Closed Bug 1335619 Opened 7 years ago Closed 7 years ago

Assertion failure: !keyVal.isMagic(JS_ELEMENTS_HOLE), at js/src/builtin/MapObject.cpp:1185

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- verified

People

(Reporter: gkw, Assigned: anba)

References

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 1d025ac534a6 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
x = [];
y = x.push(Set, 1);
Array.prototype.shift.call(x);
// Adapted from randomly chosen test: js/src/tests/ecma_5/String/match-defines-match-elements.js
Object.defineProperty(Array.prototype, 1, {
    set: function() {}
})
// jsfunfuzz-generated
Array.prototype.splice.call(x, 3, {}, y);
new Set(x);


Backtrace:

0   js-dbg-64-dm-clang-darwin-1d025ac534a6	0x000000010e4ac8a0 js::SetObject::construct(JSContext*, unsigned int, JS::Value*) + 3360 (MapObject.cpp:1185)
1   js-dbg-64-dm-clang-darwin-1d025ac534a6	0x000000010e46381e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:263)
2   js-dbg-64-dm-clang-darwin-1d025ac534a6	0x000000010e46fa8a js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 138 (jscntxtinlines.h:295)
3   js-dbg-64-dm-clang-darwin-1d025ac534a6	0x000000010e46402a InternalConstruct(JSContext*, js::AnyConstructArgs const&) + 570 (Interpreter.cpp:551)
4   js-dbg-64-dm-clang-darwin-1d025ac534a6	0x000000010e463c71 js::ConstructFromStack(JSContext*, JS::CallArgs const&) + 65 (Interpreter.cpp:589)
/snip

For detailed crash information, see attachment.

Locking s-s as a start because the assert seems to involve holes in Arrays, not sure if that might be bad.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6aae92d8aa00
user:        André Bargull
date:        Thu Jan 26 12:19:01 2017 -0800
summary:     Bug 1282104 - Part 2: Remove dense fast path in Array.prototype methods which didn't check for inherited accessors. r=jandem

André, is bug 1282104 a likely regressor?
Blocks: 1282104
Flags: needinfo?(andrebargull)
Attached patch bug1335619.patch
With bug 1282104 fixed, we also need to check for inherited accessor properties before extending the dense elements in the fast path of step 16 for Array.p.splice. Before bug 1282104, this wasn't necessary because we always defined instead of set the elements in step 16.b.iv.2.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
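The following is an added example, not code from the bug report or from the patch; it reduces the reporter's testcase to the single property write the fix is about. The spec has splice store the inserted items with Set rather than DefineOwnProperty (the step the comment above calls 16.b.iv.2), so when Array.prototype carries a setter at index 1 that setter runs with the array as receiver and the array gains no own element at that index. A dense-elements fast path that pre-extends the elements as though an own element were about to be stored there therefore has to check the prototype chain for accessors first. The function names and the baseline comparison are my own; unlike the testcase, the accessor is defined configurable so it can be removed afterwards.

```javascript
// Added example (not from the bug or the patch). Demonstrates the observable
// semantics the splice fast path must preserve: inserted items are written
// with Set, so an inherited setter on Array.prototype intercepts the write and
// the array itself gets no own element at that index.

function spliceWithInheritedSetter() {
  const setterCalls = [];

  // Constructed setup mirroring the testcase: an accessor at index 1 on
  // Array.prototype. Made configurable (the testcase's is not) so it can be
  // removed again in the finally block.
  Object.defineProperty(Array.prototype, 1, {
    set(value) { setterCalls.push({ receiver: this, value }); },
    configurable: true,
  });

  try {
    const x = [1]; // the testcase's array after push(Set, 1) and shift()

    // Same call as the testcase: start 3 clamps to the length 1, deleteCount {}
    // converts to NaN and then to 0, and the single item 2 is inserted at index 1.
    const removed = Array.prototype.splice.call(x, 3, {}, 2);

    return {
      removed,                                                  // []
      length: x.length,                                         // 2
      setterCalls: setterCalls.length,                          // 1
      setterReceiverIsX: setterCalls.length === 1 && setterCalls[0].receiver === x,
      setterValue: setterCalls.length === 1 ? setterCalls[0].value : undefined, // 2
      hasOwnIndex1: Object.prototype.hasOwnProperty.call(x, 1), // false: Set went to the setter
      readIndex1: x[1],                                         // undefined: the accessor has no getter
      setContents: Array.from(new Set(x)),                      // [1, undefined]
    };
  } finally {
    delete Array.prototype[1];
  }
}

// Baseline with no inherited accessor: the same splice stores an own element.
function spliceWithoutAccessor() {
  const x = [1];
  const removed = x.splice(3, {}, 2);
  return {
    removed,
    length: x.length,
    hasOwnIndex1: Object.prototype.hasOwnProperty.call(x, 1), // true
    readIndex1: x[1],                                         // 2
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(spliceWithInheritedSetter());
  console.log(spliceWithoutAccessor());
}
```

Run under a spec-compliant engine (node or a fixed js shell), the first function reports the setter being invoked once with the array as receiver and no own element at index 1, while iterating the array through new Set() simply yields undefined for that index; the second function shows the ordinary case where the element is stored on the array. The difference between the two is exactly what the dense fast path cannot assume without checking for inherited accessors.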
Attachment #8832462 - Flags: review?(jdemooij)
Attachment #8832462 - Flags: review?(jdemooij) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/9019b1aeabd4
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release
Keywords: bugmon