Closed Bug 968097 Opened 6 years ago Closed 6 years ago

Object.preventExtensions(marquee) crash

Categories

(Core :: JavaScript Engine, defect, critical)

Hardware: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


Status: RESOLVED FIXED
Target Milestone: mozilla30
Tracking Status
firefox27 --- unaffected
firefox28 --- unaffected
firefox29 --- fixed
firefox30 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- fixed

People

(Reporter: jruderman, Assigned: efaust)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files)

>==79416==ERROR: AddressSanitizer: SEGV on unknown address 0x120000000000 (pc 0x0001000506b1 sp 0x7fff5fbf29e0 bp 0x7fff5fbf2a10 T0)
>AddressSanitizer can not provide additional info.
>    #0 0x1000506b0 in wrap_strlen (/Users/jruderman/llvm/build/Release/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x136b0)
>    #1 0x11ee7c828 in js_ExpandErrorArguments(js::ExclusiveContext*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, char**, JSErrorReport*, js::ErrorArgumentsType, __va_list_tag*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1996c828)
>    #2 0x11ee5c947 in js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1994c947)
>    #3 0x11ee5c0fe in JS_ReportErrorNumberVA(JSContext*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, __va_list_tag*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1994c0fe)
>    #4 0x11ed8bbc4 in JS_ReportErrorNumber(JSContext*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, ...) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1987bbc4)
>    #5 0x11ede5372 in JS_SetPrototype(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x198d5372)
>    #6 0x11027dfef in nsXBLBinding::DoInitJSClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, nsCString const&, nsXBLPrototypeBinding*, JS::MutableHandle<JSObject*>, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad6dfef)
>    #7 0x1102cda1c in nsXBLPrototypeBinding::InitClass(nsCString const&, JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xadbda1c)
>    #8 0x1102c8dfe in nsXBLProtoImpl::InitTargetObjects(nsXBLPrototypeBinding*, nsIContent*, JS::MutableHandle<JSObject*>, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xadb8dfe)
>    #9 0x1102c52c0 in nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding*, nsXBLBinding*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xadb52c0)
>    #10 0x1102781f7 in nsXBLPrototypeBinding::InstallImplementation(nsXBLBinding*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad681f7)
>    #11 0x110277f2f in nsXBLBinding::InstallImplementation() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad67f2f)
>    #12 0x110277b92 in nsXBLBinding::InstallImplementation() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad67b92)
>    #13 0x1103288ee in nsXBLService::LoadBindings(nsIContent*, nsIURI*, nsIPrincipal*, nsXBLBinding**, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xae188ee)
>    #14 0x11370a7f8 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, bool, nsStyleContext*, unsigned int, nsTArray<nsIAnonymousContentCreator::ContentInfo>*, nsCSSFrameConstructor::FrameConstructionItemList&) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe1fa7f8)
>    #15 0x1137442b2 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe2342b2)
>    #16 0x1137611fc in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe2511fc)
>    #17 0x113756317 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe246317)
>    #18 0x1137628fa in nsCSSFrameConstructor::CreateNeededFrames() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe2528fa)
>    #19 0x113562ec5 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe052ec5)
>    #20 0x1135a5626 in PresShell::WillPaint() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe095626)
>    #21 0x1106e7d0f in nsViewManager::CallWillPaintOnObservers() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xb1d7d0f)
>    #22 0x1106e21db in nsViewManager::ProcessPendingUpdates() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xb1d21db)
>    #23 0x11360d4a9 in nsRefreshDriver::Tick(long long, mozilla::TimeStamp) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe0fd4a9)
>    #24 0x1136283bc in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long long, mozilla::TimeStamp) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe1183bc)
>    #25 0x113627b50 in mozilla::RefreshDriverTimer::Tick() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe117b50)
>    #26 0x1136270d0 in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe1170d0)
>    #27 0x105b3b6d4 in nsTimerImpl::Fire() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x62b6d4)
>    #28 0x105b3c9fa in nsTimerEvent::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x62c9fa)
>    #29 0x105b25b69 in nsThread::ProcessNextEvent(bool, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x615b69)
>    #30 0x1055ef096 in NS_ProcessNextEvent(nsIThread*, bool) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xdf096)
>    #31 0x105b23fbb in nsThread::Shutdown() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x613fbb)
>    #32 0x10a60ad21 in gfxFontInfoLoader::CancelLoader() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x50fad21)
>    #33 0x10a60bf14 in gfxFontInfoLoader::FinalizeLoader(FontInfoData*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x50fbf14)
>    #34 0x10a60822c in FontInfoLoadCompleteEvent::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x50f822c)
>    #35 0x105b25b69 in nsThread::ProcessNextEvent(bool, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x615b69)
>    #36 0x1055ee81f in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xde81f)
>    #37 0x10e2ac7a5 in nsBaseAppShell::NativeEventCallback() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8d9c7a5)
>    #38 0x10e070fa7 in nsAppShell::ProcessGeckoEvents(void*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8b60fa7)
>    #39 0x7fff873998f0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x7f8f0)
>    #40 0x7fff8738b061 in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x71061)
>    #41 0x7fff8738a7ee in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x707ee)
>    #42 0x7fff8738a274 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x70274)
>    #43 0x7fff83742f0c in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x2ef0c)
>    #44 0x7fff83742cb6 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x2ecb6)
>    #45 0x7fff83742abb in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x2eabb)
>    #46 0x7fff8877928d in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x2428d)
>    #47 0x7fff887788da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x238da)
>    #48 0x10e06c942 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8b5c942)
>    #49 0x7fff8876c9cb in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x179cb)
>    #50 0x10e07494c in nsAppShell::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8b6494c)
>    #51 0x1171bdc37 in nsAppStartup::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x11cadc37)
>    #52 0x116b7c34f in XREMain::XRE_mainRun() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1166c34f)
>    #53 0x116b7eb61 in XREMain::XRE_main(int, char**, nsXREAppData const*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1166eb61)
>    #54 0x116b7febd in XRE_main (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1166febd)
>    #55 0x1000067fb in do_main(int, char**, nsIFile*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x1000067fb)
>    #56 0x1000038a8 in main (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x1000038a8)
>    #57 0x100000bf3 in start (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x100000bf3)
>    #58 0x5 (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x5)
Comment on attachment 8370624 [details]
testcase (crashes ASAN Firefox when loaded)

I'm not getting a crash in a release nightly; it requires ASan to see.
Attachment #8370624 - Attachment description: testcase (crashes Firefox when loaded) → testcase (crashes ASAN Firefox when loaded)
Odd, non-debug ASan was the only configuration I couldn't get to crash. Nightly, debug, and debug+ASan all crashed for me.
The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/b97134e81798
user:        Eric Faust
date:        Thu Jan 16 15:09:52 2014 -0800
summary:     Bug 950407 Followup - Add a parameter to JSMSG_SETPROTOTYPEOF_FAIL. (r=Waldo on IRC)
Blocks: 950407
Keywords: regression
Attached patch: Fix?
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Attachment #8371019 - Flags: feedback?(jruderman)
Attachment #8371019 - Flags: review+
Comment on attachment 8371019 [details] [diff] [review]
Fix?

Fixes the crash for me :)
Attachment #8371019 - Flags: feedback?(jruderman) → feedback+
Comment on attachment 8371019 [details] [diff] [review]
Fix?

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 950407
User impact if declined: Crash on certain JS C++ API call (setting object prototype)
Testing completed (on m-c, etc.): tested by jesse
Risk to taking this patch (and alternatives if risky): Tiny. Just changes an error handling case.
String or IDL/UUID changes made by this patch: N/A
Attachment #8371019 - Flags: approval-mozilla-aurora?
Attachment #8371019 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Please don't land on release branches until the patch has stuck on trunk. Believe me, multi-tree bustages can and have occurred and it just makes for bigger messes to clean up.

Also, this affects more than trunk and doesn't have a security rating. AFAIK, that means it should have gotten security approval before landing.
Flags: needinfo?(efaustbmo)
https://hg.mozilla.org/mozilla-central/rev/8b551a3c4fe0
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(efaustbmo)
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Group: core-security