
Crash [@ JSObject::removeProperty] or "Assertion failure: nativeContains(*aprop),"

Status: VERIFIED DUPLICATE of bug 593256
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 4 years ago

People: Reporter: gkw, Unassigned

Tracking (Blocks: 1 bug, 4 keywords)
Version: Trunk
Keywords: assertion, crash, regression, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags: blocking2.0 betaN+, status1.9.2 unaffected, status1.9.1 unaffected

Details
Whiteboard: [sg:critical?], crash signature

Description (Reporter, 7 years ago)

eval("\
  function(){for(d in[0,Number]) {\
    __defineGetter__(\"\",function(){}),\
    [(__defineGetter__(\"x\",Math.pow))]\
  }}\
")()
delete gc
eval("\
  function() {\
    for(e in __defineSetter__(\"x\",function(){})){}\
  }\
")()
delete gc

asserts js debug shell on TM changeset e8ee411dca70 without -j at Assertion failure: nativeContains(*aprop), and crashes js opt shell at JSObject::removeProperty

s-s because it seems to be accessing 0x3e, a scary address.

===

Program received signal SIGSEGV, Segmentation fault.
0x0812277a in JSObject::removeProperty(JSContext*, int) ()
(gdb) x/i $eip
=> 0x812277a <_ZN8JSObject14removePropertyEP9JSContexti+362>:	mov    %edx,(%eax)
(gdb) x/b $edx
0x829dd3c:	0x3e
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0

Updated (Reporter, 7 years ago)
blocking2.0: --- → ?

Comment 1 (Reporter, 7 years ago)

Probably related to bug 558451.

Regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=be9979b4c10b&tochange=f3e58c264932
Blocks: 558451
OS: Linux → All
Hardware: x86 → All
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected

Updated (7 years ago)
blocking2.0: ? → betaN+

I noticed today that Mac trunk users are hitting this crash with more frequency in the last day or so - http://tinyurl.com/34qvymn.
Depends on: 594899

A nearly-null address is not scary but I'm leaving this bug s-s per Gary's decision when filing. But I'm also duping it against non-s-s bug 593256. I added the fuzzer-generated test to the jsreftests in that bug's first-pushed cset.

/be
Status: NEW → RESOLVED
Last Resolved: 7 years ago
No longer depends on: 594899
Resolution: --- → DUPLICATE
Duplicate of bug: 593256

Great bug, sorry I didn't look into it sooner. It showed that losing dictionary mode property tables was not just a memory bloat and lookup efficiency loss bug, which I should have seen. It was a memory safety bug that could reincarnate a deleted shape via the table.

/be
Status: RESOLVED → VERIFIED
Group: core-security
Whiteboard: [sg:critical?]
Crash Signature: [@ JSObject::removeProperty]
Flags: in-testsuite+
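The mechanism in Brendan's last comment, as an added illustration that is not part of this bug or its patch: a constructed C model (not SpiderMonkey's shape or property-table code) in which a name-keyed property table outlives the shape it points to. After a removal the table still yields a shape that native_contains rejects, which is the condition the debug-shell assertion reports, and once that shape's slot is reused the stale entry returns a different live property under the deleted name; remove_property_fixed shows the invariant a fix has to keep.

```c
#include <stddef.h>
#include <string.h>
/* Constructed toy model, not SpiderMonkey's code: properties sit on a linked list
 * of shapes and a name-keyed table caches pointers into it. Shapes come from a
 * small pool whose freed slots are reused, so a stale entry can "reincarnate". */
#define POOL 4
#define SLOTS 16
typedef struct Shape { const char *name; struct Shape *next; int live; } Shape;
typedef struct { Shape pool[POOL]; Shape *list; Shape *table[SLOTS]; } Object;
static size_t slot(const char *name) { return (unsigned char)name[0] % SLOTS; } /* toy hash */

Shape *add_property(Object *o, const char *name) {
    for (int i = 0; i < POOL; i++) {
        Shape *s = &o->pool[i];
        if (s->live) continue;              /* first free slot: reused after a removal */
        s->name = name; s->live = 1; s->next = o->list; o->list = s;
        o->table[slot(name)] = s;
        return s;
    }
    return NULL;
}
/* The check behind the page's assertion: is this shape still on the object's list? */
int native_contains(const Object *o, const Shape *s) {
    for (const Shape *p = o->list; p; p = p->next) if (p == s) return 1;
    return 0;
}
static void unlink_shape(Object *o, const char *name) {
    for (Shape **pp = &o->list; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->name, name) == 0) { Shape *s = *pp; *pp = s->next; s->live = 0; return; }
}
/* Buggy: releases the shape but leaves table[name] pointing at it. */
void remove_property_buggy(Object *o, const char *name) { unlink_shape(o, name); }
/* Fixed: the table entry is dropped in the same step as the shape. */
void remove_property_fixed(Object *o, const char *name) { unlink_shape(o, name); o->table[slot(name)] = NULL; }
Shape *lookup(Object *o, const char *name) { return o->table[slot(name)]; }

/* Right after a buggy removal, lookup("x") still returns a shape that
 * native_contains rejects: the condition the debug-shell assertion reports. */
int stale_entry_fails_check(void) {
    Object o = {0}; add_property(&o, "x");
    remove_property_buggy(&o, "x");
    Shape *s = lookup(&o, "x"); return s != NULL && !native_contains(&o, s);
}
/* Once the pool slot is reused, the stale pointer names a different, live
 * property: the deleted "x" shape comes back as "z" (NULL once fixed). */
const char *reincarnated_name(int fixed) {
    Object o = {0}; add_property(&o, "x"); add_property(&o, "y");
    if (fixed) remove_property_fixed(&o, "x"); else remove_property_buggy(&o, "x");
    add_property(&o, "z");                  /* reuses the pool slot "x" held */
    Shape *s = lookup(&o, "x"); return s ? s->name : NULL;
}
```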