Closed
Bug 948423
Opened 11 years ago
Closed 11 years ago
Assertion failure: mutationCount == p.mutationCount, at dist/include/js/HashTable.h:1459
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla29
Branch | Tracking | Status
---|---|---
firefox27 | --- | disabled
firefox28 | --- | disabled
firefox29 | --- | fixed
firefox-esr24 | --- | disabled
b2g18 | --- | unaffected
b2g-v1.2 | --- | unaffected
b2g-v1.3 | --- | disabled
People
(Reporter: decoder, Assigned: jonco)
References
Details
(Keywords: assertion, sec-critical, testcase)
Attachments
(1 file)
1.84 KB, patch; sfink: review+
The following testcase asserts on mozilla-central revision df82be9d89a5 (threadsafe build, run with --fuzzing-safe --thread-count=2):

    var ArrayType = TypedObject.ArrayType;
    var StructType = TypedObject.StructType;
    var uint8 = TypedObject.uint8;
    var uint32 = TypedObject.uint32;
    var ObjectType = TypedObject.Object;
    function runTests() {
      (function DimensionLinkedToUndimension() {
        var UintsA = uint32.array();
        var FiveUintsA = UintsA.dimension(5);
        var FiveUintsB = uint32.array(5);
        assertEq(true, FiveUintsA.equivalent(FiveUintsB));
      })();
      (function PrototypeHierarchy() {
        schedulegc(3);
        var Uint8s = uint8.array();
      })();
    }
    runTests();
Reporter
Comment 1•11 years ago
This is a gc hazard, Jonco and mjrosenb are already investigating :) Marked sec-critical because some object is being modified while finalized, and that doesn't sound like a good idea.
Keywords: sec-critical
Assignee
Comment 2•11 years ago
We need to call relookupOrAdd() rather than add() here as creating a new type object may have caused a GC, which may have modified the hash table.
Assignee: general → jcoppeard
Attachment #8345961 - Flags: review?(sphink)
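The hazard described in Comment 2, worked through in an added example (hypothetical code written for this page, not SpiderMonkey's js/HashTable.h): the model table below counts every mutation, an AddPtr taken by lookupForAdd() snapshots that count, and add() refuses a stale AddPtr where the real table asserts mutationCount == p.mutationCount. A constructed createTypeObject() stands in for the allocation that may run a GC, and the GC's finalizer removes a dead entry from the table in between the lookup and the insert. The class, the "dead-type" and "uint8[]" keys, and the intern functions are all assumptions for illustration.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>

// Minimal model of the lookupForAdd/add/relookupOrAdd pattern (hypothetical
// code, not SpiderMonkey's HashTable). Every insertion or removal bumps
// mutationCount_; an AddPtr remembers the count seen at lookup time so a
// stale pointer is detected instead of silently corrupting the table.
class TypeTable {
public:
    struct AddPtr {
        std::string key;
        bool found;
        uint64_t mutationCount;   // snapshot taken by lookupForAdd()
    };

    AddPtr lookupForAdd(const std::string& key) const {
        return AddPtr{key, entries_.count(key) != 0, mutationCount_};
    }

    // Models add(): only valid while the AddPtr is fresh. Returns false
    // where the real table would assert on a mutationCount mismatch.
    bool add(const AddPtr& p, int value) {
        if (p.mutationCount != mutationCount_) return false;  // stale AddPtr
        if (p.found) return false;                           // already present
        entries_[p.key] = value;
        ++mutationCount_;
        return true;
    }

    // Models relookupOrAdd(): if the table changed since the lookup, redo
    // the lookup first; fails only if the key has appeared meanwhile.
    bool relookupOrAdd(AddPtr& p, int value) {
        if (p.mutationCount != mutationCount_) p = lookupForAdd(p.key);
        return add(p, value);
    }

    void remove(const std::string& key) {
        if (entries_.erase(key)) ++mutationCount_;
    }

    bool has(const std::string& key) const { return entries_.count(key) != 0; }
    uint64_t mutationCount() const { return mutationCount_; }

private:
    std::unordered_map<std::string, int> entries_;
    uint64_t mutationCount_ = 0;
};

// Constructed stand-in for "creating a new type object": the allocation may
// trigger a GC, and finalizing a dead type object removes its table entry.
int createTypeObject(TypeTable& table, bool triggerGC) {
    if (triggerGC) table.remove("dead-type");   // finalizer mutates the table
    return 42;                                   // the "new object"
}

// The pattern the bug had: lookupForAdd, allocate (may GC), then add().
bool buggyIntern(TypeTable& table, const std::string& key, bool gc) {
    TypeTable::AddPtr p = table.lookupForAdd(key);
    if (p.found) return true;
    int obj = createTypeObject(table, gc);
    return table.add(p, obj);
}

// The fixed pattern: relookupOrAdd() tolerates mutations during allocation.
bool fixedIntern(TypeTable& table, const std::string& key, bool gc) {
    TypeTable::AddPtr p = table.lookupForAdd(key);
    if (p.found) return true;
    int obj = createTypeObject(table, gc);
    return table.relookupOrAdd(p, obj);
}

// A table holding one entry that the simulated GC will finalize.
TypeTable makeTable() {
    TypeTable t;
    TypeTable::AddPtr p = t.lookupForAdd("dead-type");
    t.add(p, 1);
    return t;
}

// Without a GC in between, the old pattern works fine.
bool buggyPathFineWithoutGC() {
    TypeTable t = makeTable();
    return buggyIntern(t, "uint8[]", false) && t.has("uint8[]");
}

// With a GC in between, the stale AddPtr is rejected (the assertion case).
bool buggyPathFailsUnderGC() {
    TypeTable t = makeTable();
    return !buggyIntern(t, "uint8[]", true) && !t.has("uint8[]");
}

// relookupOrAdd() re-does the lookup and the insert succeeds.
bool fixedPathSucceedsUnderGC() {
    TypeTable t = makeTable();
    return fixedIntern(t, "uint8[]", true) && t.has("uint8[]") && !t.has("dead-type");
}
```

The mutation counter is what turns a silent use-after-rehash into a loud assertion in debug builds; in a release build the stale AddPtr would point at a slot that no longer means what it did, which is why the reporter treated the fuzzer's assertion as memory-safety relevant rather than a mere test failure.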
Updated•11 years ago
status-b2g18: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → disabled
status-firefox27: --- → disabled
status-firefox28: --- → disabled
status-firefox29: --- → affected
status-firefox-esr24: --- → disabled
Comment 3•11 years ago
Comment on attachment 8345961 [details] [diff] [review]
bug948423-typerep-fuzz

Review of attachment 8345961 [details] [diff] [review]:
-----------------------------------------------------------------

Nasty little typerepresentationses playing with my preciousss hashtableses while I is sleepings. Nasty nasssty.
Attachment #8345961 - Flags: review?(sphink) → review+
Assignee
Comment 4•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/463a1bf8508f
https://hg.mozilla.org/mozilla-central/rev/463a1bf8508f
Target Milestone: --- → mozilla29
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Reporter
Updated•11 years ago
Status: RESOLVED → VERIFIED
Reporter
Comment 6•11 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 7•11 years ago
Unfortunately, TypedObject is nightly only, so as https://tbpl.mozilla.org/?tree=Try&rev=9e4d891154f4 shows you need a followup to bail out if TypedObject is undefined so we won't be permaorange on aurora at the next merge.
Updated•9 years ago
Group: core-security