Union type can hold a nsresult or a pointer. What could go wrong?

RESOLVED INVALID

Status

()

Core
JavaScript Engine
RESOLVED INVALID
5 years ago
5 years ago

People

(Reporter: bjacob, Unassigned)

Tracking

Trunk
ARM
Gonk (Firefox OS)
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Program received signal SIGSEGV, Segmentation fault.
0x428c0a40 in JS_NewStringCopyZ (cx=0x40440100, s=0x80004002 <Address 0x80004002 out of bounds>) at /hack/mozilla-graphics/js/src/jsapi.cpp:5900
5900        if (!s || !*s)
(gdb) p s
$1 = 0x80004002 <Address 0x80004002 out of bounds>
(gdb) bt

#0  0x428c0a40 in JS_NewStringCopyZ (cx=0x40440100, s=0x80004002 <Address 0x80004002 out of bounds>) at /hack/mozilla-graphics/js/src/jsapi.cpp:5900
#1  0x41a21942 in XPCConvert::NativeData2JS (lccx=..., d=0xbef95ab8, s=0xbef95b58, type=..., iid=0xbef95a80, pErr=0xbef95a7c)
    at /hack/mozilla-graphics/js/xpconnect/src/XPCConvert.cpp:221
#2  0x41a21226 in XPCConvert::NativeData2JS (ccx=..., d=0xbef95ab8, s=0xbef95b58, type=..., iid=0xbef95a80, pErr=0xbef95a7c)
    at /hack/mozilla-graphics/js/xpconnect/src/xpcprivate.h:3301
#3  0x41a591fe in CallMethodHelper::GatherAndConvertResults (this=0xbef95b30) at /hack/mozilla-graphics/js/xpconnect/src/XPCWrappedNative.cpp:2620
#4  0x41a5896c in CallMethodHelper::Call (this=0xbef95b30) at /hack/mozilla-graphics/js/xpconnect/src/XPCWrappedNative.cpp:2431
#5  0x41a587cc in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_GETTER) at /hack/mozilla-graphics/js/xpconnect/src/XPCWrappedNative.cpp:2384
#6  0x41a5f1ca in XPCWrappedNative::GetAttribute (ccx=...) at /hack/mozilla-graphics/js/xpconnect/src/xpcprivate.h:2811
#7  0x41a636d2 in XPC_WN_GetterSetter (cx=0x40440100, argc=0, vp=0x44e00018) at /hack/mozilla-graphics/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1536
#8  0x42966972 in js::CallJSNative (cx=0x40440100, native=0x41a634ad <XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /hack/mozilla-graphics/js/src/jscntxtinlines.h:353
#9  0x4296e98a in js::InvokeKernel (cx=0x40440100, args=..., construct=js::NO_CONSTRUCT) at /hack/mozilla-graphics/js/src/jsinterp.cpp:390
#10 0x428cbd18 in js::Invoke (cx=0x40440100, args=..., construct=js::NO_CONSTRUCT) at /hack/mozilla-graphics/js/src/jsinterp.h:131
#11 0x4296ec5e in js::Invoke (cx=0x40440100, thisv=..., fval=..., argc=0, argv=0x0, rval=0xbef96070) at /hack/mozilla-graphics/js/src/jsinterp.cpp:437
#12 0x4296f052 in js::InvokeGetterOrSetter (cx=0x40440100, obj=0x4571a100, fval=..., argc=0, argv=0x0, rval=0xbef96070) at /hack/mozilla-graphics/js/src/jsinterp.cpp:510
#13 0x4299551e in js::Shape::get (this=0x45718da8, cx=0x40440100, receiver=..., obj=0x4571a100, pobj=0x4571a0e0, vp=...) at /hack/mozilla-graphics/js/src/vm/Shape-inl.h:292
#14 0x429a9526 in NativeGetInline<(js::AllowGC)1> (cx=0x40440100, obj=..., receiver=..., pobj=..., shape=..., getHow=0, vp=...) at /hack/mozilla-graphics/js/src/jsobj.cpp:3675
#15 0x429a9c2c in GetPropertyHelperInline<(js::AllowGC)1> (cx=0x40440100, obj=..., receiver=..., id=..., getHow=0, vp=...) at /hack/mozilla-graphics/js/src/jsobj.cpp:3853
#16 0x429a29b0 in js::baseops::GetProperty (cx=0x40440100, obj=..., receiver=..., id=..., vp=...) at /hack/mozilla-graphics/js/src/jsobj.cpp:3869
#17 0x42895cc6 in JSObject::getGeneric (cx=0x40440100, obj=..., receiver=..., id=..., vp=...) at /hack/mozilla-graphics/js/src/jsobjinlines.h:174
#18 0x428ba34a in JS_ForwardGetPropertyTo (cx=0x40440100, objArg=0x4571a100, idArg=..., onBehalfOfArg=0x4571a100, vp=0xbef961a0) at /hack/mozilla-graphics/js/src/jsapi.cpp:4186
#19 0x428ba1e2 in JS_GetPropertyById (cx=0x40440100, objArg=0x4571a100, idArg=..., vp=0xbef961a0) at /hack/mozilla-graphics/js/src/jsapi.cpp:4169
#20 0x428ba8fe in JS_GetProperty (cx=0x40440100, objArg=0x4571a100, name=0x43516dd0 "name", vp=0xbef961a0) at /hack/mozilla-graphics/js/src/jsapi.cpp:4257
#21 0x4291a8c6 in js_ReportUncaughtException (cx=0x40440100) at /hack/mozilla-graphics/js/src/jsexn.cpp:1057
#22 0x428bdde2 in ~AutoLastFrameCheck (this=0xbef962fc, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/js/src/jsapi.cpp:5107
#23 0x428c028c in JS_CallFunction (cx=0x40440100, objArg=0x4571b030, fun=0x4571c700, argc=0, argv=0x0, rval=0xbef96448) at /hack/mozilla-graphics/js/src/jsapi.cpp:5737
#24 0x41abbec8 in mozJSComponentLoader::ObjectForLocation (this=0x40422300, aComponentFile=0x4041c7d0, aURI=0x44de2370, aObject=0x44de2840, aLocation=0x44de2844, exception=0x0)
    at /hack/mozilla-graphics/js/xpconnect/loader/mozJSComponentLoader.cpp:1114
#25 0x41ab9a7e in mozJSComponentLoader::LoadModule (this=0x40422300, aFile=...) at /hack/mozilla-graphics/js/xpconnect/loader/mozJSComponentLoader.cpp:540
#26 0x422681ce in nsComponentManagerImpl::KnownModule::Load (this=0x404a3800) at /hack/mozilla-graphics/xpcom/components/nsComponentManager.cpp:698
#27 0x4226a6b6 in nsFactoryEntry::GetFactory (this=0x404fd4d0) at /hack/mozilla-graphics/xpcom/components/nsComponentManager.cpp:1748
#28 0x42268d7a in nsComponentManagerImpl::CreateInstanceByContractID (this=0x40440200, aContractID=0x40495040 "@mozilla.org/browser/directory-provider;1", aDelegate=0x0, 
    aIID=..., aResult=0xbef96714) at /hack/mozilla-graphics/xpcom/components/nsComponentManager.cpp:1030
#29 0x42269a44 in nsComponentManagerImpl::GetServiceByContractID (this=0x40440200, aContractID=0x40495040 "@mozilla.org/browser/directory-provider;1", aIID=..., 
    result=0xbef967b4) at /hack/mozilla-graphics/xpcom/components/nsComponentManager.cpp:1426
#30 0x4220b444 in CallGetService (aContractID=0x40495040 "@mozilla.org/browser/directory-provider;1", aIID=..., aResult=0xbef967b4)
    at /hack/b2g/B2G/objdir-gecko/xpcom/build/nsComponentManagerUtils.cpp:62
#31 0x4220b90a in nsGetServiceByContractID::operator() (this=0xbef967a8, aIID=..., aInstancePtr=0xbef967b4)
    at /hack/b2g/B2G/objdir-gecko/xpcom/build/nsComponentManagerUtils.cpp:246
#32 0x40b5a626 in nsCOMPtr<nsIAppStartup>::assign_from_gs_contractid (this=0xbef9682c, gs=..., aIID=...) at ../../dist/include/nsCOMPtr.h:1203
#33 0x4224a78c in nsCOMPtr (this=0xbef9682c, gs=...) at ../../dist/include/nsCOMPtr.h:588
#34 0x42249d80 in nsDirectoryService::RegisterCategoryProviders (this=0x40408fb0) at /hack/mozilla-graphics/xpcom/io/nsDirectoryService.cpp:501
#35 0x4221af84 in NS_InitXPCOM2_P (result=0x404060b4, binDirectory=0x4041c230, appFileLocationProvider=0xbef969ac) at /hack/mozilla-graphics/xpcom/build/nsXPComInit.cpp:464
#36 0x40b51684 in ScopedXPCOMStartup::Initialize (this=0x404060b4) at /hack/mozilla-graphics/toolkit/xre/nsAppRunner.cpp:1185
#37 0x40b58d92 in XREMain::XRE_main (this=0xbef96990, argc=1, argv=0xbef98ba4, aAppData=0x37174) at /hack/mozilla-graphics/toolkit/xre/nsAppRunner.cpp:3886
#38 0x40b58fce in XRE_main (argc=1, argv=0xbef98ba4, aAppData=0x37174, aFlags=0) at /hack/mozilla-graphics/toolkit/xre/nsAppRunner.cpp:4093
#39 0x00009e70 in do_main (argc=1, argv=0xbef98ba4) at /hack/mozilla-graphics/b2g/app/nsBrowserApp.cpp:164
#40 0x0000a124 in main (argc=1, argv=0xbef98ba4) at /hack/mozilla-graphics/b2g/app/nsBrowserApp.cpp:249



Things start looking interesting in this frame:

(gdb) frame
#3  0x41a591fe in CallMethodHelper::GatherAndConvertResults (this=0xbef95b30) at /hack/mozilla-graphics/js/xpconnect/src/XPCWrappedNative.cpp:2620

(gdb) p &(dp->val)
$8 = (nsXPTCMiniVariant::<anonymous union> *) 0xbef95b58
(gdb) p dp->val
$7 = {i8 = 2 '\002', i16 = 16386, i32 = -2147467262, i64 = -4685613467279802366, u8 = 2 '\002', u16 = 16386, u32 = 2147500034, u64 = 13761130606429749250, f = -2.29616766e-41, 
  d = -2.418226358719134e-05, b = 2, c = 2 '\002', wc = 16386, p = 0x80004002, j = {data = {asBits = 13761130606429749250, s = {payload = {i32 = -2147467262, u32 = 2147500034, 
          boo = -2147467262, str = 0x80004002, obj = 0x80004002, ptr = 0x80004002, why = 2147500034, word = 2147500034, uintptr = 2147500034}, tag = -1090954400}, 
      asDouble = -2.418226358719134e-05, asPtr = 0x80004002}}}

Comment 1

5 years ago
Maybe I'm dumb, but what's the punch line here?  I'm missing exactly what the bug's supposed to be in the starts-to-look-interesting part.
That union's value is NS_ERROR_NO_INTERFACE but presumably something thinks it's got some other value type, leading to the crash.

Benoit, do you have steps to reproduce?  What C++ method was being called in this case?

This doesn't seem like a JS engine bug, at first glance: either an XPConnect bug or more likely a bug in the C++ method that was called...
(Reporter)

Comment 3

5 years ago
Sorry, that was caused by a local debugging patch appending a virtual method at the end of nsISupports' vtable.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.