Bugzilla@Mozilla – Bug 568855
Crash [@ nanojit::LIns::opcode] with non-native __proto__
Last modified: 2010-07-20 16:43:19 PDT
Summon comment box
this.__proto__ = Proxy.create({has:function(){return false}}); (function(){ eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")(); })() Triggers one of the following (all in a debug build): * Crash [@ nanojit::LIns::opcode] * Crash [@ nanojit::LirWriter::insImmI] * Assertion failed: 0 (../nanojit/LIR.cpp:996) * Assertion failure: status == ARECORD_COMPLETED || status == ARECORD_ABORTED || status == ARECORD_ERROR, at ../jstracer.cpp:7139 The proliferation of assertions and crashes may make this annoying for jsfunfuzz.
This can be triggered via liveconnect as well, and might affect branches.
js> this.__proto__ = Proxy.create({has:function(){return false}}); js> (function(){ eval("(function(){ for(var j=0;j<6;++j) if(j%2==1) p=0; })")(); })() Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x0000003a 0x001601f5 in nanojit::CseFilter::insLoad () (gdb) (gdb) bt #0 0x001601f5 in nanojit::CseFilter::insLoad () #1 0x0012cd95 in js::TraceRecorder::traverseScopeChain () #2 0x00138575 in js::TraceRecorder::record_JSOP_BINDNAME () #3 0x00155618 in js::TraceRecorder::monitorRecording () #4 0x0005bc76 in js_Interpret () #5 0x000665a0 in js_Execute () #6 0x0000f67c in JS_ExecuteScript () #7 0x00004cfc in Process () #8 0x000090ba in main () (gdb) x/i $eip 0x1601f5 <_ZN7nanojit9CseFilter7insLoadENS_7LOpcodeEPNS_4LInsEih+629>: call *0x30(%ecx) (gdb) x/b $ecx 0xa: Cannot access memory at address 0xa
This is not a recent regression. And it affects branches. Keep this closed please.
Created attachment 448142 [details] [review] patch Existing bug in js_FindIdentifierBase usage here. It can deep abort. Static analysis would be nice here.
(This was checked in to TM) http://hg.mozilla.org/tracemonkey/rev/3e86dbfb0814
http://hg.mozilla.org/mozilla-central/rev/3e86dbfb0814
Any hope for branch patches for this?
Created attachment 455263 [details] [review] patch for 1.9.2
Comment on attachment 455263 [details] [review] patch for 1.9.2 a=LegNeato for 1.9.2.7. Please land on mozilla-1.9.2 default. Thanks for getting to this!
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/fb26dff2f09e
This affects 1.9.1 as well, yes?
1.9.1 is not affected. We didn't trace this case back then.
Thanks for confirming!