Crash [@ JSString::ensureLinear] with Symbol

RESOLVED FIXED in mozilla35

Status: RESOLVED FIXED
Importance: -- critical
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: jorendorff)

Tracking

(Blocks: 1 bug, {crash, testcase})

Version: Trunk
Target Milestone: mozilla35
Platform: x86_64 Linux
Keywords: crash, testcase
Points: ---

Firefox Tracking Flags

(firefox34 affected)

Details

(Whiteboard: [jsbugmon:update,ignore], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision cd2acc7ab2f8 (run with --no-threads --fuzzing-safe):

"use strict";
eval('({[Symbol.iterator]:1, [Symbol()]:2})');
(Reporter)

Comment 1

4 years ago
Created attachment 8477692 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

4 years ago
Needinfo from jorendorff because it involves Symbol :)
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

4 years ago
status-firefox34: --- → affected
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 3

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7079b7552946
user:        Guptha Rajagopal
date:        Fri Aug 08 09:15:00 2014 -0400
summary:     Bug 924688 - Implement ES6 computed property names. r=jorendorff

This iteration took 428.368 seconds to run.
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 4

4 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7bd309e55a3d).
(Reporter)

Comment 5

4 years ago
Still reproduces, e.g. with

environment[Symbol.iterator] = 1;

This is just specific to the environment object. This test case doesn't even include a computed property name.
(Assignee)

Comment 7

4 years ago
Any other places where this reproduces? Otherwise it looks like this is fixed...
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Duplicate of bug: 1037723
(Assignee)

Comment 8

4 years ago
D'oh. Bug 1037723 fixes the getter but not the setter.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
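The pattern behind this bug and comment 8, as an added JavaScript example that is not from the bug, the patch, or the SpiderMonkey shell: the shell's environment object resolves, reads and writes properties by looking up an environment variable *by name*, and ES6 made Symbols legal property keys, so every hook that converts a key to a string has to handle the symbol case, on the read path and on the write path. Below, a Proxy over a constructed map of variables stands in for the shell's object. `makeNaiveEnv` coerces every key to a string and fails on symbols (the JS-level analogue of handing a symbol id to `IdToString`); `makeSafeEnv` bails out on symbol keys in all three traps, the way the patch's `JSID_IS_SYMBOL` guard does. The names `FAKE_ENV`, `makeNaiveEnv`, `makeSafeEnv` and `probe` are assumptions for this example.

```javascript
// Added example (not from the bug or from SpiderMonkey): a model of the shell's
// `environment` object whose hooks look environment variables up by name.
// FAKE_ENV is constructed sample data standing in for the process environment.
const FAKE_ENV = new Map([["PATH", "/usr/bin"], ["HOME", "/home/user"]]);

// Naive hooks: coerce the key with `"" + key`, which throws a TypeError for a
// Symbol key. This is the "assume every property key is a string" bug.
function makeNaiveEnv(store) {
  return new Proxy({}, {
    get(target, key) {
      return store.get("" + key);
    },
    set(target, key, value) {
      store.set("" + key, String(value));
      return true;
    },
    has(target, key) {
      return store.has("" + key);
    },
  });
}

// Hardened hooks: a Symbol can never name an environment variable, so each trap
// reports "not present" (get -> undefined, has -> false, set -> accepted but not
// stored) instead of coercing. Note the guard is on the setter as well as the
// getter; fixing only one path leaves the other reachable from script.
function makeSafeEnv(store) {
  return new Proxy({}, {
    get(target, key) {
      if (typeof key === "symbol") return undefined;
      return store.get(key);
    },
    set(target, key, value) {
      if (typeof key === "symbol") return true; // not an env var; nothing to store
      store.set(key, String(value));
      return true;
    },
    has(target, key) {
      if (typeof key === "symbol") return false;
      return store.has(key);
    },
  });
}

// Runs the access patterns from the bug (a well-known symbol read, a fresh
// symbol write, an `in` check) plus an ordinary string lookup against an env
// object, and reports "ok" or the thrown error's name for each.
function probe(env) {
  const attempts = {
    getSymbol: () => env[Symbol.iterator],
    setSymbol: () => { env[Symbol()] = 2; },
    hasSymbol: () => Symbol.iterator in env,
    getString: () => env.PATH,
  };
  const outcome = {};
  for (const [name, run] of Object.entries(attempts)) {
    try {
      run();
      outcome[name] = "ok";
    } catch (e) {
      outcome[name] = e.constructor.name;
    }
  }
  return outcome;
}

console.log("naive:", probe(makeNaiveEnv(new Map(FAKE_ENV))));
console.log("safe: ", probe(makeSafeEnv(new Map(FAKE_ENV))));
```

In script the failure is a catchable TypeError; in the shell's native hook the same missing case reached `IdToString` with a symbol id and crashed, which is why the fix is an explicit early return for symbol ids rather than a string conversion.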
(Assignee)

Comment 9

4 years ago
Created attachment 8486862 [details] [diff] [review]
bug-1057587-env_resolve-v1.patch
Assignee: nobody → jorendorff
Attachment #8486862 - Flags: review?(evilpies)
Comment on attachment 8486862 [details] [diff] [review]
bug-1057587-env_resolve-v1.patch

Review of attachment 8486862 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/shell/js.cpp
@@ +4957,5 @@
>  
> +    if (JSID_IS_SYMBOL(id))
> +        return true;
> +    RootedString idstring(cx, IdToString(cx, id));
> +    if (!idstring)
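Review bot: the bare `return true` on `if (JSID_IS_SYMBOL(id))` is what keeps a symbol id away from `IdToString` on the following line, but nothing in the hunk says why; a one-line comment above it stating that environment variables are named by strings, so a symbol id can never resolve and is intentionally reported as not found, would spare the next reader a trip to this bug. The quoted hunk covers only this resolve path; comment 8 says bug 1037723 fixed the getter but not the setter, so it is worth confirming the same `JSID_IS_SYMBOL` check sits ahead of `IdToString` on the setter path too.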

Good catch.
Attachment #8486862 - Flags: review?(evilpies) → review+
https://hg.mozilla.org/mozilla-central/rev/9f5b055bb012
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35