Closed Bug 578044 Opened 14 years ago Closed 14 years ago

Crash [@ JSObject::wrappedObject] or "Assertion failure: (ptrBits & 0x7) == 0,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [ccbr] [sg:critical] fixed-in-tracemonkey [critsmash:patch])

Crash Data

Attachments

(1 file, 1 obsolete file)

remove spurious newline
(deleted), patch
Waldo
: review+
Details | Diff | Splinter Review 
try {
    try {
        gczeal(2)
    } finally {
        r
    }
} catch (e) {}
try {
    (Float32Array)(evalcx(''))
} catch (e) {}

asserts js debug shell on moo tip changeset 60c111fc0d4b without -m at Assertion failure: (ptrBits & 0x7) == 0, at ../jsval.h:624

(Tested only on 64-bit Ubuntu 10.04, pass in the testcase as a CLI argument to reproduce)

Program received signal SIGABRT, Aborted.
0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
42	../nptl/sysdeps/unix/sysv/linux/pt-raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/pt-raise.c
(gdb) bt
#0  0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x000000000053e000 in JS_Assert (s=0x580802 "(ptrBits & 0x7) == 0", file=0x58072b "../jsval.h", ln=624) at ../jsutil.cpp:80
#2  0x0000000000411c32 in JSVAL_TO_GCTHING_IMPL (l=...) at ../jsval.h:624
#3  0x000000000042a768 in js::Value::asGCThing (this=0x8335a0) at ../jsvalue.h:538
#4  0x00000000004a881e in MarkValueRaw (trc=0x7fffffffc1f0, v=...) at ../jsgc.h:568
#5  0x00000000004b9272 in js_TraceObject (trc=0x7fffffffc1f0, obj=0x7ffff69077f8) at ../jsobj.cpp:6146
#6  0x0000000000486374 in JS_TraceChildren (trc=0x7fffffffc1f0, thing=0x7ffff69077f8, kind=0) at ../jsgc.cpp:1900
#7  0x0000000000486c5e in js::Mark (trc=0x7fffffffc1f0, thing=0x7ffff69077f8, kind=0) at ../jsgc.cpp:2166
#8  0x00000000004a8832 in MarkValueRaw (trc=0x7fffffffc1f0, v=...) at ../jsgc.h:568
#9  0x00000000004b9272 in js_TraceObject (trc=0x7fffffffc1f0, obj=0x7ffff6901750) at ../jsobj.cpp:6146
#10 0x0000000000486374 in JS_TraceChildren (trc=0x7fffffffc1f0, thing=0x7ffff6901750, kind=0) at ../jsgc.cpp:1900
#11 0x0000000000486c5e in js::Mark (trc=0x7fffffffc1f0, thing=0x7ffff6901750, kind=0) at ../jsgc.cpp:2166
#12 0x0000000000421719 in JS_CallTracer (trc=0x7fffffffc1f0, thing=0x7ffff6901750, kind=0) at ../jsapi.cpp:1963
#13 0x00000000004396a2 in JSObject::traceProtoAndParent (this=0x7ffff6901798, trc=0x7fffffffc1f0) at ../jsobj.h:428
#14 0x00000000004b9186 in js_TraceObject (trc=0x7fffffffc1f0, obj=0x7ffff6901798) at ../jsobj.cpp:6127
#15 0x0000000000486374 in JS_TraceChildren (trc=0x7fffffffc1f0, thing=0x7ffff6901798, kind=0) at ../jsgc.cpp:1900
#16 0x0000000000486c5e in js::Mark (trc=0x7fffffffc1f0, thing=0x7ffff6901798, kind=0) at ../jsgc.cpp:2166
#17 0x0000000000421719 in JS_CallTracer (trc=0x7fffffffc1f0, thing=0x7ffff6901798, kind=0) at ../jsapi.cpp:1963
#18 0x00000000004872af in JSWeakRoots::mark (this=0x7fffffffc338, trc=0x7fffffffc1f0) at ../jsgc.cpp:2311
#19 0x000000000048b8a1 in js::AutoGCRooter::trace (this=0x7fffffffc320, trc=0x7fffffffc1f0) at ../jsgc.cpp:2333
#20 0x0000000000487424 in js_TraceContext (trc=0x7fffffffc1f0, acx=0x82a1a0) at ../jsgc.cpp:2441
#21 0x0000000000487675 in js_TraceRuntime (trc=0x7fffffffc1f0) at ../jsgc.cpp:2476
#22 0x0000000000487dcc in GC (cx=0x82a1a0) at ../jsgc.cpp:3022
#23 0x000000000048814e in GCUntilDone (cx=0x82a1a0, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3403
#24 0x00000000004882b2 in js_GC (cx=0x82a1a0, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3457
#25 0x0000000000485b0b in LastDitchGC (cx=0x82a1a0) at ../jsgc.cpp:1718
#26 0x0000000000485c5c in RefillFinalizableFreeList (cx=0x82a1a0, thingKind=1) at ../jsgc.cpp:1742
#27 0x000000000048605a in js_NewFinalizableGCThing (cx=0x82a1a0, thingKind=1) at ../jsgc.cpp:1830
#28 0x0000000000478e1e in js_NewGCFunction (cx=0x82a1a0) at ../jsgc.h:274
#29 0x000000000047951d in NewObjectWithGivenProto (cx=0x82a1a0, clasp=0x7f2e00, proto=0x7ffff6907528, parent=0x7ffff69077f8) at ../jsobjinlines.h:743
#30 0x0000000000479866 in NewObject (cx=0x82a1a0, clasp=0x7f2e00, proto=0x7ffff6907528, parent=0x7ffff69077f8) at ../jsobjinlines.h:824
#31 0x000000000047feb0 in js_NewFunction (cx=0x82a1a0, funobj=0x0, native=0x4aff23 <obj_defineProperty>, nargs=3, flags=2048, parent=0x7ffff69077f8, atom=0x7ffff6900c80) at ../jsfun.cpp:2388
#32 0x0000000000480468 in js_DefineFunction (cx=0x82a1a0, obj=0x7ffff69077f8, atom=0x7ffff6900c80, native=0x4aff23 <obj_defineProperty>, nargs=3, attrs=2048) at ../jsfun.cpp:2541
#33 0x000000000042765c in JS_DefineFunction (cx=0x82a1a0, obj=0x7ffff69077f8, name=0x596472 "defineProperty", call=0x4aff23 <obj_defineProperty>, nargs=3, attrs=6144) at ../jsapi.cpp:4259
#34 0x0000000000427577 in JS_DefineFunctions (cx=0x82a1a0, obj=0x7ffff69077f8, fs=0x7f3c28) at ../jsapi.cpp:4244
#35 0x00000000004b2e79 in js_InitClass (cx=0x82a1a0, obj=0x7ffff6901750, parent_proto=0x0, clasp=0x7f39a0, constructor=0x4b0d40 <js_Object(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)>, nargs=1, ps=0x7f3a40, 
    fs=0x7f3a80, static_ps=0x0, static_fs=0x7f3be0) at ../jsobj.cpp:3529
#36 0x00000000004b26fb in js_InitObjectClass (cx=0x82a1a0, obj=0x7ffff6901750) at ../jsobj.cpp:3339
#37 0x00000000004200c1 in js_InitFunctionAndObjectClasses (cx=0x82a1a0, obj=0x7ffff6901750) at ../jsapi.cpp:1197
#38 0x0000000000420283 in JS_InitStandardClasses (cx=0x82a1a0, obj=0x7ffff6901750) at ../jsapi.cpp:1240
#39 0x000000000040aa3a in NewSandbox (cx=0x82a1a0, lazy=false, split=false) at ../../shell/js.cpp:2950
#40 0x000000000040ad73 in EvalInContext (cx=0x82a1a0, obj=0x7ffff6901000, argc=1, argv=0x7ffff6a8a1c0, rval=0x7ffff6a8a248) at ../../shell/js.cpp:2992
#41 0x0000000000499a10 in js::callJSNative (cx=0x82a1a0, native=0x40abea <EvalInContext>, thisobj=0x7ffff6901000, argc=1, argv=0x7ffff6a8a1c0, rval=0x7ffff6a8a248) at ../jscntxtinlines.h:355
#42 0x0000000000498d09 in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x82a1a0, fun=0x7ffff6904e10, script=0x0, native=0x40abea <EvalInContext>, args=..., flags=0) at ../jsinterp.cpp:618
#43 0x00000000004960ca in js::Invoke (cx=0x82a1a0, args=..., flags=0) at ../jsinterp.cpp:719
#44 0x0000000000571797 in js::Interpret (cx=0x82a1a0) at ../jsops.cpp:2360
#45 0x0000000000495ce4 in js::RunScript (cx=0x82a1a0, script=0x834c10, fun=0x0, scopeChain=0x7ffff6901000) at ../jsinterp.cpp:462
#46 0x0000000000496a96 in js::Execute (cx=0x82a1a0, chain=0x7ffff6901000, script=0x834c10, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:923
#47 0x0000000000428656 in JS_ExecuteScript (cx=0x82a1a0, obj=0x7ffff6901000, script=0x834c10, rval=0x0) at ../jsapi.cpp:4637
#48 0x000000000040493a in Process (cx=0x82a1a0, obj=0x7ffff6901000, filename=0x7fffffffe5cd "w640-cj-in.js", forceTTY=0) at ../../shell/js.cpp:440
#49 0x000000000040572a in ProcessArgs (cx=0x82a1a0, obj=0x7ffff6901000, argv=0x7fffffffe2c0, argc=1) at ../../shell/js.cpp:860
#50 0x000000000040dadd in shell (cx=0x82a1a0, argc=1, argv=0x7fffffffe2c0, envp=0x7fffffffe2d0) at ../../shell/js.cpp:5038
#51 0x000000000040dbed in main (argc=1, argv=0x7fffffffe2c0, envp=0x7fffffffe2d0) at ../../shell/js.cpp:5129
WFM on moo-tip, Linux. Anyone else?
(In reply to comment #1)
> WFM on moo-tip, Linux. Anyone else?

Nope, still fails for me.

moo changeset f567bb6aca45:

$./js-dbg-64-jm-linux 578044.js
Assertion failure: (ptrBits & 0x7) == 0, at ../jsval.h:631
Aborted
The assertion is only tripped on a 64-bit build.
Seems to be fatval-related.
No longer blocks: JaegerFuzz
Summary: JM: "Assertion failure: (ptrBits & 0x7) == 0," → FV: "Assertion failure: (ptrBits & 0x7) == 0,"
I can reproduce this on a debug 64-bit OSX TM tip build, so not a fatval bug.
Summary: FV: "Assertion failure: (ptrBits & 0x7) == 0," → TM: "Assertion failure: (ptrBits & 0x7) == 0,"
comment #0 no longer reproduces, but I have another testcase (-j not required) that asserts similarly in a 64-bit debug shell:

this.watch("x", Object.create)
try {
  (function() {
    __defineGetter__("x",
    function() {
      return this
    })
  })()
} catch(e) {}
Object.defineProperty(x, "x", ({
  set: Uint16Array
}))

Assertion failure: (ptrBits & 0x7) == 0, at ../jsval.h:614

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100166725 in JS_Assert (s=0x1001ff264 "(ptrBits & 0x7) == 0", file=0x100201118 "../jsval.h", ln=614) at ../jsutil.cpp:81
81          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0000000100166725 in JS_Assert (s=0x1001ff264 "(ptrBits & 0x7) == 0", file=0x100201118 "../jsval.h", ln=614) at ../jsutil.cpp:81
#1  0x000000010015413b in JSVAL_TO_OBJECT_IMPL (l={asBits = 18445477440609627295, debugView = {payload47 = 4295273631, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 306335, u32 = 306335, why = 306335}}, asDouble = -nan(0xb80010004ac9f)}) at jsval.h:614
#2  0x0000000100159544 in js::Value::toObject (this=0x7fff5fbfd680) at jsvalue.h:532
#3  0x00000001000b6dd3 in js::StrictlyEqual (cx=0x1005119d0, lref=@0x7fff5fbfd908, rref=@0x7fff5fbfd7d0) at jsinterp.cpp:1026
#4  0x00000001000b6f9a in js::SameValue (v1=@0x7fff5fbfd908, v2=@0x7fff5fbfd7d0, cx=0x1005119d0) at jsinterp.cpp:1065
#5  0x00000001000d3bc8 in DefinePropertyOnObject (cx=0x1005119d0, obj=0x101401000, desc=@0x7fff5fbfd8e8, throwError=true, rval=0x7fff5fbfd927) at ../jsobj.cpp:2105
#6  0x00000001000d4a21 in DefineProperty (cx=0x1005119d0, obj=0x101401000, desc=@0x7fff5fbfd8e8, throwError=true, rval=0x7fff5fbfd927) at ../jsobj.cpp:2370
#7  0x00000001000d57bc in js_DefineOwnProperty (cx=0x1005119d0, obj=0x101401000, id={asBits = 4297674992}, descriptor=@0x7fff5fbfd9e0, bp=0x7fff5fbfd9a4) at ../jsobj.cpp:2383
#8  0x00000001000d5955 in obj_defineProperty (cx=0x1005119d0, argc=3, vp=0x1010001b0) at ../jsobj.cpp:2409
#9  0x00000001000a3d34 in js::Interpret (cx=0x1005119d0) at ../jsinterp.cpp:4741
#10 0x00000001000b7a5b in js::Execute (cx=0x1005119d0, chain=0x101401000, script=0x100514820, down=0x0, flags=0, result=0x0) at jsinterp.cpp:880
#11 0x00000001000164be in JS_ExecuteScript (cx=0x1005119d0, obj=0x101401000, script=0x100514820, rval=0x0) at ../jsapi.cpp:4655
#12 0x000000010000aaad in Process (cx=0x1005119d0, obj=0x101401000, filename=0x7fff5fbff948 "w798-reduced.js", forceTTY=0) at ../../shell/js.cpp:439
#13 0x000000010000b6e7 in ProcessArgs (cx=0x1005119d0, obj=0x101401000, argv=0x7fff5fbff7b8, argc=1) at ../../shell/js.cpp:853
#14 0x000000010000b7cf in shell (cx=0x1005119d0, argc=1, argv=0x7fff5fbff7b8, envp=0x7fff5fbff7c8) at ../../shell/js.cpp:5029
#15 0x000000010000b8cb in main (argc=1, argv=0x7fff5fbff7b8, envp=0x7fff5fbff7c8) at ../../shell/js.cpp:5116


It crashes in 32-bit debug build at JSObject::wrappedObject:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xd0ec8157
0x000c280d in JSObject::wrappedObject (this=0x4b30c, cx=0x809400) at ../jsobj.cpp:6219
6219        if (clasp->flags & JSCLASS_IS_EXTENDED) {
(gdb) bt
#0  0x000c280d in JSObject::wrappedObject (this=0x4b30c, cx=0x809400) at ../jsobj.cpp:6219
#1  0x000b28e9 in js::EqualObjects (cx=0x809400, lobj=0x604e60, robj=0x4b30c) at jsinterp.cpp:1013
#2  0x000b29f9 in js::StrictlyEqual (cx=0x809400, lref=@0xbfffe4f4, rref=@0xbfffe3f8) at jsinterp.cpp:1026
#3  0x000b2ba9 in js::SameValue (v1=@0xbfffe4f4, v2=@0xbfffe3f8, cx=0x809400) at jsinterp.cpp:1065
#4  0x000cfc1f in DefinePropertyOnObject (cx=0x809400, obj=0x601000, desc=@0xbfffe4d4, throwError=true, rval=0xbfffe50b) at ../jsobj.cpp:2105
#5  0x000d0a56 in DefineProperty (cx=0x809400, obj=0x601000, desc=@0xbfffe4d4, throwError=true, rval=0xbfffe50b) at ../jsobj.cpp:2370
#6  0x000d184e in js_DefineOwnProperty (cx=0x809400, obj=0x601000, id={asBits = 2206352}, descriptor=@0xbfffe580, bp=0xbfffe554) at ../jsobj.cpp:2383
#7  0x000d19d8 in obj_defineProperty (cx=0x809400, argc=3, vp=0x10000f0) at ../jsobj.cpp:2409
#8  0x000a0756 in js::Interpret (cx=0x809400) at ../jsinterp.cpp:4741
#9  0x000b352e in js::Execute (cx=0x809400, chain=0x601000, script=0x40deb0, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:880
#10 0x000171c8 in JS_ExecuteScript (cx=0x809400, obj=0x601000, script=0x40deb0, rval=0xbffff680) at ../jsapi.cpp:4655
#11 0x0000c072 in Process (cx=0x809400, obj=0x601000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:532
#12 0x0000ca49 in ProcessArgs (cx=0x809400, obj=0x601000, argv=0xbffff858, argc=0) at ../../shell/js.cpp:853
#13 0x0000cb62 in shell (cx=0x809400, argc=0, argv=0xbffff858, envp=0xbffff85c) at ../../shell/js.cpp:5029
#14 0x0000cc86 in main (argc=0, argv=0xbffff858, envp=0xbffff85c) at ../../shell/js.cpp:5116
(gdb) x/i $eip
0xc280d <_ZNK8JSObject13wrappedObjectEP9JSContext+23>:  mov    0x4(%eax),%eax
(gdb) x/b $eax
0xd0ec8153:     Cannot access memory at address 0xd0ec8153

It also crashes at JSObject::wrappedObject in 32-bit or 64-bit opt builds at weird memory locations. (turning this s-s)
Group: core-security
blocking2.0: --- → ?
Flags: in-testsuite?
OS: Linux → All
Hardware: x86_64 → All
Summary: TM: "Assertion failure: (ptrBits & 0x7) == 0," → Crash [@ JSObject::wrappedObject] or "Assertion failure: (ptrBits & 0x7) == 0,"
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: fatvals
Keywords: crash
Whiteboard: [ccbr]
Assignee: general → lw
blocking2.0: ? → betaN+
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Whiteboard: [ccbr] → [ccbr] [sg:critical]
Attached patch fix (obsolete) (deleted) — Splinter Review 
getterOrUndefined() was doing the right thing but setterOrUndefined() is just a copy of setterValue().  Merge failure or stupid mistake.
Attachment #458774 - Flags: review?(jwalden+bmo)
Attached patch remove spurious newline (deleted) — Splinter Review 

        Attachment #458774 -
        Attachment is obsolete: true

        Attachment #458775 -
        Flags: review?(jwalden+bmo)

        Attachment #458774 -
        Flags: review?(jwalden+bmo)

    
  

        Attachment #458775 -
        Flags: review?(jwalden+bmo) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/605610554494
Whiteboard: [ccbr] [sg:critical] → [ccbr] [sg:critical] fixed-in-tracemonkey
Whiteboard: [ccbr] [sg:critical] fixed-in-tracemonkey → [ccbr] [sg:critical] fixed-in-tracemonkey [critsmash:patch]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/605610554494
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: core-security
Crash Signature: [@ JSObject::wrappedObject]

    
    

    
  
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED

    
    

    
  
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug578044.js.
Flags: in-testsuite? → in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: