Closed Bug 1118773 Opened 5 years ago Closed 5 years ago

Crash [@ js::NativeObject::getReservedSlot] with TypedObject

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86 Linux

Tracking: RESOLVED DUPLICATE of bug 1113744
Tracking Status: firefox37 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])


The following testcase crashes on mozilla-central revision 33781a3a5201 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --no-threads):

var A = TypedObject.uint8.array(0x0 );
var a = new A();
var AA = TypedObject.uint8.array(2147483647).array(0);
(this.A   ) = function() { return ++x };
evaluate("gc();");
a.configurable === true

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0815f595 in js::NativeObject::getReservedSlot (this=(const js::NativeObject * const) 0xf6859580 Cannot access memory at address 0x0, index=0) at js/src/vm/NativeObject.h:841
841	        MOZ_ASSERT(index < JSSLOT_FREE(getClass()));
#0  0x0815f595 in js::NativeObject::getReservedSlot (this=(const js::NativeObject * const) 0xf6859580 Cannot access memory at address 0x0, index=0) at js/src/vm/NativeObject.h:841
#1  0x0810841f in kind (this=<optimized out>) at js/src/builtin/TypedObject.h:158
#2  js::TypedObject::obj_getGeneric (cx=0x967d518, obj=(JSObject * const) 0xf685c010 [object InlineTransparentTypedObject], receiver=(JSObject * const) 0xf685c010 [object InlineTransparentTypedObject], id=$jsid("configurable"), vp=$jsval(-nan(0xfff88f685c010))) at js/src/builtin/TypedObject.cpp:1813
#3  0x080bb9d3 in JSObject::getGeneric (cx=0x967d518, obj=(JSObject * const) 0xf685c010 [object InlineTransparentTypedObject], receiver=(JSObject * const) 0xf685c010 [object InlineTransparentTypedObject], id=$jsid("configurable"), vp=$jsval(-nan(0xfff88f685c010))) at js/src/vm/NativeObject.h:1403
#4  0x086e34d8 in GetPropertyOperation (vp=$jsval(-nan(0xfff88f685c010)), lval=$jsval(-nan(0xfff88f685c010)), pc=<optimized out>, script=0xf684b128, fp=<optimized out>, cx=0x967d518) at js/src/vm/Interpreter.cpp:251
#5  Interpret (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:2376
#6  0x086f0db2 in js::RunScript (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:452
#7  0x086f10f5 in js::ExecuteKernel (cx=0x967d518, script=0xf684b128, scopeChainArg=(JSObject &) @0xf6847040 [object global] delegate, thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:661
#8  0x086f14ad in js::Execute (cx=0x967d518, script=0xf684b128, scopeChainArg=(JSObject &) @0xf6847040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:698
#9  0x0855f021 in ExecuteScript (cx=0x967d518, obj=(JSObject * const) 0xf6847040 [object global] delegate, scriptArg=0xf684b128, rval=0x0) at js/src/jsapi.cpp:4324
#10 0x0805bc99 in RunFile (compileOnly=false, file=0x9729e78, filename=0xffffd0e4 "min.js", obj=..., cx=0x967d518) at js/src/shell/js.cpp:450
#11 Process (cx=0x967d518, obj_=<optimized out>, filename=0xffffd0e4 "min.js", forceTTY=false) at js/src/shell/js.cpp:583
#12 0x08068f34 in ProcessArgs (op=0xffffccb8, obj_=<optimized out>, cx=0x967d518) at js/src/shell/js.cpp:5320
#13 Shell (op=0xffffccb8, cx=0x967d518, envp=<optimized out>) at js/src/shell/js.cpp:5559
#14 main (argc=<error reading variable: Cannot access memory at address 0x0>, argv=<error reading variable: Cannot access memory at address 0x4>, envp=<error reading variable: Cannot access memory at address 0x8>) at js/src/shell/js.cpp:5898
eax	0x0	0
ebx	0x963bff4	157532148
ecx	0x0	0
edx	0x0	0
esi	0xf6859580	-159017600
edi	0x0	0
ebp	0xffffc298	4294951576
esp	0xffffc270	4294951536
eip	0x815f595 <js::NativeObject::getReservedSlot(unsigned int) const+37>
=> 0x815f595 <js::NativeObject::getReservedSlot(unsigned int) const+37>:	movzbl 0x5(%eax),%eax
   0x815f599 <js::NativeObject::getReservedSlot(unsigned int) const+41>:	cmp    %edi,%eax
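The register dump and faulting instruction above are enough to classify this fault mechanically: eax is 0 and the crashing instruction is `movzbl 0x5(%eax),%eax`, so the faulting address is 0x5, a near-null read (the `this` pointer itself is 0xf6859580; what is null is a pointer loaded from it, which is also why gdb reports "Cannot access memory at address 0x0" while printing the object). The Python triage helper below is added here as an example and is not part of the bug report or of Mozilla's tooling. It parses an excerpt of the gdb output copied from this report (signal line, frames #0-#2, register dump, and the `=>` instruction), computes the effective address of the AT&T memory operand from the register values, and labels the fault as a near-null or wild read/write. The parsing rules, the `triage_gdb_crash` name and the 0x10000 near-null threshold are this example's own assumptions.

```python
import re
from typing import Any, Dict

# Sample input: an excerpt (frames #0-#2, register dump, faulting instruction)
# copied from the gdb output in the bug report above.
GDB_OUTPUT = """\
Program received signal SIGSEGV, Segmentation fault.
0x0815f595 in js::NativeObject::getReservedSlot (this=(const js::NativeObject * const) 0xf6859580 Cannot access memory at address 0x0, index=0) at js/src/vm/NativeObject.h:841
841            MOZ_ASSERT(index < JSSLOT_FREE(getClass()));
#0  0x0815f595 in js::NativeObject::getReservedSlot (this=(const js::NativeObject * const) 0xf6859580 Cannot access memory at address 0x0, index=0) at js/src/vm/NativeObject.h:841
#1  0x0810841f in kind (this=<optimized out>) at js/src/builtin/TypedObject.h:158
#2  js::TypedObject::obj_getGeneric (cx=0x967d518, obj=(JSObject * const) 0xf685c010 [object InlineTransparentTypedObject], receiver=(JSObject * const) 0xf685c010 [object InlineTransparentTypedObject], id=$jsid("configurable"), vp=$jsval(-nan(0xfff88f685c010))) at js/src/builtin/TypedObject.cpp:1813
eax    0x0    0
ebx    0x963bff4    157532148
ecx    0x0    0
edx    0x0    0
esi    0xf6859580    -159017600
edi    0x0    0
ebp    0xffffc298    4294951576
esp    0xffffc270    4294951536
eip    0x815f595    <js::NativeObject::getReservedSlot(unsigned int) const+37>
=> 0x815f595 <js::NativeObject::getReservedSlot(unsigned int) const+37>:    movzbl 0x5(%eax),%eax
   0x815f599 <js::NativeObject::getReservedSlot(unsigned int) const+41>:    cmp    %edi,%eax
"""

SIGNAL_RE = re.compile(r"^Program received signal (\w+)")
# "#N  [0xADDR in ]function (args) at file:line"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\(.*?\bat\s+(\S+):(\d+)\s*$")
# "reg  0xHEX  <anything>" (register dump rows)
REG_RE = re.compile(r"^([a-z][a-z0-9]*)\s+(0x[0-9a-fA-F]+)\s+\S")
# "=> 0xADDR <symbol+off>:  mnemonic operands" (the faulting instruction)
INSN_RE = re.compile(r"^=>\s+0x[0-9a-fA-F]+\s+<[^>]*>:\s+(\S+)\s+(.*?)\s*$")
# AT&T memory operand: disp(base,index,scale), every part optional.
MEM_RE = re.compile(r"(-?0x[0-9a-fA-F]+|-?\d+)?\((%[a-z0-9]+)?(?:,(%[a-z0-9]+)(?:,(\d+))?)?\)")

# Mnemonics that only read a memory operand even when it sits in the
# destination position (AT&T syntax puts the destination last).
READ_ONLY_MNEMONICS = ("cmp", "test")
# Assumed threshold (this example's choice): faults below it are treated as
# null-pointer dereferences with a small field offset.
NEAR_NULL_LIMIT = 0x10000


def effective_address(mem: "re.Match[str]", regs: Dict[str, int], mask: int) -> int:
    """Compute disp + base + index*scale for a parsed AT&T memory operand."""
    disp, base, index, scale = mem.groups()
    addr = int(disp, 0) if disp else 0
    if base:
        addr += regs[base.lstrip("%")]
    if index:
        addr += regs[index.lstrip("%")] * (int(scale) if scale else 1)
    return addr & mask


def triage_gdb_crash(text: str) -> Dict[str, Any]:
    """Parse gdb crash output and classify the faulting memory access."""
    signal = None
    frames: Dict[int, str] = {}
    regs: Dict[str, int] = {}
    insn = None
    for line in text.splitlines():
        if (m := SIGNAL_RE.match(line)):
            signal = m.group(1)
        elif (m := FRAME_RE.match(line)):
            frames[int(m.group(1))] = m.group(2)
        elif (m := REG_RE.match(line)):
            regs[m.group(1)] = int(m.group(2), 16)
        elif (m := INSN_RE.match(line)):
            insn = (m.group(1), m.group(2))

    result: Dict[str, Any] = {
        "signal": signal, "frames": frames, "top_frame": frames.get(0),
        "fault_address": None, "access": None, "classification": "unknown",
    }
    if insn is None:
        return result
    mnemonic, operands = insn
    mem = MEM_RE.search(operands)
    if mem is None:
        result["classification"] = "fault without memory operand (e.g. bad instruction pointer)"
        return result

    # A 32-bit register file if eip is present, otherwise assume 64-bit.
    mask = 0xFFFFFFFF if "eip" in regs else 0xFFFFFFFFFFFFFFFF
    addr = effective_address(mem, regs, mask)
    is_dest = operands.endswith(mem.group(0))
    reads_only = mnemonic.startswith(READ_ONLY_MNEMONICS)
    access = "write" if is_dest and not reads_only else "read"
    result["fault_address"] = addr
    result["access"] = access
    if addr < NEAR_NULL_LIMIT:
        result["classification"] = f"near-null {access} at {addr:#x} (null pointer dereference)"
    else:
        result["classification"] = f"wild {access} at {addr:#x} (needs further analysis)"
    return result


if __name__ == "__main__":
    for key, value in triage_gdb_crash(GDB_OUTPUT).items():
        print(f"{key}: {value}")
```

On this report the helper yields fault address 0x5, access "read" and a near-null classification, matching the manual reading of the dump. A near-null read is the least worrying shape a SIGSEGV can take, which is consistent with the triage here resting on the original bug's rating rather than on this crash alone; a wild or write fault would call for the deeper analysis the comments defer to bug 1113744.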
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/46ae5134ab00
user:        Brian Hackett
date:        Fri Dec 12 13:36:56 2014 -0700
summary:     Bug 1107226 - Share prototype objects for typed object arrays with the same element type, r=nmatsakis.

This iteration took 658.665 seconds to run.
NI from bhackett based on comment 1 :)
Flags: needinfo?(bhackett1024)
Does this still reproduce on inbound tip? It might be a dupe of bug 1113744.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 70de2960aa87).
Yea, that bug just landed on central, so I'll dupe it.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1113744
Marking s-s because original bug is s-s. Just to be sure.
Group: core-security
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-high