[SERVER-21685] MinKey triggers segfault in SpiderMonkey on non-optimized builds Created: 26/Nov/15  Updated: 05/Apr/17  Resolved: 24/May/16

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 3.2.0-rc4
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Robert Guo (Inactive) Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

Description

Does not affect optimized builds.

 Assertion failure: args.rval().isObject() && callee != &args.rval().toObject(), at src/third_party/mozjs-38/extract/js/src/jscntxtinlines.h:286
2015-11-26T15:33:44.998-0500 F -        [js] Invalid access at address: 0x0
2015-11-26T15:33:45.012-0500 F -        [js] Got signal: 11 (Segmentation fault: 11).
mongod(_ZN5mongo15printStackTraceERNSt3__113basic_ostreamIcNS0_11char_traitsIcEEEE+0x34) [0x101cfa5b4]
 mongod(_ZN5mongo12_GLOBAL__N_123printSignalAndBacktraceEi+0x75) [0x101cfa085]
 mongod(_ZN5mongo12_GLOBAL__N_124abruptQuitWithAddrSignalEiP9__siginfoPv+0xD0) [0x101cf9c30]
 libsystem_platform.dylib(_sigtramp+0x1A) [0x7fff8898e52a]
 ??? [0x7000008a83a8]
 mongod(_ZN2js17InvokeConstructorEP9JSContextN2JS8CallArgsE+0x510) [0x1022a06b0]
 mongod(_ZL9InterpretP9JSContextRN2js8RunStateE+0x128E1) [0x10228f9e1]
 mongod(_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+0x378) [0x10227cff8]
 mongod(_ZN2js6InvokeEP9JSContextN2JS8CallArgsENS_14MaybeConstructE+0x851) [0x10226aca1]
 mongod(_ZN2js6InvokeEP9JSContextRKN2JS5ValueES5_jPS4_NS2_13MutableHandleIS3_EE+0x545) [0x10224dc95]
 mongod(_Z20JS_CallFunctionValueP9JSContextN2JS6HandleIP8JSObjectEENS2_INS1_5ValueEEERKNS1_16HandleValueArrayENS1_13MutableHandleIS6_EE+0x1AD) [0x1029c70dd]
 mongod(_ZN2JSL4CallEP9JSContextNS_6HandleIP8JSObjectEENS2_INS_5ValueEEERKNS_16HandleValueArrayENS_13MutableHandleIS6_EE+0x4D) [0x101b6addd]
 mongod(_ZN5mongo5mozjs14MozJSImplScope6invokeEyPKNS_7BSONObjES4_ibbb+0x778) [0x101b6c2a8]
 mongod(_ZZN5mongo5mozjs15MozJSProxyScope6invokeEyPKNS_7BSONObjES4_ibbbENK4$_24clEv+0x78) [0x101bd5588]
 mongod(_ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRZN5mongo5mozjs15MozJSProxyScope6invokeEyPKNS3_7BSONObjES8_ibbbE4$_24EEEvDpOT_+0x2D) [0x101bd6f8d]
 mongod(_ZNSt3__110__function6__funcIZN5mongo5mozjs15MozJSProxyScope6invokeEyPKNS2_7BSONObjES7_ibbbE4$_24NS_9allocatorIS8_EEFvvEEclEv+0x2C) [0x101bd6e8c]
 mongod(_ZNKSt3__18functionIFvvEEclEv+0x81) [0x10123b571]
 mongod(_ZN5mongo5mozjs15MozJSProxyScope10implThreadEPv+0x3F6) [0x101bb44a6]
 mongod(_ZN4nspr6Thread13ThreadRoutineEPv+0x36) [0x101b3df66]
 mongod(_ZNSt3__114__thread_proxyINS_5tupleIJPFPvS2_EPN4nspr6ThreadEEEEEES2_S2_+0x1AD) [0x101b3fa3d]
 libsystem_pthread.dylib(_pthread_body+0x83) [0x7fff8ee229b1]
 libsystem_pthread.dylib(_pthread_body+0x0) [0x7fff8ee2292e]
 libsystem_pthread.dylib(thread_start+0xD) [0x7fff8ee20385]



Comments
Comment by Mira Carey [ 24/May/16 ]

We gave up mapping our debug mode to spidermonkey debug mode a while back, which means we won't hit this assert anymore.

Comment by Mira Carey [ 30/Nov/15 ]

It looks like this debug assert is Mozilla being opinionated.

From CallJSNativeConstructor():

    /*
     * Native constructors must return non-primitive values on success.
     * Although it is legal, if a constructor returns the callee, there is a
     * 99.9999% chance it is a bug. If any valid code actually wants the
     * constructor to return the callee, the assertion can be removed or
     * (another) conjunct can be added to the antecedent.
     *
     * Exceptions:
     *
     * - Proxies are exceptions to both rules: they can return primitives and
     *   they allow content to return the callee.
     *
     * - CallOrConstructBoundFunction is an exception as well because we might
     *   have used bind on a proxy function.
     *
     * - new Iterator(x) is user-hookable; it returns x.__iterator__() which
     *   could be any object.
     *
     * - (new Object(Object)) returns the callee.
     */

So, debug only (we don't have to worry about this for now), and probably the only way to work around it is to patch the sources and add another exception.
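As an added illustration (not code from the ticket, MongoDB or SpiderMonkey), the predicate behind the quoted assertion modelled in plain JavaScript, next to what `new` yields for a script constructor that returns the same kinds of values; the constructor names are made up for the example.

```javascript
// Added illustration (not MongoDB or SpiderMonkey code): the check that the
// debug assertion at jscntxtinlines.h:286 performs, written in plain JS.
// A native constructor's result is accepted only if it is an object and is
// not the callee itself (the quoted comment lists the exceptions).
function passesNativeConstructorCheck(callee, rval) {
  const isObject =
    rval !== null && (typeof rval === "object" || typeof rval === "function");
  return isObject && rval !== callee;
}

// For comparison, what `new` yields for a *script* constructor: an object
// return value replaces `this`, while a primitive return value is dropped.
function ReturnsPrimitive() { this.tag = "kept"; return 42; }
function ReturnsOtherObject() { return { tag: "replaced" }; }
function ReturnsCallee() { return ReturnsCallee; }

function scriptConstructorOutcomes() {
  return {
    primitiveIgnored: new ReturnsPrimitive().tag,          // "kept"
    objectReplacesThis: new ReturnsOtherObject().tag,      // "replaced"
    calleeReturned: new ReturnsCallee() === ReturnsCallee, // true
  };
}

// The same return values run through the native-constructor predicate.
function assertionOutcomes() {
  return {
    primitive: passesNativeConstructorCheck(ReturnsPrimitive, 42),              // false
    otherObject: passesNativeConstructorCheck(ReturnsOtherObject, { tag: "x" }), // true
    callee: passesNativeConstructorCheck(ReturnsCallee, ReturnsCallee),         // false
    // The documented exception from the comment: new Object(Object) returns
    // the callee, so it would fail the generic check and is special-cased.
    objectOfObject: passesNativeConstructorCheck(Object, new Object(Object)),   // false
  };
}
```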
