Bug 569384 (Closed)
TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"
Opened 15 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect, P2
Status: VERIFIED FIXED
Tracking flags:
blocking2.0: betaN+
blocking1.9.2: .14+
status1.9.2: .14-fixed
status1.9.1: unaffected
People: Reporter: gkw, Assigned: gal
Details: 4 keywords; Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192]
Attachments (1 file): patch (attachment 448619), luke: review+
Comment 0•15 years ago (Reporter)
for (b = 0; b < 1; ++b) {
    var d = b
}
(function () {
    x = Proxy.create(function () {
        return {
            getPropertyDescriptor: function () {
                +""
            }
        }
    }(), 5)
}())
for (a = 0; a < 3; ++a) {
    if (a == 1) {
        d in x
    }
}
crashes js opt shell with -j on TM tip at JSObject::dropProperty and asserts js debug shell with -j on TM tip at Assertion failure: status == ARECORD_ERROR, at ../jsops.cpp:7
s-s because this seems like a scary address (prior to reduction the edx instruction was at a weird 0x128 location). Assuming [sg:critical?] unless otherwise noted.
Program received signal SIGSEGV, Segmentation fault.
0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
(gdb) bt
#0 0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) ()
#1 0x08216644 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x80bfef7 <_ZN8JSObject12dropPropertyEP9JSContextP10JSProperty+7>: mov (%edx),%eax
(gdb) x/b $edx
0x1: Cannot access memory at address 0x1
Comment 1•15 years ago (Reporter)
(Also assuming related to harmony:proxies, setting dependency)
Updated•15 years ago
Assignee: general → gal
Updated•15 years ago
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
Comment 2•15 years ago (Assignee)
#0 0x00000000014021c0 in ?? ()
Cannot access memory at address 0x14021c0
#1 0x00000001001a3007 in js::TraceRecorder::record_JSOP_IN (this=0x100415410) at ../jstracer.cpp:14019
#2 0x00000001001a73e7 in js::TraceRecorder::monitorRecording (this=0x100415410, op=JSOP_IN) at jsopcode.tbl:281
#3 0x000000010008557d in js_Interpret (cx=0x10083c800) at jsops.cpp:78
#4 0x00000001000ae19a in js_Execute (cx=0x10083c800, chain=0x101402000, script=0x100414f90, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837
#5 0x00000001000123af in JS_ExecuteScript (cx=0x10083c800, obj=0x101402000, script=0x100414f90, rval=0x0) at ../jsapi.cpp:4831
#6 0x000000010000a168 in Process (cx=0x10083c800, obj=0x101402000, filename=0x7fff5fbffa90 "x2.js", forceTTY=0) at ../../shell/js.cpp:422
#7 0x000000010000adad in ProcessArgs (cx=0x10083c800, obj=0x101402000, argv=0x7fff5fbff938, argc=2) at ../../shell/js.cpp:836
#8 0x000000010000af28 in main (argc=2, argv=0x7fff5fbff938, envp=0x7fff5fbff950) at ../../shell/js.cpp:5082
Comment 3•15 years ago (Assignee)
not proxy related, just proxy triggered, probably needs branch fixing too, patch soon
Comment 4•15 years ago (Assignee)
Updated•15 years ago (Assignee)
Attachment #448619 - Flags: review?(lw)
Updated•15 years ago (Assignee)
No longer blocks: harmony:proxies
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:critical]
Comment 5•15 years ago
Comment on attachment 448619 [details] [diff] [review]
patch
Ew, lame; thanks for finding and fixing that.
Attachment #448619 - Flags: review?(lw) → review+
Comment 6•15 years ago (Assignee)
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical], fixed-in-tracemonkey
Comment 7•15 years ago (Reporter)
for (let n = 0; n < 7; ++n) {
    x = Proxy.create(function() {
        return {
            getPropertyDescriptor: function() {
                + ""
            }
        }
    } (), /x/)
}
for (z = 0; z < 5; ++z) {
    var a = z
}
for (var m = 0; m < 9; ++m) {
    if (m % 5 == 0) {} else {
        print(let(y = a in x) 7)
    }
}
is a 64-bit crash testcase (both in debug and opt shells) that got fixed by this patch, and it also crashes at js::TraceRecorder::record_JSOP_IN
Summary: TM: Crash [@ JSObject::dropProperty] or "Assertion failure: status == ARECORD_ERROR," → TM: Crash [@ JSObject::dropProperty] or [@ js::TraceRecorder::record_JSOP_IN] or "Assertion failure: status == ARECORD_ERROR,"
Updated•15 years ago
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch]
Comment 8•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
status1.9.1: --- → ?
status1.9.2: --- → ?
Resolution: --- → FIXED
Updated•14 years ago
blocking2.0: ? → betaN+
Comment 9•14 years ago
a non-proxy testcase that could be used to verify the branches would be great. The patch itself needs only minor merging for the branches (Macro/#define name changes).
Updated•14 years ago
blocking1.9.1: ? → .17+
blocking1.9.2: ? → .14+
Comment 10•14 years ago (Assignee)
The bug doesn't exist in 1.9.1 (I tried the test case on 1.9.1, no crash). Landed on 1.9.2.
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98467bef1347
Comment 11•14 years ago
(In reply to comment #0)
> for (b = 0; b < 1; ++b) {
>     var d = b
> }
> (function () {
>     x = Proxy.create(function () {
>         return {
>             getPropertyDescriptor: function () {
>                 +""
>             }
>         }
>     }(), 5)
> }())
> for (a = 0; a < 3; ++a) {
>     if (a == 1) {
>         d in x
>     }
> }
When I run this in my own 1.9.2 debug build (pre-fix) or 1.9.2.13, I get "ReferenceError on line 5: Proxy is not defined".
I'm not a JS shell expert but I expect I'm doing something wrong here.
Comment 12•14 years ago (Assignee)
1.9.2 doesn't have proxies. You would need some other non-native object to make this happen (i.e. liveconnect).
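Comment 3 above says proxies only triggered the bug, and comment 12 that any non-native object would do in their place. The C model below is an added example, not SpiderMonkey code from this bug or its patch: it shows the shape of that failure, a trace recorder that hands a non-native object's lookup result to the native property-release path, next to the guard that stops recording for non-native objects instead. The object model, the `is_native` guard, the token value 1 (chosen to mirror the `%edx` in the gdb session above) and every name in it are assumptions made for the model; the page itself establishes only the crash site, the bogus address, and that the fix landed in the tracer.

```c
/* Added example, not SpiderMonkey code: a minimal C model of the failure
 * mode described in this bug.  Assumed contract (not stated by the page):
 * a native object's lookup returns a real property pointer that the caller
 * releases with native_drop(), while a non-native (proxy-like) object's
 * lookup returns an opaque "found" token that only its own drop hook
 * understands.  The token value 1 mirrors the %edx in the crash, nothing more. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; int value; int refs; } NativeProp;

typedef struct Obj Obj;
typedef struct {
    void *(*lookup)(Obj *self, const char *name); /* NULL when not found */
    void  (*drop)(Obj *self, void *handle);
    bool   is_native;
} ObjClass;
struct Obj { const ObjClass *cls; NativeProp *props; size_t nprops; };

/* Native object: handles are NativeProp pointers with a reference count. */
static void *native_lookup(Obj *self, const char *name) {
    for (size_t i = 0; i < self->nprops; i++) {
        if (strcmp(self->props[i].name, name) == 0) {
            self->props[i].refs++;
            return &self->props[i];
        }
    }
    return NULL;
}
static void native_drop(Obj *self, void *h) {
    (void)self;
    ((NativeProp *)h)->refs--;          /* a load through h: faults if h == 1 */
}

/* Proxy-like object: every lookup "finds" the name and reports it with a
 * bare token (assumed encoding); its own drop hook is a no-op. */
#define FOUND_TOKEN ((void *)(uintptr_t)1)
static void *proxy_lookup(Obj *self, const char *name) {
    (void)self; (void)name;
    return FOUND_TOKEN;
}
static void proxy_drop(Obj *self, void *h) { (void)self; (void)h; }

static const ObjClass NativeClass = { native_lookup, native_drop, true  };
static const ObjClass ProxyClass  = { proxy_lookup,  proxy_drop,  false };

typedef enum { RECORD_CONTINUE, RECORD_STOP } RecordStatus;

/* Pre-fix shape of the recorder's `in` handling: look the name up and pass
 * the result to the native release path whatever the object's class is.
 * Returned as an integer so the model can show the bogus address without
 * dereferencing it; the real next step was native_drop(obj, h). */
static uintptr_t record_in_pre_fix_would_deref(Obj *obj, const char *name) {
    void *h = obj->cls->lookup(obj, name);
    return (uintptr_t)h;
}

/* Guarded recorder: a non-native object aborts recording (the interpreter
 * handles the `in`), so only real native property pointers reach
 * native_drop(). */
static RecordStatus record_in(Obj *obj, const char *name, bool *found) {
    *found = false;
    if (!obj->cls->is_native)
        return RECORD_STOP;
    void *h = obj->cls->lookup(obj, name);
    if (h != NULL) {
        *found = true;
        native_drop(obj, h);
    }
    return RECORD_CONTINUE;
}

/* Constructed sample objects: a native object with one property "d" and a
 * proxy with no properties of its own. */
static NativeProp g_props[] = { { "d", 0, 0 } };
static Obj g_native = { &NativeClass, g_props, 1 };
static Obj g_proxy  = { &ProxyClass,  NULL,    0 };
static bool g_found = false;

int main(void) {
    RecordStatus s = record_in(&g_proxy, "d", &g_found);
    printf("proxy: %s\n", s == RECORD_STOP ? "recording stopped" : "recorded");
    s = record_in(&g_native, "d", &g_found);
    printf("native: found=%d refs=%d\n", (int)g_found, g_props[0].refs);
    printf("pre-fix would load from %#lx for the proxy\n",
           (unsigned long)record_in_pre_fix_would_deref(&g_proxy, "d"));
    return 0;
}
```

The point of the model is the class check before the release call: in the pre-fix shape the address handed to the native release path for a proxy is the token 1, which is the `mov (%edx),%eax` fault with `%edx == 0x1` from the description, while for a native object it is a genuine property pointer.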
Comment 13•14 years ago
Marking this at NTD (nothing to do) for QA for branch since there are no steps to reproduce or testcases.
Whiteboard: [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] → [ccbr][sg:critical], fixed-in-tracemonkey [critsmash:patch] [qa-ntd-192]
Updated•14 years ago
Group: core-security
Updated•14 years ago
Crash Signature: [@ JSObject::dropProperty] [@ js::TraceRecorder::record_JSOP_IN]
Comment 14•13 years ago
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Crash Signature: [@ JSObject::dropProperty] [@ js::TraceRecorder::record_JSOP_IN] (unchanged)
Comment 15•12 years ago
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
Updated•9 years ago
Keywords: testcase-wanted