Closed Bug 1117240 Opened 5 years ago Closed 5 years ago

Assertion failure: newType, at jsobjinlines.h

Categories

(Core :: JavaScript: GC, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla37
Tracking Status
firefox37 --- affected

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

The upcoming testcase asserts js debug shell on m-c changeset 13fe5ad0364d with --fuzzing-safe --no-threads --ion-eager at Assertion failure: newType, at jsobjinlines.h

The shell was obtained from:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-01-02-mozilla-central-debug/

in particular:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-01-02-mozilla-central-debug/jsshell-linux-x86_64.zip

This was found by combining random js tests together with jsfunfuzz; the specific files are too many to be listed.

Setting s-s as a start but not setting a rating. This may be an OOM/GC issue, but the assertion describing types does not really sound good.

Bisection is not reliable - I cannot reproduce on a local testcase, and so I do not have a reliable stack.
Flags: needinfo?(terrence)
Flags: needinfo?(sphink)
Flags: needinfo?(jcoppeard)
Attached patch bug1117240
TypeCompartment::newTypeObject() is fallible but its return value is not checked.
Assignee: nobody → jcoppeard
Flags: needinfo?(terrence)
Flags: needinfo?(sphink)
Flags: needinfo?(jcoppeard)
Attachment #8543940 - Flags: review?(bhackett1024)
Blocks: 1061318
Is this basically just a null deref then?  Can we unhide the bug?
Attachment #8543940 - Flags: review?(bhackett1024) → review+
(In reply to Andrew McCreight [:mccr8] from comment #3)
Yes, please do.
Group: core-security
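The defect class named in comment 1 and comment 3 (a fallible allocation whose nullptr result is never checked, so the next write dereferences null) shown as an added C++ example; this is not the bug's patch and not SpiderMonkey code. The `Arena`, `TypeObject`, `newTypeObject`, `setTypeUnchecked` and `setTypeChecked` names are constructed stand-ins for the pattern, with the arena's byte budget used to simulate OOM deterministically:

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Constructed stand-in for a fallible allocator: returns nullptr once the
// simulated byte budget is exhausted, the way an OOM makes a real
// allocation fail. Not SpiderMonkey's allocator.
struct Arena {
    size_t budget;  // bytes still available before we report OOM

    void* alloc(size_t n) {
        if (n > budget) return nullptr;  // fallible: every caller must check
        budget -= n;
        return ::operator new(n);
    }
};

struct TypeObject {
    uint32_t flags;
};

// Hypothetical fallible factory (not the real TypeCompartment::newTypeObject).
// Returns nullptr on OOM, so callers that dereference without checking crash.
TypeObject* newTypeObject(Arena& arena) {
    void* mem = arena.alloc(sizeof(TypeObject));
    if (!mem) return nullptr;
    return new (mem) TypeObject{0};
}

void freeTypeObject(TypeObject* obj) {
    ::operator delete(obj);
}

// The unchecked pattern from the report: under OOM newType is nullptr and the
// write to newType->flags is a null-pointer dereference. Kept only to show the
// shape of the defect; do not call it with an exhausted arena.
void setTypeUnchecked(Arena& arena, TypeObject*& out) {
    TypeObject* newType = newTypeObject(arena);
    newType->flags = 1;  // crashes when newTypeObject() returned nullptr
    out = newType;
}

// The checked pattern: report failure to the caller instead of dereferencing,
// so an OOM unwinds cleanly rather than faulting.
bool setTypeChecked(Arena& arena, TypeObject*& out) {
    TypeObject* newType = newTypeObject(arena);
    if (!newType) return false;  // OOM: propagate, caller decides what to do
    newType->flags = 1;
    out = newType;
    return true;
}

// Returns true when the checked path succeeds with a sufficient budget and
// hands back an initialised object.
bool checkedSucceedsWithBudget() {
    Arena arena{64};
    TypeObject* obj = nullptr;
    bool ok = setTypeChecked(arena, obj);
    bool result = ok && obj != nullptr && obj->flags == 1;
    if (obj) freeTypeObject(obj);
    return result;
}

// Returns true when the checked path reports failure (rather than crashing)
// once the budget is zero, i.e. under simulated OOM.
bool checkedFailsUnderOom() {
    Arena arena{0};
    TypeObject* obj = nullptr;
    bool ok = setTypeChecked(arena, obj);
    return !ok && obj == nullptr;
}

int main() {
    // Only the checked variant is exercised; the unchecked one would fault
    // with an exhausted arena, which is exactly the assertion in this bug.
    return (checkedSucceedsWithBudget() && checkedFailsUnderOom()) ? 0 : 1;
}
```

In a real engine the `return false` path is what lets the interpreter report an out-of-memory error; the unchecked path turns the same OOM into a crash, which is why the reporter kept s-s until it was confirmed to be a plain null dereference.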
https://hg.mozilla.org/mozilla-central/rev/b25b5bedc53a
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37