Closed Bug 1023145 Opened 9 years ago Closed 9 years ago

Assertion failure: args[0].isObject(), at vm/SelfHosting.cpp:522 or Crash [@ js::intrinsic_UnsafeGetReservedSlot] with SIMD

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox33 --- affected

People

(Reporter: decoder, Assigned: bbouvier)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files, 2 obsolete files)

[crash-signature] Machine-readable crash signature
1.09 KB, text/plain
Details
Patch + test
2.80 KB, patch
till
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 9dc0ffca10f4 (run with --fuzzing-safe):


delete Object.prototype.__proto__;
var int32x4 = SIMD.int32x4;
var Array = int32x4.array(1);
var array = new Array([int32x4(1, 2, 3, 4)]);
The crash seems like a null-deref, needinfo on Niko because it's SIMD-related.
Crash Signature: [@ js::intrinsic_UnsafeGetReservedSlot]
status-firefox33: --- → affected
Flags: needinfo?(nmatsakis)
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140607030736" and the hash "f56234ba7ec7".
The "bad" changeset has the timestamp "20140607033236" and the hash "731411eebd0a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f56234ba7ec7&tochange=731411eebd0a

        Attachment #8437578 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #8437618 -
        Attachment is obsolete: true

    
    

    
  
bbouvier, can you take this? It's happening because builtin/TypedObject.js contains this:

    function TypedObjectTypeDescr(typedObj) {
      return TYPROTO_DESCR(typedObj.__proto__);
    }

but user scripts can delete Object.prototype.__proto__. The fix is to declare

    var std_Object_getPrototypeOf = Object.getPrototypeOf;

in Utilities.js, and use that. Kind of surprising we don't have it already.
Flags: needinfo?(benj)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch + testSplinter Review
      

    


  
Thanks jorendorff for the needinfo! The fix you've suggested works perfectly.
Assignee: nobody → benj
Status: NEW → ASSIGNED

        Attachment #8452972 -
        Flags: review?(till)
Flags: needinfo?(nmatsakis)
Flags: needinfo?(benj)

    
    

    
  
Comment on attachment 8452972 [details] [diff] [review]
Patch + test

Review of attachment 8452972 [details] [diff] [review]:
-----------------------------------------------------------------

Surprising we didn't have that indeed!

        Attachment #8452972 -
        Flags: review?(till) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/b69f005c1781
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33

          You need to log in
          before you can comment on or make changes to this bug.