Closed Bug 879096 Opened 11 years ago Closed 11 years ago

Crash [@ js::ObjectImpl::getOps] or [@ js::EncapsulatedPtr]

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
Tracking Status
firefox23 --- unaffected
firefox24 + verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(1 file)

Attached file debug and opt stacks

// Reduced test case from the report; the loop count of 1000 is essential (see below).
x = []
try {
    // Getter on the global object: every read of z stores a self-reference into x
    // and returns a fresh array.
    Object.defineProperty(this, "z", {
        get: function() {
            x[6] = x;
            return new Array
        }
    });
    x = z
    // Integer-indexed store on z; each iteration re-invokes the z getter.
    for (var n = 0; n < 1000; n++) {
        z[7] = 1
    }
    x()
} catch (e) {}

Crashes the js debug shell on m-c changeset 57d30169ddd4 with --baseline-eager at js::EncapsulatedPtr, and crashes the js opt shell at js::ObjectImpl::getOps.

The "1000" value is essential to trigger the bug.

Locking s-s just in case, even though this requires --enable-more-deterministic; feel free to open up if that turns out not to be needed.


autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132941:3835cbed5915
user:        Nicolas B. Pierron
date:        Fri May 24 14:58:08 2013 -0700
summary:     Bug 774006 - IonMonkey: Implement SetElementIC for integer indexes. r=h4writer
Flags: needinfo?(nicolas.b.pierron)
Crash Signature: [@ js::ObjectImpl::getOps] [@ js::EncapsulatedPtr] → [@ js::ObjectImpl::getOps] [@ js::EncapsulatedPtr]
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
I can still reproduce with m-c rev 9115d8b717e1, on a --enable-more-deterministic shell with --baseline-eager.
Guessing this is sec-high...
Keywords: sec-high
I have also checked that the patch in bug 881470 comment 5 also fixes this issue.
Flags: needinfo?(nicolas.b.pierron)
This is likely fixed by the patch in bug 881470.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
No longer seeing crashes at those signatures.
Status: RESOLVED → VERIFIED
Group: core-security