Closed
Bug 1061534
Opened 10 years ago
Closed 10 years ago
Assertion failure: obj->is<JSObject>() || obj->is<ArrayObject>(), at jsobj.cpp:2004
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla35
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | affected |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(2 files)
|
465 bytes,
text/plain
|
Details | |
|
763 bytes,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision c360f3d1c00d (run with --fuzzing-safe --no-threads --ion-eager):
test = (function () {
function f() {};
return "var obj = { x : 2 };" + f.toSource() + (4);
})();
evalWithCache(test, {});
function evalWithCache(code, ctx) {
code = cacheEntry(code);
var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
}
if (typeof assertThrowsInstanceOf === 'undefined') {
var assertThrowsInstanceOf = function assertThrowsInstanceOf(f, ctor, msg) {};
}
evaluate('evaluate(\'assertThrowsInstanceOf(function () {}, ["jak", "ms"]);\', { noScriptRval : true, compileAndGo : true })');
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
This doesn't crash but the code later on seems to assume that if the object is not an Array, it is a JSObject and treats it as such. Not sure what implications this has, so marking s-s for now.
status-firefox35:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
|
||
Comment 3•10 years ago
|
||
It looks like maybe you are the last one to look at this function in bug 1057571, Brian, could you take a look? Thanks.
Flags: needinfo?(bhackett1024)
|
Assignee | |
Comment 4•10 years ago
|
||
This looks like a bug in MCloneLiteral codegen. The wrong register is used, which is pretty bad, but I don't know how and when we use the cloneSingletons option on compartments so it's hard to gauge how serious this is.
Assignee: nobody → bhackett1024
Attachment #8482972 -
Flags: review?(nicolas.b.pierron)
Flags: needinfo?(bhackett1024)
|
||
Comment 5•10 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #4) > This looks like a bug in MCloneLiteral codegen. The wrong register is used, > which is pretty bad, but I don't know how and when we use the > cloneSingletons option on compartments so it's hard to gauge how serious > this is. We use cloneSingletons when we intend to save the code that we produced after having executed it. It was added for the start-up cache projects which keep being postponed. So I do not expect anybody to be using it yet, except our test suite. The |evalWithCache| function provided in the test suite is used to check that we do not lose any information by serializing and deserializing, such as type information.
|
|
||
Updated•10 years ago
|
Attachment #8482972 -
Flags: review?(nicolas.b.pierron) → review+
|
|
Assignee | |
Updated•10 years ago
|
Group: core-security
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d680084327eb
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d680084327eb
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in
before you can comment on or make changes to this bug.
Description
•