Closed
Bug 1124563
Opened 10 years ago
Closed 10 years ago
Assertion failure: obj->lastProperty() == p->value().shape, at jsinfer.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla38
| Tracking | Status | |
|---|---|---|
| firefox36 | --- | fixed |
| firefox37 | --- | fixed |
| firefox38 | --- | verified |
| firefox-esr31 | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | fixed |
| b2g-master | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update][adv-main36-])
Attachments
(4 files)
|
4.98 KB,
text/plain
|
Details | |
|
5.66 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
|
5.68 KB,
patch
|
jonco
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
4.89 KB,
patch
|
jonco
:
review+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
try {
gc(0, 'shrinking')({x: 0})
} catch (e) {}
eval("({x: 0, x: 0})[{x: 0}]")
asserts js debug shell on m-c changeset 34e2d2bd7ec4 with --fuzzing-safe --no-threads --no-ion at Assertion failure: obj->lastProperty() == p->value().shape, at jsinfer.cpp
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150121001427" and the hash "1533b263c457".
The "bad" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1533b263c457&tochange=26d8f946a53b
Setting this s-s first since compacting GC seems to be involved.
Jon, is bug 650161 aka compacting GC a likely regressor, or is it exposing the issue?
Flags: needinfo?(jcoppeard)
|
Reporter | |
Comment 1•10 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x23cec, 0x000000010060ceb7 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::types::TypeCompartment::fixObjectType(this=<unavailable>, cx=<unavailable>, obj=<unavailable>) + 3175 at jsinfer.cpp:2829, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010060ceb7 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::types::TypeCompartment::fixObjectType(this=<unavailable>, cx=<unavailable>, obj=<unavailable>) + 3175 at jsinfer.cpp:2829
frame #1: 0x000000010017c876 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::frontend::ParseNode::getConstantValue(js::ExclusiveContext*, js::frontend::ParseNode::AllowConstantObjects, JS::MutableHandle<JS::Value>) [inlined] js::types::FixObjectType(obj=0x00000001041850a0) + 2086 at jsinferinlines.h:568
frame #2: 0x000000010017c82e js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::frontend::ParseNode::getConstantValue(this=<unavailable>, cx=<unavailable>, allowObjects=<unavailable>, vp=<unavailable>) + 2014 at BytecodeEmitter.cpp:4363
frame #3: 0x0000000100183b37 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`EmitSingletonInitialiser(cx=0x0000000101e02260, bce=0x00007fff5fbfcde0, pn=<unavailable>) + 87 at BytecodeEmitter.cpp:4377
frame #4: 0x0000000100184d3c js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`EmitObject(cx=0x0000000101e02260, bce=0x00007fff5fbfcde0, pn=0x000000010281cfa8) + 2028 at BytecodeEmitter.cpp:6582
(lldb)
|
Assignee | |
Comment 2•10 years ago
|
||
The problem is that we aren't fixing up the baseShapes hash table, whose keys are based on objects that can be moved by GC.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
|
||
Updated•10 years ago
|
status-firefox37:
--- → unaffected
Keywords: csectype-uaf,
sec-high
|
|
Assignee | |
Comment 4•10 years ago
|
||
This patch fixes the particular problem of the table not being updated on compacting GC.
Unfortunately this is still a problem for generational GC.
Attachment #8555965 -
Flags: review?(terrence)
|
||
Updated•10 years ago
|
Attachment #8555965 -
Flags: review?(terrence) → review+
|
|
Assignee | |
Comment 5•10 years ago
|
||
I'm going to land this patch now and fix the generational issue in bug 1127246.
|
|
Assignee | |
Comment 6•10 years ago
|
||
|
||
Updated•10 years ago
|
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-master:
--- → affected
status-firefox36:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
||
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 8•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•10 years ago
|
|
|
Assignee | |
Comment 9•10 years ago
|
||
This is a dependency for bug 1127246.
Approval Request Comment
[Feature/regressing bug #]: Bug 650161.
[User impact if declined]: Possible stability/security issue due to bug 1127246.
[Describe test coverage new/current, TreeHerder]: On m-c for 5 days.
[Risks and why]: Low.
[String/UUID change made/needed]: None.
Attachment #8559233 -
Flags: review+
Attachment #8559233 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 10•10 years ago
|
||
This is a dependency for bug 1127246.
Approval Request Comment
[Feature/regressing bug #]: Bug 650161.
[User impact if declined]: Possible stability/security issue due to bug 1127246.
[Describe test coverage new/current, TreeHerder]: On m-c for 5 days.
[Risks and why]: Low.
[String/UUID change made/needed]: None.
Attachment #8559250 -
Flags: review+
Attachment #8559250 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 11•10 years ago
|
||
BTW the uplift patches for aurora and beta are to fix 'ggc' test build errors, and mainly touch code that's #ifdefed out in the main builds.
|
||
Updated•10 years ago
|
Attachment #8559233 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Updated•10 years ago
|
Attachment #8559250 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
Assignee | |
Comment 12•10 years ago
|
||
|
|
Assignee | |
Comment 13•10 years ago
|
||
|
|
||
Comment 14•10 years ago
|
||
|
||
Comment 15•10 years ago
|
||
If bug 650161 is the regressor, how did this affect 36? Looking at checkin dates, bug 650161 appears to be either 37 or 38 only.
|
|
||
Updated•10 years ago
|
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 16•10 years ago
|
||
(In reply to Al Billings [:abillings] from comment #15)
The code in bug 650161 is only built by default in 38 onwards, however the code is present in earlier versions and the 'ggc' test build does build and test this.
The uplift was done so that that this test will pass and doesn't affect the normal builds for 36 and 37.
Flags: needinfo?(jcoppeard)
|
|
||
Comment 17•10 years ago
|
||
Ah, thanks. Minusing it for advisories for 36 then.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main36-]
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•