Last Comment Bug 568855 - Crash [@ nanojit::LIns::opcode] with non-native __proto__
: Crash [@ nanojit::LIns::opcode] with non-native __proto__
Status: RESOLVED FIXED
: [ccbr][sg:critical?] fixed-in-tracemo...
: assertion, crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86 Mac OS X
: -- critical (vote)
: ---
Assigned To: Andreas Gal :gal
: general
:
:
: jsfunfuzz harmony:proxies
  Show dependency treegraph
 
Reported: 2010-05-28 09:32 PDT by Jesse Ruderman
Modified: 2010-07-20 16:43 PDT (History)
12 users (show)
See Also:
Crash Signature:
[@ nanojit::LIns::opcode]
  ---
  ---
  ---
  ---
  ---
  ---
  ---
  ---
  ---
  final+
  ---
  .7+
  .7-fixed
  ---
  unaffected


Attachments
patch (1.03 KB, patch)
2010-05-28 16:45 PDT, Andreas Gal :gal
dvander: review+
Details | Diff | Splinter Review
patch for 1.9.2 (1.03 KB, patch)
2010-06-30 14:21 PDT, Andreas Gal :gal
dvander: review+
clegnitto: approval1.9.2.7+
Details | Diff | Splinter Review

Summon comment box

Description Jesse Ruderman 2010-05-28 09:32:49 PDT
this.__proto__ = Proxy.create({has:function(){return false}});
(function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Triggers one of the following (all in a debug build):
* Crash [@ nanojit::LIns::opcode]
* Crash [@ nanojit::LirWriter::insImmI]
* Assertion failed: 0 (../nanojit/LIR.cpp:996)
* Assertion failure: status == ARECORD_COMPLETED || status == ARECORD_ABORTED || status == ARECORD_ERROR, at ../jstracer.cpp:7139

The proliferation of assertions and crashes may make this annoying for jsfunfuzz.
Comment 1 Andreas Gal :gal 2010-05-28 09:35:47 PDT
This can be triggered via liveconnect as well, and might affect branches.
Comment 2 Gary Kwong [:nth10sd] 2010-05-28 10:29:08 PDT
js> this.__proto__ = Proxy.create({has:function(){return false}});
js> (function(){
  eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")();
})()

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000003a
0x001601f5 in nanojit::CseFilter::insLoad ()
(gdb) 
(gdb) bt
#0  0x001601f5 in nanojit::CseFilter::insLoad ()
#1  0x0012cd95 in js::TraceRecorder::traverseScopeChain ()
#2  0x00138575 in js::TraceRecorder::record_JSOP_BINDNAME ()
#3  0x00155618 in js::TraceRecorder::monitorRecording ()
#4  0x0005bc76 in js_Interpret ()
#5  0x000665a0 in js_Execute ()
#6  0x0000f67c in JS_ExecuteScript ()
#7  0x00004cfc in Process ()
#8  0x000090ba in main ()
(gdb) x/i $eip
0x1601f5 <_ZN7nanojit9CseFilter7insLoadENS_7LOpcodeEPNS_4LInsEih+629>:  call   *0x30(%ecx)
(gdb) x/b $ecx
0xa:    Cannot access memory at address 0xa
Comment 3 Andreas Gal :gal 2010-05-28 10:33:39 PDT
This is not a recent regression. And it affects branches. Keep this closed please.
Comment 4 Andreas Gal :gal 2010-05-28 16:45:35 PDT
Created attachment 448142 [details] [review]
patch

Existing bug in js_FindIdentifierBase usage here. It can deep abort. Static analysis would be nice here.
Comment 5 Gary Kwong [:nth10sd] 2010-06-03 04:36:46 PDT
(This was checked in to TM)

http://hg.mozilla.org/tracemonkey/rev/3e86dbfb0814
Comment 7 Christian Legnitto [:LegNeato] 2010-06-25 17:13:51 PDT
Any hope for branch patches for this?
Comment 8 Andreas Gal :gal 2010-06-30 14:21:54 PDT
Created attachment 455263 [details] [review]
patch for 1.9.2
Comment 9 Christian Legnitto [:LegNeato] 2010-06-30 16:30:42 PDT
Comment on attachment 455263 [details] [review]
patch for 1.9.2

a=LegNeato for 1.9.2.7. Please land on mozilla-1.9.2 default.

Thanks for getting to this!
Comment 11 Christian Legnitto [:LegNeato] 2010-06-30 18:43:11 PDT
This affects 1.9.1 as well, yes?
Comment 12 Andreas Gal :gal 2010-06-30 19:25:36 PDT
1.9.1 is not affected. We didn't trace this case back then.
Comment 13 Christian Legnitto [:LegNeato] 2010-06-30 20:37:17 PDT
Thanks for confirming!

Note You need to log in before you can comment on or make changes to this bug.