Bug 1435295 (Closed)
Opened 6 years ago, closed 6 years ago
Assertion failure: !unknownProperties(), at js/src/vm/TypeInference.cpp:2918 with OOM
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target milestone mozilla60
Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox58 | --- | unaffected
firefox59 | --- | unaffected
firefox60 | --- | verified
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): patch, 1.58 KB; jandem: review+
Description

The following testcase crashes on mozilla-central revision 841512e696b9 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

```js
oomTest(new Function(`function execOffThread(source) {
    offThreadCompileModule(source);
    return finishOffThreadModule();
}
b = execOffThread("[1, 2, 3]")
`));
```

Backtrace:

```text
received signal SIGSEGV, Segmentation fault.
0x0000000000ca0b68 in js::ObjectGroup::markUnknown (this=0x7ffff47db190, cx=cx@entry=0x7ffff5f16000) at js/src/vm/TypeInference.cpp:2918
#0  0x0000000000ca0b68 in js::ObjectGroup::markUnknown (this=0x7ffff47db190, cx=cx@entry=0x7ffff5f16000) at js/src/vm/TypeInference.cpp:2918
#1  0x0000000000a09182 in js::gc::GCRuntime::mergeCompartments (this=this@entry=0x7ffff5f1a780, source=0x7ffff5f4c800, target=target@entry=0x7ffff5f3d800) at js/src/jsgc.cpp:7938
#2  0x0000000000a0989e in js::gc::MergeCompartments (source=<optimized out>, target=target@entry=0x7ffff5f3d800) at js/src/jsgc.cpp:7870
#3  0x0000000000b96b53 in js::GlobalHelperThreadState::mergeParseTaskCompartment (this=this@entry=0x7ffff5f06400, cx=cx@entry=0x7ffff5f16000, parseTask=0x7ffff4871000, global=..., global@entry=..., dest=0x7ffff5f3d800) at js/src/vm/HelperThreads.cpp:1721
#4  0x0000000000ba7f0c in js::GlobalHelperThreadState::finishParseTask<js::GlobalHelperThreadState::finishParseTask(JSContext*, js::ParseTaskKind, void*)::<lambda(js::ParseTask*)>, void> (finishCallback=<optimized out>, token=0x1, kind=js::ParseTaskKind::Module, cx=0x7ffff5f16000, this=0x7ffff5f06400) at js/src/vm/HelperThreads.cpp:1565
#5  js::GlobalHelperThreadState::finishParseTask (this=0x7ffff5f06400, cx=cx@entry=0x7ffff5f16000, kind=kind@entry=js::ParseTaskKind::Module, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1605
#6  0x0000000000ba84bc in js::GlobalHelperThreadState::finishModuleParseTask (this=<optimized out>, cx=0x7ffff5f16000, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1687
#7  0x0000000000977e74 in JS::FinishOffThreadModule (cx=<optimized out>, token=<optimized out>) at js/src/jsapi.cpp:4353
#8  0x00000000004624b3 in FinishOffThreadModule (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4863
#9  0x000032f6e54cee71 in ?? ()
[...]
#13 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff4857000	140737295773696
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffba60	140737488337504
rsp	0x7fffffffb980	140737488337280
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7ffff47db190	140737295266192
r13	0x7ffff5f3d800	140737319786496
r14	0x7ffff5f16000	140737319624704
r15	0x7ffff4c90080	140737300201600
rip	0xca0b68 <js::ObjectGroup::markUnknown(JSContext*)+1112>
=> 0xca0b68 <js::ObjectGroup::markUnknown(JSContext*)+1112>:	movl   $0x0,0x0
   0xca0b73 <js::ObjectGroup::markUnknown(JSContext*)+1123>:	ud2
```

Marking s-s as a start because the unknownProperties assert can sometimes indicate a security problem.
Updated•6 years ago
Flags: needinfo?(jcoppeard)
Priority: -- → P1
Comment 1•6 years ago
I think we just need to check whether the object group has already been marked unknown here.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8948443 - Flags: review?(jdemooij)
Comment 2•6 years ago
Comment on attachment 8948443 [details] [diff] [review] bug1435295-merge-oom

Review of attachment 8948443 [details] [diff] [review]:

Ah yes.
Attachment #8948443 - Flags: review?(jdemooij) → review+
Comment 4•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d8ad38aef8866ba2ac70862c78bbb67ef8349890
Comment 5•6 years ago
https://hg.mozilla.org/mozilla-central/rev/d8ad38aef886
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Updated•6 years ago
status-firefox58: --- → unaffected
status-firefox59: --- → unaffected
status-firefox-esr52: --- → unaffected
Updated•6 years ago
Status: RESOLVED → VERIFIED
Comment 6•6 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•6 years ago
Group: javascript-core-security → core-security-release
Updated•6 years ago
Group: core-security-release