reported: 7 years ago
Last modified: 6 years ago
People: Reporter decoder, Assigned bhackett

Tracking: Blocks 1 bug, 4 keywords
Version: Trunk
Target Milestone: mozilla12
Keywords: assertion, crash, regression, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox10 unaffected, firefox11 unaffected, firefox12 fixed, firefox-esr10 unaffected, status1.9.2 unaffected

Whiteboard: [sg:critical] js-triage-needed
Crash Signature: [@ js::gc::Cell::compartment ]

Attachments: 1 attachment

Description (Reporter, 7 years ago)
The following test asserts on mozilla-central revision 49afabda6701 (options -m -a -n):

this.__proto__ = newGlobal('new-compartment');
eval("(toLocaleString)();");

Stepping through the assert triggers more asserts and a crash:

(gdb) run
Starting program: /srv/repos/mozilla-central/js/src/debug32/js -m -a -n min.js
[Thread debugging using libthread_db enabled]
Assertion failure: retval == !isDummyFrame(), at ../../vm/Stack.h:445

Program received signal SIGABRT, Aborted.
Assertion failure: isScriptFrame(), at ../../vm/Stack.h:579

Program received signal SIGABRT, Aborted.
Assertion failure: addr % Cell::CellSize == 0, at ../../jsgc.h:828

Program received signal SIGABRT, Aborted.
Assertion failure: Chunk::withinArenasRange(addr), at ../../jsgc.h:829

Program received signal SIGABRT, Aborted.

Program received signal SIGSEGV, Segmentation fault.
0x080599d7 in js::gc::Cell::compartment (this=0xffffff82) at ../../jsgc.h:954
954         return arenaHeader()->compartment;
(gdb) bt
#0  0x080599d7 in js::gc::Cell::compartment (this=0xffffff82) at ../../jsgc.h:954
#1  0x080a48eb in js::ContextStack::currentScript (this=0x85595c8, ppc=0xffffba9c) at /srv/repos/mozilla-central/js/src/vm/Stack-inl.h:676
#2  0x081651be in js_InferFlags (cx=0x8559588, defaultFlags=0) at /srv/repos/mozilla-central/js/src/jsobj.cpp:3293
#3  0x0816a417 in CallResolveOp (cx=0x8559588, start=0xf7410040, obj=..., id=..., flags=65535, objp=0xffffbc18, propp=0xffffbc14, recursedp=0xffffbbaf)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:4963
#4  0x0816a858 in LookupPropertyWithFlagsInline (cx=0x8559588, obj=0xf7410040, id=..., flags=65535, objp=0xffffbc18, propp=0xffffbc14)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:5023
#5  0x0816b6d6 in js_GetPropertyHelperInline (cx=0x8559588, obj=0xf7410040, receiver=0xf7415040, id=..., getHow=0, vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:5385
#6  0x0816bb72 in js_GetProperty (cx=0x8559588, obj=0xf7410040, receiver=0xf7415040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5478
#7  0x0805c5cf in JSObject::getGeneric (this=0xf7410040, cx=0x8559588, receiver=0xf7415040, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:209
#8  0x0820c707 in js::Wrapper::get (this=0x853510c, cx=0x8559588, wrapper=0xf7408400, receiver=0xf7415040, id=..., vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jswrapper.cpp:230
#9  0x0820e105 in js::CrossCompartmentWrapper::get (this=0x853510c, cx=0x8559588, wrapper=0xf7408400, receiver=0xf7415040, id=..., vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jswrapper.cpp:597
#10 0x081a2311 in js::Proxy::get (cx=0x8559588, proxy=0xf7408400, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsproxy.cpp:837
#11 0x0816ba21 in js_GetPropertyHelperInline (cx=0x8559588, obj=0xf7403040, receiver=0xf7403040, id=..., getHow=0, vp=0xf76ea0b8)
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:5452
#12 0x0816bb72 in js_GetProperty (cx=0x8559588, obj=0xf7403040, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5478
#13 0x0805c5cf in JSObject::getGeneric (this=0xf7403040, cx=0x8559588, receiver=0xf7403040, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:209
#14 0x0805c613 in JSObject::getGeneric (this=0xf7403040, cx=0x8559588, id=..., vp=0xf76ea0b8) at ../../jsobjinlines.h:224
#15 0x0814961a in js::NameOperation (cx=0x8559588, pc=0x8563710  <incomplete sequence \323>, vp=0xf76ea0b8) at /srv/repos/mozilla-central/js/src/jsinterpinlines.h:421
#16 0x08396049 in js::mjit::stubs::Name (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:129
#17 0x0833b48c in js::mjit::ic::GetGlobalName (f=..., ic=0x8563a54) at /srv/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:107
#18 0xf73ce4f2 in ?? ()
#19 0x08525ff4 in ?? ()
decoder: crash-stats needs that extra space in the trailing " ]" to match signatures. Not that it can on hidden bugs, but eventually.
Crash Signature: [@ js::gc::Cell::compartment] → [@ js::gc::Cell::compartment ]
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
status-firefox12: --- → affected
> decoder: crash-stats needs that extra space in the trailing " ]" to match

Apparently it does not.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   83898:78d17e22a223
parent:      83892:0ac1cbff2a67
user:        Brian Hackett
date:        Thu Jan 05 11:08:38 2012 -0800
summary:     Remove JOF_CALLOP, bug 712714. r=dvander
Blocks: 712714
OS: Linux → All
Hardware: x86 → All
Assignee: general → bhackett1024
status1.9.2: --- → unaffected
status-firefox10: --- → unaffected
status-firefox11: --- → unaffected
Keywords: regression
Updated (Assignee, 7 years ago)
Duplicate of this bug: 718823
Comment 5 (Assignee, 7 years ago)
Created attachment 590214 (patch)

The NameOperation stub used a vp pointing directly to the result of the operation, which was above the stack pointer. When the name lookup crossed compartment boundaries, a dummy frame was pushed, which was being stomped on by writes to the vp.
Attachment #590214 - Flags: review?(dvander)
Attachment #590214 - Flags: review?(dvander) → review+
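The hazard comment 5 describes, modelled in C as an added example (this is not SpiderMonkey code and not the attached patch): a toy operand stack where the result slot vp sits at sp, above the live operands; a nested cross-compartment lookup pushes a dummy frame over that same slot, so the write through vp clobbers the frame header. The "fixed" variant, which looks up into a local and stores into the slot only after the nested call has popped its frame, is an assumed fix shape, not the actual fix in attachment 590214.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define STACK_WORDS 16
#define DUMMY_FRAME_MAGIC 0xD0D0F00Du   /* constructed marker for a frame header */

typedef struct {
    uint32_t slots[STACK_WORDS];
    size_t sp;                          /* index of the first free slot */
} Stack;

static void init_stack(Stack *s) {
    memset(s, 0, sizeof *s);
    s->sp = 3;                          /* three live operands (constructed) */
}

/* Toy cross-compartment lookup: pushes a dummy frame at sp, writes the
   looked-up value through vp, then checks that the frame header survived
   before popping (the analogue of the retval == !isDummyFrame() assertion).
   Returns 1 if the frame was intact, 0 if it was stomped. */
static int lookup_cross_compartment(Stack *s, uint32_t *vp, uint32_t value) {
    size_t hdr = s->sp;                 /* dummy frame occupies the slot at sp */
    s->slots[hdr] = DUMMY_FRAME_MAGIC;
    s->sp += 1;
    *vp = value;                        /* if vp aliases hdr, this stomps the frame */
    int intact = (s->slots[hdr] == DUMMY_FRAME_MAGIC);
    s->sp -= 1;
    return intact;
}

/* Buggy stub: vp points directly at the result slot, which lives at sp,
   above the live operands. Returns 1 if the dummy frame survived, else 0. */
int name_op_buggy(uint32_t value) {
    Stack s; init_stack(&s);
    uint32_t *vp = &s.slots[s.sp];      /* aliases where the frame will be pushed */
    return lookup_cross_compartment(&s, vp, value);
}

/* Assumed fix shape (hypothetical, not the real patch): look up into a local
   that is not part of the operand stack, and store into the result slot only
   after the nested call has popped its frame. Returns the value left in the
   slot when the frame survived, or 0 when it was corrupted. */
uint32_t name_op_fixed(uint32_t value) {
    Stack s; init_stack(&s);
    uint32_t tmp = 0;
    if (!lookup_cross_compartment(&s, &tmp, value)) return 0;
    s.slots[s.sp] = tmp;
    return s.slots[s.sp];
}
```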

Comment 7 (7 years ago)
https://hg.mozilla.org/mozilla-central/rev/7afd96e2977e
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12

Updated (7 years ago)
status-firefox12: affected → fixed
status-firefox-esr10: --- → unaffected

Updated (Reporter, 7 years ago)
Status: RESOLVED → VERIFIED
Group: core-security

Comment 8 (Reporter, 6 years ago)
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+