Closed
Bug 618576
Opened 14 years ago
Closed 14 years ago
Crash [@ js::PropertyTable::search] or "Assertion failure: isNative(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: jorendorff)
References
Details
(4 keywords, Whiteboard: [fixed-in-tracemonkey])
Crash Data
Attachments (1 file)
1.18 KB, patch | igor: review+
```js
eval("\
  (function(){\
    x=<x/>;\
    x.function::__proto__=(evalcx(''));\
    function m(n){\
      for(a in n);\
    }\
    for each(z in[x]){\
      m(z)\
    }\
  })\
")()
```

asserts js debug shell on TM changeset 1002cba2f2d6 without -m or -j at Assertion failure: isNative(), and crashes js opt shell at js::PropertyTable::search

Setting s-s because this seems to concern 0xc8, a scary address.

opt shell console output:

```
Program received signal SIGSEGV, Segmentation fault.
0x08147307 in js::PropertyTable::search(int, bool) ()
(gdb) bt
#0  0x08147307 in js::PropertyTable::search(int, bool) ()
#1  0x00000000 in ?? ()
(gdb) x/i $eip
=> 0x8147307 <_ZN2js13PropertyTable6searchEib+23>:	mov    (%eax),%ecx
(gdb) x/b $eax
0xc8:	Cannot access memory at address 0xc8
(gdb) x/b $ecx
0xffffca84:	0x00
```
Reporter
Updated•14 years ago
blocking2.0: --- → ?
Reporter
Comment 1•14 years ago
autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset:   43319:4c1fbfcf1d0d
user:        Jason Orendorff
date:        Wed Jun 16 16:13:28 2010 -0500
summary:     Bug 570169 - Part 2, add assertions that gcthings do not leak across compartments. r=gal.
```
Blocks: 570169
Updated•14 years ago
Assignee: general → gal
Updated•14 years ago
Assignee: gal → general
blocking2.0: ? → betaN+
Assignee
Updated•14 years ago
Assignee: general → jorendorff
Assignee
Comment 2•14 years ago
Attachment #497354 - Flags: review?(igor)
Assignee
Comment 3•14 years ago
Compartment stuff probably triggered this because it caused the result of evalcx("") to be non-native (a wrapper).
Comment 4•14 years ago
Comment on attachment 497354
v1

r+ on the patch with the test included
Attachment #497354 - Flags: review?(igor) → review+
Assignee
Comment 5•14 years ago
http://hg.mozilla.org/tracemonkey/rev/2062f14d2081
Whiteboard: [fixed-in-tracemonkey]
Comment 6•14 years ago
http://hg.mozilla.org/mozilla-central/rev/2062f14d2081
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ js::PropertyTable::search]
Comment 7•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
Status: RESOLVED → VERIFIED
Updated•9 years ago
Group: core-security