Closed Bug 568275 Opened 15 years ago Closed 14 years ago

Crash [@ JSScope::removeProperty] or "Assertion failure: sprop->childp,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: Waldo)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:dos] fixed by bug 595365)

Crash Data

x = ({ x: /x/ }) x.p = [] Object.defineProperty(x, "x", { writable: "" }) for (b in [[], null, [undefined]]) { function f(a) { delete a.x a.x = Infinity } for each(z in [x]) { f(z) } } crashes js opt shell on TM tip without -j at JSScope::removeProperty and asserts js debug shell on TM tip without -j at Assertion failure: sprop->childp, at ../jsscope.h:843 Seems to be a near null crash but setting s-s just to be safe. === Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000000 0x000dea8c in JSScope::removeProperty () (gdb) bt #0 0x000dea8c in JSScope::removeProperty () #1 0x00077516 in js_DeleteProperty () #2 0x000598d6 in js_Interpret () #3 0x00065dd0 in js_Execute () #4 0x0000eeec in JS_ExecuteScript () #5 0x000046a6 in Process () #6 0x0000893a in main () (gdb) x/i $eip 0xdea8c <_ZN7JSScope14removePropertyEP9JSContextl+300>: mov %edx,(%eax) (gdb) x/b $edx 0x865ab0: 0x64
autoBisect shows this is probably related to bug 430133: The first bad revision is: changeset: 36651:766a6b2e74e7 user: Jeff Walden date: Fri Jun 05 12:56:45 2009 -0700 summary: Bug 430133 - Implement ES3.1's Object.defineProperty and Object.defineProperties. r=jorendorff
Blocks: 430133
blocking2.0: --- → ?
Assignee: general → jwalden+bmo
blocking2.0: ? → final+
Shorter: var a = Object.defineProperty({ x: /x/, p: [] }, "x", { writable: false }); for (var i = 0; i < 5; i++) { delete a.x; a.x = Infinity; }
This WFM -- Gary, mind tracking down which change fixed this?
(In reply to comment #3) > This WFM -- Gary, mind tracking down which change fixed this? Sure. :) Seems to be fixed by bug 595365. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 53550:cd3c926a7413 user: Brendan Eich date: Sat Sep 11 23:55:25 2010 -0700 summary: Google Maps crash on tracemonkey branch (595365, precog r=jorendorff, a=beta6+).
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: core-security
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Depends on: 595365
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos] fixed by bug 595365
Crash Signature: [@ JSScope::removeProperty]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.