Bug 1335619 (Closed)
Opened 7 years ago, closed 7 years ago
Assertion failure: !keyVal.isMagic(JS_ELEMENTS_HOLE), at js/src/builtin/MapObject.cpp:1185
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED, target milestone mozilla54
Branch | Tracking | Status
---|---|---
firefox-esr45 | --- | unaffected
firefox51 | --- | unaffected
firefox52 | --- | unaffected
firefox-esr52 | --- | unaffected
firefox53 | --- | unaffected
firefox54 | --- | verified
People: Reporter: gkw, Assigned: anba
Details: Keywords: assertion, sec-high, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 28.42 KB, text/plain
- 2.41 KB, patch; jandem: review+
The following testcase crashes on mozilla-central revision 1d025ac534a6 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

```js
// jsfunfuzz-generated
x = [];
y = x.push(Set, 1);
Array.prototype.shift.call(x);
// Adapted from randomly chosen test: js/src/tests/ecma_5/String/match-defines-match-elements.js
Object.defineProperty(Array.prototype, 1, { set: function() {} })
// jsfunfuzz-generated
Array.prototype.splice.call(x, 3, {}, y);
new Set(x);
```

Backtrace:

```
0 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x000000010e4ac8a0 js::SetObject::construct(JSContext*, unsigned int, JS::Value*) + 3360 (MapObject.cpp:1185)
1 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x000000010e46381e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:263)
2 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x000000010e46fa8a js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 138 (jscntxtinlines.h:295)
3 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x000000010e46402a InternalConstruct(JSContext*, js::AnyConstructArgs const&) + 570 (Interpreter.cpp:551)
4 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x000000010e463c71 js::ConstructFromStack(JSContext*, JS::CallArgs const&) + 65 (Interpreter.cpp:589)
/snip
```

For detailed crash information, see attachment. Locking s-s as a start because the assert seems to involve holes in Arrays, not sure if that might be bad.
Comment 1•7 years ago (Reporter)
Comment 2•7 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6aae92d8aa00
user: André Bargull
date: Thu Jan 26 12:19:01 2017 -0800
summary: Bug 1282104 - Part 2: Remove dense fast path in Array.prototype methods which didn't check for inherited accessors. r=jandem

André, is bug 1282104 a likely regressor?
Blocks: 1282104
Flags: needinfo?(andrebargull)
Comment 4•7 years ago (Assignee)
With bug 1282104 fixed, we also need to check for inherited accessor properties before extending the dense elements in the fast path of step 16 for Array.p.splice. Before bug 1282104, this wasn't necessary because we always defined instead of set the elements in step 16.b.iv.2.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
Attachment #8832462 - Flags: review?(jdemooij)
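The set-versus-define distinction André describes above, as an added model that is neither the bug's testcase nor SpiderMonkey code: insertViaSet follows the spec (Reflect.set hands the value to the inherited setter, so no own element is created and new Set(x) reads the hole as undefined), while insertViaDefine reproduces what the dense fast path removed in bug 1282104 effectively did. The intermediate prototype (instead of patching the global Array.prototype) and every function name here are this example's own assumptions.

```javascript
// Model of the two ways an engine can store the items that splice inserts.
// Spec semantics: Set(O, P, V, true), so an inherited setter on that index
// receives the value and no own element is created (a hole remains). The
// dense fast path removed in bug 1282104 defined the element directly instead.
// Constructed fixture: a private intermediate prototype carries the no-op
// setter, instead of the global Array.prototype the bug's testcase patches.
function makeArrayWithInheritedSetter(initial) {
  const proto = Object.create(Array.prototype);
  const setterArgs = [];                      // values the setter swallowed
  Object.defineProperty(proto, "1", { set(v) { setterArgs.push(v); }, configurable: true });
  const arr = Array.from(initial);
  Object.setPrototypeOf(arr, proto);          // arr is still an Array exotic object
  return { arr, setterArgs };
}
// Spec-style insertion: Set(O, ToString(start + k), items[k], true) per item.
function insertViaSet(arr, start, items) {
  for (let k = 0; k < items.length; k++) {
    if (!Reflect.set(arr, String(start + k), items[k], arr)) {
      throw new TypeError("cannot set element " + (start + k));  // throwOnError = true
    }
  }
  arr.length = Math.max(arr.length, start + items.length);      // splice's final length step
  return arr;
}
// Define semantics (what the removed dense fast path effectively did).
function insertViaDefine(arr, start, items) {
  for (let k = 0; k < items.length; k++) {
    Object.defineProperty(arr, String(start + k),
      { value: items[k], writable: true, enumerable: true, configurable: true });
  }                                           // defining index >= length also grows length
  return arr;
}
// Runs both strategies on [1], inserting 2 at index 1 (the shape of the testcase),
// and reports what the array looks like and what new Set(x) then collects.
function compare() {
  const report = {};
  for (const [name, insert] of [["set", insertViaSet], ["define", insertViaDefine]]) {
    const { arr, setterArgs } = makeArrayWithInheritedSetter([1]);
    insert(arr, 1, [2]);
    report[name] = {
      setterCalls: setterArgs.length,
      ownElement: Object.prototype.hasOwnProperty.call(arr, "1"),
      length: arr.length,
      collected: [...new Set(arr)],           // the hole reads as undefined via the getter-less accessor
    };
  }
  return report;
}
```

In a correct engine the "set" row ends with length 2, no own element at index 1 and new Set(x) holding [1, undefined]; the assertion in this bug fired because the fast path left a JS_ELEMENTS_HOLE marker where that undefined should have been read.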
Updated•7 years ago
Attachment #8832462 - Flags: review?(jdemooij) → review+
Updated•7 years ago
status-firefox53: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Keywords: sec-high
Updated•7 years ago (Assignee)
Keywords: checkin-needed
Comment 5•7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9019b1aeabd45a050c99686f3d694fd616239b2b
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
Flags: in-testsuite+
Keywords: checkin-needed
Comment 6•7 years ago
https://hg.mozilla.org/mozilla-central/rev/9019b1aeabd4
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
Status: RESOLVED → VERIFIED
Comment 7•7 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•7 years ago
Group: javascript-core-security → core-security-release
Updated•7 years ago
Group: core-security-release