592214 - Crash [@ JSObject::removeProperty] or "Assertion failure: nativeContains(*aprop),"

Status: VERIFIED DUPLICATE of bug 593256

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

eval("\
  function(){for(d in[0,Number]) {\
    __defineGetter__(\"\",function(){}),\
    [(__defineGetter__(\"x\",Math.pow))]\
  }}\
")()
delete gc
eval("\
  function() {\
    for(e in __defineSetter__(\"x\",function(){})){}\
  }\
")()
delete gc

asserts js debug shell on TM changeset e8ee411dca70 without -j at Assertion failure: nativeContains(*aprop), and crashes js opt shell at JSObject::removeProperty

s-s because it seems to be accessing 0x3e, a scary address.

===

Program received signal SIGSEGV, Segmentation fault.
0x0812277a in JSObject::removeProperty(JSContext*, int) ()
(gdb) x/i $eip
=> 0x812277a <_ZN8JSObject14removePropertyEP9JSContexti+362>:	mov    %edx,(%eax)
(gdb) x/b $edx
0x829dd3c:	0x3e
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Probably related to bug 558451.

Regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=be9979b4c10b&tochange=f3e58c264932

Comment 2

[Marcia Knous [:marcia]]

I noticed today that Mac trunk users are hitting this crash with more frequency in the last day or so - http://tinyurl.com/34qvymn.

Comment 3

[Brendan Eich [:brendan]]

A nearly-null address is not scary but I'm leaving this bug s-s per Gary's decision when filing. But I'm also duping it against non-s-s bug 593256. I added the fuzzer-generated test to the jsreftests in that bug's first-pushed cset.

/be

Comment 4

[Brendan Eich [:brendan]]

Great bug, sorry I didn't look into it sooner. It showed that losing dictionary mode property tables was not just a memory bloat and lookup efficiency loss bug, which I should have seen. It was a memory safety bug that could reincarnate a deleted shape via the table.

/be