Closed
Bug 968097
Opened 11 years ago
Closed 11 years ago
Object.preventExtensions(marquee) crash
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
| Tracking | Status | |
|---|---|---|
| firefox27 | --- | unaffected |
| firefox28 | --- | unaffected |
| firefox29 | --- | fixed |
| firefox30 | --- | fixed |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.4 | --- | fixed |
People
(Reporter: jruderman, Assigned: efaust)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
Waldo
:
review+
jruderman
:
feedback+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
>==79416==ERROR: AddressSanitizer: SEGV on unknown address 0x120000000000 (pc 0x0001000506b1 sp 0x7fff5fbf29e0 bp 0x7fff5fbf2a10 T0)
>AddressSanitizer can not provide additional info.
> #0 0x1000506b0 in wrap_strlen (/Users/jruderman/llvm/build/Release/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x136b0)
> #1 0x11ee7c828 in js_ExpandErrorArguments(js::ExclusiveContext*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, char**, JSErrorReport*, js::ErrorArgumentsType, __va_list_tag*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1996c828)
> #2 0x11ee5c947 in js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1994c947)
> #3 0x11ee5c0fe in JS_ReportErrorNumberVA(JSContext*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, __va_list_tag*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1994c0fe)
> #4 0x11ed8bbc4 in JS_ReportErrorNumber(JSContext*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, ...) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1987bbc4)
> #5 0x11ede5372 in JS_SetPrototype(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x198d5372)
> #6 0x11027dfef in nsXBLBinding::DoInitJSClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, nsCString const&, nsXBLPrototypeBinding*, JS::MutableHandle<JSObject*>, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad6dfef)
> #7 0x1102cda1c in nsXBLPrototypeBinding::InitClass(nsCString const&, JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xadbda1c)
> #8 0x1102c8dfe in nsXBLProtoImpl::InitTargetObjects(nsXBLPrototypeBinding*, nsIContent*, JS::MutableHandle<JSObject*>, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xadb8dfe)
> #9 0x1102c52c0 in nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding*, nsXBLBinding*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xadb52c0)
> #10 0x1102781f7 in nsXBLPrototypeBinding::InstallImplementation(nsXBLBinding*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad681f7)
> #11 0x110277f2f in nsXBLBinding::InstallImplementation() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad67f2f)
> #12 0x110277b92 in nsXBLBinding::InstallImplementation() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xad67b92)
> #13 0x1103288ee in nsXBLService::LoadBindings(nsIContent*, nsIURI*, nsIPrincipal*, nsXBLBinding**, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xae188ee)
> #14 0x11370a7f8 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, bool, nsStyleContext*, unsigned int, nsTArray<nsIAnonymousContentCreator::ContentInfo>*, nsCSSFrameConstructor::FrameConstructionItemList&) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe1fa7f8)
> #15 0x1137442b2 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe2342b2)
> #16 0x1137611fc in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe2511fc)
> #17 0x113756317 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe246317)
> #18 0x1137628fa in nsCSSFrameConstructor::CreateNeededFrames() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe2528fa)
> #19 0x113562ec5 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe052ec5)
> #20 0x1135a5626 in PresShell::WillPaint() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe095626)
> #21 0x1106e7d0f in nsViewManager::CallWillPaintOnObservers() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xb1d7d0f)
> #22 0x1106e21db in nsViewManager::ProcessPendingUpdates() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xb1d21db)
> #23 0x11360d4a9 in nsRefreshDriver::Tick(long long, mozilla::TimeStamp) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe0fd4a9)
> #24 0x1136283bc in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long long, mozilla::TimeStamp) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe1183bc)
> #25 0x113627b50 in mozilla::RefreshDriverTimer::Tick() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe117b50)
> #26 0x1136270d0 in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xe1170d0)
> #27 0x105b3b6d4 in nsTimerImpl::Fire() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x62b6d4)
> #28 0x105b3c9fa in nsTimerEvent::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x62c9fa)
> #29 0x105b25b69 in nsThread::ProcessNextEvent(bool, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x615b69)
> #30 0x1055ef096 in NS_ProcessNextEvent(nsIThread*, bool) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xdf096)
> #31 0x105b23fbb in nsThread::Shutdown() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x613fbb)
> #32 0x10a60ad21 in gfxFontInfoLoader::CancelLoader() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x50fad21)
> #33 0x10a60bf14 in gfxFontInfoLoader::FinalizeLoader(FontInfoData*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x50fbf14)
> #34 0x10a60822c in FontInfoLoadCompleteEvent::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x50f822c)
> #35 0x105b25b69 in nsThread::ProcessNextEvent(bool, bool*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x615b69)
> #36 0x1055ee81f in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0xde81f)
> #37 0x10e2ac7a5 in nsBaseAppShell::NativeEventCallback() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8d9c7a5)
> #38 0x10e070fa7 in nsAppShell::ProcessGeckoEvents(void*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8b60fa7)
> #39 0x7fff873998f0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x7f8f0)
> #40 0x7fff8738b061 in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x71061)
> #41 0x7fff8738a7ee in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x707ee)
> #42 0x7fff8738a274 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x70274)
> #43 0x7fff83742f0c in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x2ef0c)
> #44 0x7fff83742cb6 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x2ecb6)
> #45 0x7fff83742abb in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x2eabb)
> #46 0x7fff8877928d in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x2428d)
> #47 0x7fff887788da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x238da)
> #48 0x10e06c942 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8b5c942)
> #49 0x7fff8876c9cb in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x179cb)
> #50 0x10e07494c in nsAppShell::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x8b6494c)
> #51 0x1171bdc37 in nsAppStartup::Run() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x11cadc37)
> #52 0x116b7c34f in XREMain::XRE_mainRun() (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1166c34f)
> #53 0x116b7eb61 in XREMain::XRE_main(int, char**, nsXREAppData const*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1166eb61)
> #54 0x116b7febd in XRE_main (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/XUL+0x1166febd)
> #55 0x1000067fb in do_main(int, char**, nsIFile*) (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x1000067fb)
> #56 0x1000038a8 in main (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x1000038a8)
> #57 0x100000bf3 in start (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x100000bf3)
> #58 0x5 (/Users/jruderman/builds/mozilla-central-asan-debug-slow/dist/NightlyDebug.app/Contents/MacOS/firefox-bin+0x5)
|
||
Comment 1•11 years ago
|
||
Comment on attachment 8370624 [details]
testcase (crashes ASAN Firefox when loaded)
I'm not getting a crash in a release nightly, requires ASAN to see
Attachment #8370624 -
Attachment description: testcase (crashes Firefox when loaded) → testcase (crashes ASAN Firefox when loaded)
|
Reporter | |
Comment 2•11 years ago
|
||
Odd, non-debug ASan was the only configuration I couldn't get to crash. Nightly, debug, and debug+ASan all crashed for me.
|
|
Reporter | |
Comment 3•11 years ago
|
||
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/b97134e81798
user: Eric Faust
date: Thu Jan 16 15:09:52 2014 -0800
summary: Bug 950407 Followup - Add a parameter to JSMSG_SETPROTOTYPEOF_FAIL. (r=Waldo on IRC)
Blocks: 950407
Keywords: regression
|
Assignee | |
Comment 4•11 years ago
|
||
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Attachment #8371019 -
Flags: feedback?(jruderman)
|
||
Updated•11 years ago
|
Attachment #8371019 -
Flags: review+
|
|
Reporter | |
Comment 5•11 years ago
|
||
Comment on attachment 8371019 [details] [diff] [review]
Fix?
Fixes the crash for me :)
Attachment #8371019 -
Flags: feedback?(jruderman) → feedback+
|
|
Assignee | |
Comment 6•11 years ago
|
||
Comment on attachment 8371019 [details] [diff] [review]
Fix?
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 950407
User impact if declined: Crash on certain JS C++ API call (setting object prototype)
Testing completed (on m-c, etc.): tested by jesse
Risk to taking this patch (and alternatives if risky): Tiny. Just changes an error handling case
String or IDL/UUID changes made by this patch: N/A
Attachment #8371019 -
Flags: approval-mozilla-aurora?
|
||
Updated•11 years ago
|
Attachment #8371019 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 7•11 years ago
|
||
|
|
Assignee | |
Comment 8•11 years ago
|
||
|
||
Comment 9•11 years ago
|
||
Please don't land on release branches until the patch has stuck on trunk. Believe me, multi-tree bustages can and have occurred and it just makes for bigger messes to clean up.
Also, this affects more than trunk and doesn't have a security rating. AFAIK, that means it should have gotten security approval before landing.
status-firefox29:
--- → fixed
Flags: needinfo?(efaustbmo)
|
|
||
Comment 10•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.4:
--- → fixed
status-firefox27:
--- → unaffected
status-firefox28:
--- → unaffected
status-firefox30:
--- → fixed
status-firefox-esr24:
--- → unaffected
Flags: needinfo?(efaustbmo)
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•