Closed Bug 1061534 Opened 7 years ago Closed 7 years ago

Assertion failure: obj->is<JSObject>() || obj->is<ArrayObject>(), at jsobj.cpp:2004

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla35
Tracking Status
firefox35 --- affected

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

The following testcase asserts on mozilla-central revision c360f3d1c00d (run with --fuzzing-safe --no-threads --ion-eager):

test = (function () {
  function f() {};
  return "var obj = { x : 2 };" + f.toSource() + (4);
})();
evalWithCache(test, {});
function evalWithCache(code, ctx) {
  code = cacheEntry(code);
  var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
}
if (typeof assertThrowsInstanceOf === 'undefined') {
    var assertThrowsInstanceOf = function assertThrowsInstanceOf(f, ctor, msg) {};
}
evaluate('evaluate(\'assertThrowsInstanceOf(function () {}, ["jak", "ms"]);\', { noScriptRval : true, compileAndGo : true  })');

This doesn't crash but the code later on seems to assume that if the object is not an Array, it is a JSObject and treats it as such. Not sure what implications this has, so marking s-s for now.
Whiteboard: [jsbugmon:update,bisect]
It looks like maybe you are the last one to look at this function in bug 1057571, Brian, could you take a look?  Thanks.
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review
This looks like a bug in MCloneLiteral codegen.  The wrong register is used, which is pretty bad, but I don't know how and when we use the cloneSingletons option on compartments so it's hard to gauge how serious this is.
Assignee: nobody → bhackett1024
Attachment #8482972 - Flags: review?(nicolas.b.pierron)
Flags: needinfo?(bhackett1024)
(In reply to Brian Hackett (:bhackett) from comment #4)
> This looks like a bug in MCloneLiteral codegen.  The wrong register is used,
> which is pretty bad, but I don't know how and when we use the
> cloneSingletons option on compartments so it's hard to gauge how serious
> this is.

We use cloneSingletons when we intend to save the code that we produced after having executed it.  It was added for the start-up cache projects which keep being postponed.  So I do not expect anybody to be using it yet, except our test suite. The |evalWithCache| function provided in the test suite is used to check that we do not lose any information by serializing and deserializing, such as type information.
Attachment #8482972 - Flags: review?(nicolas.b.pierron) → review+
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/d680084327eb
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla35