Closed Bug 616711 Opened 9 years ago Closed 9 years ago

Crash [@ js_SuppressDeletedProperty] or [@ JSObject::getPrivate]

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical][fixed-in-tracemonkey])

Crash Data

Attachments

(2 files)

Attached file console output
this.toString = String
try {
    (function () {
        for each(d in evalcx("({n:<x/>})")) {
            #1#
        }
    })()
} catch (r) {}
gc()
delete this.toString

Crashes the js debug shell on TM changeset d31f58102b38 at JSObject::getPrivate, and crashes the js opt shell at js_SuppressDeletedProperty.

s-s because this involves gc. 0xdadadada also seems to be accessed, albeit in debug builds. Assuming [sg:critical?] unless otherwise.
The testcase has to be passed in as a CLI argument.
blocking2.0: --- → ?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   57084:f52f5d7feb29
user:        Andreas Gal
date:        Wed Nov 10 15:56:00 2010 -0800
summary:     typeof(regexp from sandbox) is "function" (bug 607799, r=brendan).
Blocks: 607799
Assignee: general → gal
blocking2.0: ? → betaN+
bisect is a red herring
GC bug, must block
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical]
Assignee: gal → bhackett1024
Attached patch maybe fix
The problem seems to be that Reify in jswrapper.cpp does not close the active iterator on its failure paths.  This can leave cx->enumerators pointing to an iterObj with no other referent, and since cx->enumerators is not traversed by the GC (it is only supposed to point to things on the stack) the iterObj gets collected.  Reify should always close the old iterator (it does so on successful paths), as this patch does.  I don't really know the proxy/wrapper code though, is this the right interpretation?
Attachment #497420 - Flags: review?(gal)
Comment on attachment 497420 [details] [diff] [review]
maybe fix

An Auto helper might be worth it here. Nice catch. Thanks for fixing this!
Attachment #497420 - Flags: review?(gal) → review+
Yeah, the helper does look cleaner.
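The hazard bhackett describes above (an iterator left registered in a list the GC does not trace, so the object is swept while the list still points at it) and the Auto helper suggested in review, as an added C++ model that is not SpiderMonkey code: Context, IterObj, openIterator, closeIterator, reifyBuggy, reifyFixed, AutoCloseIterator and leavesDanglingAfterGc are all hypothetical names, and the GC is reduced to freeing every iterator object.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
// Hypothetical model (not SpiderMonkey code): an active iterator sits in a
// list the GC does not trace, so it must be closed before it can be swept.
struct IterObj {};
struct Context {
    std::vector<IterObj*> enumerators;           // like cx->enumerators, untraced
    std::vector<std::unique_ptr<IterObj>> heap;  // GC-owned objects
};
// Allocate an iterator object and register it as active.
IterObj* openIterator(Context& cx) {
    cx.heap.push_back(std::make_unique<IterObj>());
    cx.enumerators.push_back(cx.heap.back().get());
    return cx.heap.back().get();
}
// Close the iterator: drop it from the active list.
void closeIterator(Context& cx, IterObj* it) {
    auto& e = cx.enumerators;
    e.erase(std::remove(e.begin(), e.end(), it), e.end());
}
// The "Auto helper" suggested in review: an RAII guard that closes the
// iterator on every exit from the scope, failure paths included.
class AutoCloseIterator {
    Context& cx_; IterObj* it_;
public:
    AutoCloseIterator(Context& cx, IterObj* it) : cx_(cx), it_(it) {}
    ~AutoCloseIterator() { closeIterator(cx_, it_); }
};
// Buggy shape: only the success path closes the iterator.
bool reifyBuggy(Context& cx, IterObj* it, bool fail) {
    if (fail) return false;      // early return leaves it in cx.enumerators
    closeIterator(cx, it);
    return true;
}
// Fixed shape: the guard closes it however the function returns.
bool reifyFixed(Context& cx, IterObj* it, bool fail) {
    AutoCloseIterator guard(cx, it);
    return !fail;
}
// Open, reify, then sweep: nothing traced refers to the iterator, so the
// simplified GC frees it. True means cx.enumerators holds a dangling pointer.
bool leavesDanglingAfterGc(bool fixed, bool fail) {
    Context cx;
    IterObj* it = openIterator(cx);
    if (fixed) reifyFixed(cx, it, fail); else reifyBuggy(cx, it, fail);
    cx.heap.clear();
    return !cx.enumerators.empty();
}
```

Only the buggy shape on its failure path leaves a pointer to freed memory behind; the guard makes the failure and success paths indistinguishable to the GC.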

http://hg.mozilla.org/tracemonkey/rev/b013a27e6275
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical][fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/b013a27e6275
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_SuppressDeletedProperty] [@ JSObject::getPrivate]
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security