Closed Bug 618576 Opened 14 years ago Closed 14 years ago

Crash [@ js::PropertyTable::search] or "Assertion failure: isNative(),"

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: critical

Tracking
Status: VERIFIED FIXED
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: jorendorff)

Details: 4 keywords, Whiteboard: [fixed-in-tracemonkey]

Attachments: 1 file

eval("\
  (function(){\
    x=<x/>;\
    x.function::__proto__=(evalcx(''));\
    function m(n){\
      for(a in n);\
    }\
    for each(z in[x]){\
      m(z)\
    }\
  })\
")()

This asserts the js debug shell on TM changeset 1002cba2f2d6 (without -m or -j) with "Assertion failure: isNative()," and crashes the js opt shell at js::PropertyTable::search.


Setting s-s because this seems to concern 0xc8, a scary address.

opt shell console output:

Program received signal SIGSEGV, Segmentation fault.
0x08147307 in js::PropertyTable::search(int, bool) ()
(gdb) bt
#0  0x08147307 in js::PropertyTable::search(int, bool) ()
#1  0x00000000 in ?? ()
(gdb) x/i $eip
=> 0x8147307 <_ZN2js13PropertyTable6searchEib+23>:	mov    (%eax),%ecx
(gdb) x/b $eax
0xc8:	Cannot access memory at address 0xc8
(gdb) x/b $ecx
0xffffca84:	0x00
blocking2.0: --- → ?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   43319:4c1fbfcf1d0d
user:        Jason Orendorff
date:        Wed Jun 16 16:13:28 2010 -0500
summary:     Bug 570169 - Part 2, add assertions that gcthings do not leak across compartments. r=gal.
Blocks: 570169
Assignee: general → gal
Assignee: gal → general
blocking2.0: ? → betaN+
Assignee: general → jorendorff
Attached patch v1
Attachment #497354 - Flags: review?(igor)
Compartment stuff probably triggered this because it caused the result of evalcx("") to be non-native (a wrapper).
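As an added illustration of the comment above (a constructed model, not SpiderMonkey's code and not the patch on this bug): a C sketch of the failure mode, a lookup that assumes the native object layout but is handed a wrapper. All names (Obj, PropertyTable, is_native, search_checked, ...) are hypothetical, and the wrapper handle 0xc8 is chosen only to mirror the faulting address in the gdb output. The "hardened" variant adds just the guard the assertion names; the actual fix in the attached patch is not shown on this page.

```c
/* Constructed model of the failure mode in this bug (not SpiderMonkey code):
 * a lookup that assumes the native object layout is handed a wrapper.
 * Names (Obj, PropertyTable, is_native, ...) are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { KIND_NATIVE, KIND_WRAPPER } ObjKind;

typedef struct { int id; const char *name; } PropEntry;

/* A native object's property table: what a property search walks. */
typedef struct { size_t count; const PropEntry *entries; } PropertyTable;

/* Both kinds share the header; only natives keep a PropertyTable pointer in
 * the payload slot. A wrapper stores an opaque handle there instead. */
typedef struct {
    ObjKind kind;
    union {
        const PropertyTable *table;   /* valid only if kind == KIND_NATIVE */
        uintptr_t            handle;  /* wrapper: identity of wrapped object */
    } u;
} Obj;

static int is_native(const Obj *o) { return o->kind == KIND_NATIVE; }

/* The pattern that crashed: no isNative() check, so the payload slot is
 * dereferenced as a PropertyTable whatever the object really is. Called on
 * a wrapper whose handle is a small integer, the read lands on an unmapped
 * low address (the report shows 0xc8). */
static int search_unchecked(const Obj *o, int id) {
    const PropertyTable *t = o->u.table;
    for (size_t i = 0; i < t->count; i++)
        if (t->entries[i].id == id) return (int)i;
    return -1;
}

/* The address the unchecked path would read, computed without reading it,
 * so a wrapper can be inspected safely. */
static uintptr_t unchecked_table_address(const Obj *o) {
    return (uintptr_t)o->u.table;
}

#define SEARCH_MISSING    (-1)
#define SEARCH_NOT_NATIVE (-2)

/* Hardened lookup: refuse non-native objects before touching the payload. */
static int search_checked(const Obj *o, int id) {
    if (!is_native(o)) return SEARCH_NOT_NATIVE;
    return search_unchecked(o, id);   /* layout is known to be native here */
}

/* Constructed fixtures. Handle 0xc8 mirrors the faulting address in the
 * report and is otherwise arbitrary. */
static const PropEntry g_props[] = { {1, "x"}, {2, "__proto__"} };
static const PropertyTable g_table = { 2, g_props };

static Obj sample_native(void)  { Obj o = { KIND_NATIVE,  { .table = &g_table } }; return o; }
static Obj sample_wrapper(void) { Obj o = { KIND_WRAPPER, { .handle = 0xc8 } };   return o; }

/* Entry points that run each lookup on the fixtures. */
static int lookup_on_native(int id)  { Obj n = sample_native();  return search_checked(&n, id); }
static int lookup_on_wrapper(int id) { Obj w = sample_wrapper(); return search_checked(&w, id); }
static uintptr_t wrapper_unchecked_address(void) {
    Obj w = sample_wrapper();
    return unchecked_table_address(&w);
}

int main(void) {
    printf("native : search_checked(id=2) -> index %d\n", lookup_on_native(2));
    printf("wrapper: search_checked(id=2) -> %d (refused: not native)\n", lookup_on_wrapper(2));
    printf("wrapper: unchecked path would read a table at %#lx\n",
           (unsigned long)wrapper_unchecked_address());
    return 0;
}
```

The point of the model is the shape of the fault, not the exact SpiderMonkey layout: a kind check belongs before any code that interprets the payload slot as a native property table, and a wrapper reaching that code without the check turns a type confusion into a read from whatever the wrapper happens to store there.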
Comment on attachment 497354
v1

r+ on the patch with the test included
Attachment #497354 - Flags: review?(igor) → review+
http://hg.mozilla.org/tracemonkey/rev/2062f14d2081
Whiteboard: [fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/2062f14d2081
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::PropertyTable::search]
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security