Crash [@ js_SuppressDeletedProperty] or [@ JSObject::getPrivate]

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 3 years ago
People

(Reporter: gkw, Assigned: bhackett)

Tracking

Blocks: 1 bug
Version: Trunk
Platform: x86 Linux
Keywords: crash, regression, testcase

Firefox Tracking Flags

(blocking2.0 betaN+)

Details

(Whiteboard: [ccbr][sg:critical][fixed-in-tracemonkey], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
Created attachment 495258 [details]
console output

// Give the global a plain-data property that a later delete can remove.
this.toString = String
try {
    (function () {
        // Iterate an object created in a separate compartment (evalcx); the
        // E4X value inside it is reached through a cross-compartment wrapper.
        for each(d in evalcx("({n:<x/>})")) {
            #1#   // sharp-variable syntax accepted by the shell of the time; fuzzer-generated
        }
    })()
} catch (r) {}
// Collect: an iterator still linked on cx->enumerators but with no other
// referent is freed here (see comment 5).
gc()
// Deleting a property makes js_SuppressDeletedProperty walk cx->enumerators,
// which now points at the freed iterator object.
delete this.toString

crashes js debug shell on TM changeset d31f58102b38 at JSObject::getPrivate and crashes js opt shell at js_SuppressDeletedProperty.

s-s because this involves gc. 0xdadadada also seems to be accessed, albeit in debug builds. Assuming [sg:critical?] unless otherwise.
(Reporter)

Comment 1

8 years ago
The testcase has to be passed in as a CLI argument.
blocking2.0: --- → ?
(Reporter)

Comment 2

8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   57084:f52f5d7feb29
user:        Andreas Gal
date:        Wed Nov 10 15:56:00 2010 -0800
summary:     typeof(regexp from sandbox) is "function" (bug 607799, r=brendan).
Blocks: 607799

Updated

8 years ago
Assignee: general → gal

Updated

8 years ago
blocking2.0: ? → betaN+

Comment 3

8 years ago
bisect is a red herring

Comment 4

8 years ago
GC bug, must block
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical]

Updated

8 years ago
Assignee: gal → bhackett1024
(Assignee)

Comment 5

8 years ago
Created attachment 497420 [details] [diff] [review]
maybe fix

The problem seems to be that Reify in jswrapper.cpp does not close the active iterator on its failure paths.  This can leave cx->enumerators pointing to an iterObj with no other referent, and since cx->enumerators is not traversed by the GC (it is only supposed to point to things on the stack) the iterObj gets collected.  Reify should always close the old iterator (it does so on successful paths), as this patch does.  I don't really know the proxy/wrapper code though, is this the right interpretation?
Attachment #497420 - Flags: review?(gal)

Comment 6

8 years ago
Comment on attachment 497420 [details] [diff] [review]
maybe fix

An Auto helper might be worth it here. Nice catch. Thanks for fixing this!
Attachment #497420 - Flags: review?(gal) → review+
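The following is an added example, not SpiderMonkey's code and not the patch attached to this bug. It models the mechanism described in comment 5 (an iterator left on cx->enumerators by an early return, and cx->enumerators being invisible to the collector) and the Auto helper suggested in comment 6. The types Context, Obj and AutoCloseIterator, and the functions reifyBuggy and reifyFixed, are invented for the illustration; the real Reify, iterator and GC code are considerably more involved.

```cpp
// Added example (not SpiderMonkey code): a toy heap with a mark/sweep collector
// and an active-iterator chain that, like cx->enumerators, is not traced.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <vector>

struct Obj {
    bool marked = false;
    Obj *next = nullptr;   // link in Context::enumerators (iterator objects only)
};

struct Context {
    std::vector<std::unique_ptr<Obj>> heap;  // every allocation that is still live
    std::vector<Obj *> roots;                // what the collector marks from
    Obj *enumerators = nullptr;              // active-iterator chain; deliberately NOT a root
    bool danglingEnumerator = false;         // set by gc() when the chain references swept memory
};

Obj *newObject(Context &cx, bool rooted) {
    cx.heap.push_back(std::unique_ptr<Obj>(new Obj()));
    Obj *o = cx.heap.back().get();
    if (rooted) cx.roots.push_back(o);
    return o;
}

void openIterator(Context &cx, Obj *iter) {
    iter->next = cx.enumerators;
    cx.enumerators = iter;
}

void closeIterator(Context &cx, Obj *iter) {
    if (cx.enumerators != iter)
        throw std::logic_error("closing an iterator that is not the innermost one");
    cx.enumerators = iter->next;
    iter->next = nullptr;
}

// Mark from roots only, then sweep. The enumerator chain is assumed to point at
// objects that are also reachable from the stack, so it is not traced; an entry
// with no other referent is swept while still linked.
void gc(Context &cx) {
    for (auto &o : cx.heap) o->marked = false;
    for (Obj *r : cx.roots) r->marked = true;
    for (Obj *e = cx.enumerators; e; e = e->next)
        if (!e->marked) cx.danglingEnumerator = true;
    cx.heap.erase(std::remove_if(cx.heap.begin(), cx.heap.end(),
                                 [](const std::unique_ptr<Obj> &o) { return !o->marked; }),
                  cx.heap.end());
    // The real engine has no safety net here: the next walk of cx->enumerators
    // (js_SuppressDeletedProperty, reached by the testcase's delete) touches freed
    // memory. The model unlinks the chain instead so it can report the condition.
    if (cx.danglingEnumerator) cx.enumerators = nullptr;
}

// Buggy shape: the iterator is closed on the success path only, so an early
// return leaves it on cx->enumerators with nothing else keeping it alive.
bool reifyBuggy(Context &cx, Obj *iter, bool fail) {
    if (fail) return false;
    closeIterator(cx, iter);
    return true;
}

// Fixed shape: a scope guard closes the iterator on every exit path.
class AutoCloseIterator {
    Context &cx_;
    Obj *iter_;
public:
    AutoCloseIterator(Context &cx, Obj *iter) : cx_(cx), iter_(iter) {}
    ~AutoCloseIterator() { closeIterator(cx_, iter_); }
    AutoCloseIterator(const AutoCloseIterator &) = delete;
    AutoCloseIterator &operator=(const AutoCloseIterator &) = delete;
};

bool reifyFixed(Context &cx, Obj *iter, bool fail) {
    AutoCloseIterator close(cx, iter);
    if (fail) return false;
    return true;
}

// Open an iterator that only the chain references, run the chosen Reify on a
// forced failure path, collect, and hand back the resulting context.
Context runScenario(bool useFix) {
    Context cx;
    newObject(cx, true);                 // unrelated rooted object; must survive either way
    Obj *iter = newObject(cx, false);    // not rooted: only cx.enumerators will hold it
    openIterator(cx, iter);
    (void)(useFix ? reifyFixed(cx, iter, true) : reifyBuggy(cx, iter, true));
    gc(cx);
    return cx;
}

bool leavesDanglingEnumerator(bool useFix) { return runScenario(useFix).danglingEnumerator; }
size_t survivingObjects(bool useFix) { return runScenario(useFix).heap.size(); }

int main() {
    std::printf("buggy Reify leaves a dangling enumerator: %s\n", leavesDanglingEnumerator(false) ? "yes" : "no");
    std::printf("fixed Reify leaves a dangling enumerator: %s\n", leavesDanglingEnumerator(true) ? "yes" : "no");
    return 0;
}
```

Note that the fix does not keep the iterator alive: in both variants the unrooted iterator is collected and only the rooted object survives. What the guard changes is that the chain is unlinked before the collection, so nothing is left pointing at swept memory.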
(Assignee)

Comment 7

8 years ago
Yeah, the helper does look cleaner.

http://hg.mozilla.org/tracemonkey/rev/b013a27e6275
(Assignee)

Updated

8 years ago
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical][fixed-in-tracemonkey]

Comment 8

8 years ago
http://hg.mozilla.org/mozilla-central/rev/b013a27e6275
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_SuppressDeletedProperty] [@ JSObject::getPrivate]
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security