Crash [@ JSObject::changeProperty] or "Assertion failure: listp,"

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 betaN+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(crash signature)

(Reporter)

Description

7 years ago
__defineGetter__("x", function () {});
function z() {
    "".replace(/s/, "");
}
z();
(function () {
    for (a = 0; a < 2; a++) {
        __defineGetter__("", /a/);
        for each(y in [__defineGetter__("x", function(){})]) {}
    }
}());

Asserts js debug shell on TM changeset e8ee411dca70 without -j at "Assertion failure: listp," and crashes js opt shell at JSObject::changeProperty.

s-s because this involves a scary address, 0x22.

===

Program received signal SIGSEGV, Segmentation fault.
0x081240b6 in JSObject::changeProperty(JSContext*, js::Shape const*, unsigned int, unsigned int, int (*)(JSContext*, JSObject*, int, js::Value*), int (*)(JSContext*, JSObject*, int, js::Value*)) ()
(gdb) x/i $eip
=> 0x81240b6 <_ZN8JSObject14changePropertyEP9JSContextPKN2js5ShapeEjjPFiS1_PS_iPNS2_5ValueEESA_+278>:	mov    %edx,(%eax)
(gdb) x/b $edx
0x829ef94:	0x22
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0
(Reporter)

Updated

7 years ago
blocking2.0: --- → ?
(Reporter)

Comment 1

7 years ago
Probably related to bug 558451.

Regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=be9979b4c10b&tochange=f3e58c264932
Blocks: 558451
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected

Updated

7 years ago
blocking2.0: ? → betaN+
WFM now.

/be
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME
(Reporter)

Updated

7 years ago
Flags: in-testsuite?
The testcases for bug 595365 cover the bug well enough, but adding regression tests for each fuzzer-generated case wouldn't hurt. Have to be careful with eval of named function expressions, though. Gary, are you willing to add tests?

/be

Comment 4

7 years ago
autoBisect.py -p -e f3e58c264932 -s default -a 64 b592224.js

The first good revision is:
changeset:   53415:3feb012b18a3
user:        Brendan Eich <brendan@mozilla.org>
date:        Thu Sep 02 18:46:11 2010 -0700
summary:     Bugs in dictionary-mode property table maintenance (593256, r=jorendorff).

Updated

7 years ago
Resolution: WORKSFORME → FIXED
Group: core-security
Crash Signature: [@ JSObject::changeProperty]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+