Closed
Bug 737388
Opened 12 years ago
Closed 12 years ago
Crash [@ JSString::isAtom] or Opt-Crash [@ JSCompartment::wrap]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla14
Tracking | Status | |
---|---|---|
firefox11 | --- | unaffected |
firefox12 | --- | unaffected |
firefox13 | --- | unaffected |
firefox14 | --- | unaffected |
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: luke)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] js-triage-done)
Crash Data
Attachments
(1 file)
1.98 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test crashes on mozilla-central revision 58a2cd0203ee (options -m -n): function toPrinted(value) { if (typeof value == "xml") value = value.toXMLString(); } function reportCompare (expected, actual, description) { if (typeof description == "undefined") description = ''; "', Actual value '" + toPrinted(actual) + "' "; } var UBound = 0; var actualvalues = []; var expect= ''; var expectedvalues = []; addThis(); test(); function addThis() { expectedvalues[UBound] = expect; UBound++; } function test() { for (var i=(0); i<UBound; i++) reportCompare(expectedvalues[i], actualvalues[i], (arguments)[i]); void Number.NEGATIVE_INFINITY || -1, test(); } Crash Trace: ==13246== Invalid read of size 8 ==13246== at 0x422C48: JSString::isAtom() const (String.h:381) ==13246== by 0x4255D5: js::CompartmentChecker::check(JSString*) (jscntxtinlines.h:184) ==13246== by 0x42566B: js::CompartmentChecker::check(JS::Value const&) (jscntxtinlines.h:192) ==13246== by 0x445F44: void js::assertSameCompartment<JS::Value>(JSContext*, JS::Value) (jscntxtinlines.h:254) ==13246== by 0x509D79: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2992) ==13246== by 0x4FB710: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:469) ==13246== by 0x4FC254: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:667) ==13246== by 0x4FC462: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:709) ==13246== by 0x441C92: JS_ExecuteScript (jsapi.cpp:5232) ==13246== by 0x408A0B: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:478) ==13246== by 0x412FF8: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4736) ==13246== by 0x413270: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4819) ==13246== Address 0x2 is not stack'd, malloc'd or (recently) free'd Opt crash trace: ==11287== Invalid read of size 8 ==11287== at 0x437C17: JSCompartment::wrap(JSContext*, JS::Value*) (jscompartment.cpp:183) ==11287== by 0x44B7DE: AppendWrappedArg::operator()(unsigned int, JS::Value*) (jsexn.cpp:324) ==11287== by 0x44BF43: InitExnPrivate(JSContext*, JSObject*, JSString*, JSString*, unsigned int, JSErrorReport*, int) (Stack-inl.h:227) ==11287== by 0x44C369: js_ErrorToException(JSContext*, char const*, JSErrorReport*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*) (jsexn.cpp:1179) ==11287== by 0x433CB3: ReportError(JSContext*, char const*, JSErrorReport*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*) (jscntxt.cpp:339) ==11287== by 0x434EC7: js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, int, __va_list_tag*) (jscntxt.cpp:723) ==11287== by 0x41A184: JS_ReportErrorNumber (jsapi.cpp:6111) ==11287== by 0x5EF8CC: js::mjit::stubs::HitStackQuota(js::VMFrame&) (InvokeHelpers.cpp:203) ==11287== by 0x403CCAA: ??? ==11287== by 0x573E5B: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1052) ==11287== by 0x573FA2: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1111) ==11287== by 0x47EE8D: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2730) ==11287== Address 0x0 is not stack'd, malloc'd or (recently) free'd
I added a print(description) statement to the top of reportCompare and then was able to bisect it to this: changeset: 89455:d2107141265f user: Luke Wagner <luke@mozilla.com> date: Tue Jan 17 16:35:12 2012 -0800 summary: Bug 730497 - create arguments object eagerly (r=bhackett) I tried the patch in bug 737575, but it didn't fix the problem. It seems like when we access arguments[i] in the JIT, we're getting the value 2 tagged as a string. Marking s-s just in case.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
Assignee | ||
Comment 2•12 years ago
|
||
Arg, I removed this https://hg.mozilla.org/mozilla-central/rev/85bef04d1258#l14.31 in the eager args earlier when I had a slightly different approach and then forgot to put it back. Brian: I don't see why being heavyweight or having an argsobj would force fp->u.numActual to be valid, so, the patch initializes fp->u.numActual in both cases. Do you know of any good reasons?
Comment 3•12 years ago
|
||
Comment on attachment 607878 [details] [diff] [review] fix and test That code was going back to when the fp's union could store either nactual or the args obj pointer itself. If the function is heavyweight then it has an args obj and that pointer should not have been scribbled over by the prologue. Optimization of arguments accesses for the script would have been avoided in such cases anyways, as it was disabled for any script which args objs have been created for.
Attachment #607878 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 4•12 years ago
|
||
Ah, you're right about the argsobj + the old frame union. Heavyweightness never forced an arguments object so I think your second explanation (that the optimization was off for heavyweight functions) would be the reason.
Assignee | ||
Comment 5•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9ed51dce1e43
Target Milestone: --- → mozilla14
Comment 6•12 years ago
|
||
Looks like we should get this fixed on beta and aurora, but don't need it in Firefox 11 or earlier.
Blocks: 730497
status-firefox-esr10:
--- → unaffected
status-firefox11:
--- → unaffected
status-firefox12:
--- → affected
status-firefox13:
--- → affected
status-firefox14:
--- → affected
tracking-firefox12:
--- → +
tracking-firefox13:
--- → +
tracking-firefox14:
--- → +
Keywords: regression
Whiteboard: js-triage-done → [sg:critical] js-triage-done
Assignee | ||
Comment 7•12 years ago
|
||
The bug is only on m-c.
Assignee | ||
Comment 10•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9ed51dce1e43
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•