Closed Bug 930974 Opened 11 years ago Closed 11 years ago

Assertion failure: args[0].isObject(), at builtin/TypedObject.cpp:2401 or Crash [@ js::ObjectIsTypedHandle]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox26 --- disabled
firefox27 --- disabled
firefox28 + fixed
firefox-esr17 --- unaffected
firefox-esr24 --- disabled
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- disabled

People

(Reporter: decoder, Assigned: nmatsakis)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files, 2 obsolete files)

Bug930974.diff
2.34 KB, patch
till
: review+
Details | Diff | Splinter Review
[crash-signature] Machine-readable crash signature
886 bytes, text/plain
Details 
The following testcase asserts on mozilla-central revision 5a9ac6fed6ff (run with --fuzzing-safe):


var T = TypedObject;
var Point = new T.ArrayType(T.float32, 3);
var Line = new T.StructType({from: Point, to: Point});
var Lines = new T.ArrayType(Line, 3);
var lines = new Lines([
      {from: [1, 2, 3], to: [4, 5, 6]},
      {from: [7, 8, 9], to: [10, 11, 12]},
      {from: [13, 14, 15], to: [16, 17, 18]}
]);
T.Handle.move() ;
Crash Signature: [@ js::ObjectIsTypedHandle]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]

        Attachment #822274 -
        Attachment is obsolete: true

    
    

    
  
Calling this sec-critical now because passing in an address as the first parameter to move causes that to be used in a class pointer (I don't know how you manage to do that^^):


var T = TypedObject;
var Point = new T.ArrayType(T.float32, 3);
var Line = new T.StructType({from: Point, to: Point});
var Lines = new T.ArrayType(Line, 3);
function runTests() {
  }
    var lines = new Lines([
      {from: [1, 2, 3], to: [4, 5, 6]},
      {from: [7, 8, 9], to: [10, 11, 12]},
      {from: [13, 14, 15], to: [16, 17, 18]}
    ]);
var handle = 0xbeef;
T.Handle.move(handle);



Program received signal SIGSEGV, Segmentation fault.
getClass (this=0xbeef) at ../vm/ObjectImpl.h:987
987             return type_->clasp;
(gdb) bt 8
#0  getClass (this=0xbeef) at ../vm/ObjectImpl.h:987
#1  is<js::TypedHandle> (this=0xbeef) at ../jsobj.h:1152
#2  js::ObjectIsTypedHandle (argc=1, vp=0xffffbd48) at /srv/repos/mozilla-central/js/src/builtin/TypedObject.cpp:2366
#3  0x081dda86 in CallJSNative (args=..., native=0x81fbe60 <JSNativeThreadSafeWrapper<&js::ObjectIsTypedHandle>(JSContext*, unsigned int, JS::Value*)>, cx=0x9083850) at ../jscntxtinlines.h:220
#4  js::Invoke (cx=0x9083850, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/vm/Interpreter.cpp:462
#5  0x081de31d in js::Invoke (cx=0x9083850, thisv=..., fval=..., argc=1, argv=0xffffbfac, rval=...) at /srv/repos/mozilla-central/js/src/vm/Interpreter.cpp:512
#6  0x082a80f1 in js::jit::DoCallFallback (cx=0x9083850, frame=0xffffbfdc, stub=0x9124c00, argc=1, vp=0xffffbf9c, res=...) at /srv/repos/mozilla-central/js/src/jit/BaselineIC.cpp:7672
#7  0xf7a87a8d in ?? ()
(More stack frames follow...)
(gdb) x /i $pc
=> 0x8473503 <js::ObjectIsTypedHandle(js::ThreadSafeContext*, unsigned int, JS::Value*)+19>:    mov    0x4(%edx),%ecx
(gdb) info reg edx
edx            0xbeef   48879
Group: core-security
Keywords: csec-wildptr, 
          
            sec-critical

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Bug930974.diffSplinter Review
      

    


  
The naming convention `ObjectIsFoo` was SUPPOSED to make me remember to call `IsObject` first. Didn't work 100%.

        Attachment #826698 -
        Flags: review?

    
    

    
  


  

        Attachment #823281 -
        Attachment is obsolete: true

    
  

        Attachment #826698 -
        Flags: review? → review?(till)

    
  
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

    
    

    
  
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/35a83682c173
user:        Nicholas D. Matsakis
date:        Wed Sep 11 16:24:23 2013 -0400
summary:     Bug 898342 - Implement movable handles for Typed Objects r=till

This iteration took 428.270 seconds to run.

    
    

    
  
Comment on attachment 826698 [details] [diff] [review]
Bug930974.diff

Review of attachment 826698 [details] [diff] [review]:
-----------------------------------------------------------------

Oh, yes. Sorry this slipped through the review.

        Attachment #826698 -
        Flags: review?(till) → review+

    
    

    
  
I'm guessing this is ready for landing... soon?
Flags: needinfo?(nmatsakis)

    
    

    
  
Yes, sorry, I forgot about this!
Flags: needinfo?(nmatsakis)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/28ed31db6d98
Status: NEW → RESOLVED
Closed: 11 years ago

          status-b2g-v1.1hd:
          --- → unaffected

          status-b2g-v1.2:
          --- → disabled

          status-firefox28:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla28

    
  
Status: RESOLVED → VERIFIED

    
    

    
  
JSBugMon: This bug has been automatically verified fixed.
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: