Closed Bug 1122854 Opened 9 years ago Closed 9 years ago

CompactingGC: Assertion failure: obj->lastProperty() == p->value().shape, at js/src/jsinfer.cpp:2829

Categories

Product / Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1124563

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [jsbugmon:ignore])

The following testcase crashes on mozilla-central revision cac6192956ab (built with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug --enable-gccompacting, run with --fuzzing-safe --thread-count=2):

gczeal(14);
evaluate('\
arr = Object.defineProperty([0, 1, 2, 3, (/\\u0029/i ), 5], "length", { writable: false });\
arr = Object.defineProperty([], "length", { writable: 8, writable: false });\
', { noScriptRval : true, compileAndGo : true });

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000093afa0 in js::types::TypeCompartment::fixObjectType (this=<optimized out>, cx=cx@entry=0x199d650, obj=0x7ffff5483070) at js/src/jsinfer.cpp:2829
2829	        MOZ_ASSERT(obj->lastProperty() == p->value().shape);
#0  0x000000000093afa0 in js::types::TypeCompartment::fixObjectType (this=<optimized out>, cx=cx@entry=0x199d650, obj=0x7ffff5483070) at js/src/jsinfer.cpp:2829
#1  0x000000000059b639 in FixObjectType (obj=<optimized out>, cx=0x199d650) at js/src/jsinferinlines.h:569
#2  js::frontend::ParseNode::getConstantValue (this=this@entry=0x19a9990, cx=cx@entry=0x199d650, allowObjects=allowObjects@entry=js::frontend::ParseNode::AllowObjects, vp=..., vp@entry=...) at js/src/frontend/BytecodeEmitter.cpp:4312
#3  0x000000000059dfe6 in EmitSingletonInitialiser (cx=cx@entry=0x199d650, bce=bce@entry=0x7fffffffb2b0, pn=pn@entry=0x19a9990) at js/src/frontend/BytecodeEmitter.cpp:4326
#4  0x00000000005bf86e in EmitObject (cx=cx@entry=0x199d650, bce=bce@entry=0x7fffffffb2b0, pn=pn@entry=0x19a9990) at js/src/frontend/BytecodeEmitter.cpp:6530
#5  0x00000000005b0ef6 in js::frontend::EmitTree (cx=0x199d650, bce=0x7fffffffb2b0, pn=0x19a9990) at js/src/frontend/BytecodeEmitter.cpp:7237
#6  0x00000000005b108e in EmitCallOrNew (pn=0x19a9a38, bce=0x7fffffffb2b0, cx=0x199d650) at js/src/frontend/BytecodeEmitter.cpp:6251
#7  js::frontend::EmitTree (cx=0x199d650, bce=0x7fffffffb2b0, pn=0x19a9a38) at js/src/frontend/BytecodeEmitter.cpp:7150
#8  0x00000000005bd0af in EmitAssignment (cx=cx@entry=0x199d650, bce=bce@entry=0x7fffffffb2b0, lhs=0x19a9a70, op=JSOP_NOP, rhs=0x19a9a38) at js/src/frontend/BytecodeEmitter.cpp:4119
#9  0x00000000005b1465 in js::frontend::EmitTree (cx=0x199d650, bce=0x7fffffffb2b0, pn=0x19a9828) at js/src/frontend/BytecodeEmitter.cpp:7060
#10 0x00000000005b174b in EmitStatement (pn=0x19a9b18, bce=0x7fffffffb2b0, cx=0x199d650) at js/src/frontend/BytecodeEmitter.cpp:5963
#11 js::frontend::EmitTree (cx=0x199d650, bce=0x7fffffffb2b0, pn=0x19a9b18) at js/src/frontend/BytecodeEmitter.cpp:7026
#12 0x00000000005b3d69 in js::frontend::CompileScript (cx=cx@entry=0x199d650, alloc=<optimized out>, scopeChain=..., evalCaller=..., evalStaticScope=..., options=..., srcBuf=..., source_=source_@entry=0x0, staticLevel=staticLevel@entry=0, extraSct=extraSct@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:397
#13 0x00000000008a387a in JS::Compile (cx=0x199d650, obj=..., options=..., srcBuf=..., script=...) at js/src/jsapi.cpp:4034
#14 0x00000000008a3955 in JS::Compile (cx=cx@entry=0x199d650, obj=..., obj@entry=..., options=..., chars=<optimized out>, length=<optimized out>, script=..., script@entry=...) at js/src/jsapi.cpp:4043
#15 0x0000000000462150 in Evaluate (cx=0x199d650, argc=<optimized out>, vp=0x1a112f0) at js/src/shell/js.cpp:1284
#16 0x0000000000a20766 in js::CallJSNative (cx=0x199d650, native=0x4618a0 <Evaluate(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:226
#17 0x0000000000a11ef7 in js::Invoke (cx=cx@entry=0x199d650, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#18 0x0000000000a0cabb in Interpret (cx=cx@entry=0x199d650, state=...) at js/src/vm/Interpreter.cpp:2556
#19 0x0000000000a11bcf in js::RunScript (cx=cx@entry=0x199d650, state=...) at js/src/vm/Interpreter.cpp:448
#20 0x0000000000a19a0d in js::ExecuteKernel (cx=cx@entry=0x199d650, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:657
#21 0x0000000000a1a026 in js::Execute (cx=cx@entry=0x199d650, script=..., script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:694
#22 0x00000000008a41b7 in ExecuteScript (cx=cx@entry=0x199d650, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4362
#23 0x00000000008a428c in JS_ExecuteScript (cx=cx@entry=0x199d650, obj=..., obj@entry=..., scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4384
#24 0x0000000000406c60 in RunFile (compileOnly=false, file=0x1a7abd0, filename=0x7fffffffe0b2 "min.js", obj=..., cx=0x199d650) at js/src/shell/js.cpp:451
#25 Process (cx=cx@entry=0x199d650, obj_=<optimized out>, filename=0x7fffffffe0b2 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:584
#26 0x000000000044e760 in ProcessArgs (op=0x7fffffffdb70, obj_=<optimized out>, cx=0x199d650) at js/src/shell/js.cpp:5489
#27 Shell (envp=<optimized out>, op=0x7fffffffdb70, cx=0x199d650) at js/src/shell/js.cpp:5728
#28 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6068
rax	0x0	0
rbx	0x7ffff5464ab0	140737308412592
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffa470	140737488331888
rsp	0x7fffffffa2a0	140737488331424
r8	0x7ffff7fd4780	140737353959296
r9	0x72746e65632d616c	8247338199356891500
r10	0x7fffffffa060	140737488330848
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff5483070	140737308536944
r13	0x19d4818	27084824
r14	0x1a7b100	27767040
r15	0x7ffff5483070	140737308536944
rip	0x93afa0 <js::types::TypeCompartment::fixObjectType(js::ExclusiveContext*, js::PlainObject*)+2336>
=> 0x93afa0 <js::types::TypeCompartment::fixObjectType(js::ExclusiveContext*, js::PlainObject*)+2336>:	movl   $0xb0d,0x0
   0x93afab <js::types::TypeCompartment::fixObjectType(js::ExclusiveContext*, js::PlainObject*)+2347>:	callq  0x404b20 <abort@plt>

Not s-s because compacting GC is not enabled yet in any builds.
Assignee: nobody → jcoppeard
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-high