Closed Bug 646052 Opened 13 years ago Closed 13 years ago

Crash [@ js::PropertyTable::search(int, bool)]

Categories

(Core :: JavaScript Engine, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking


VERIFIED DUPLICATE of bug 635389
Tracking Status
blocking2.0 --- .x+

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos])

Crash Data

<script>
x = [];x.join = x.toString;while ((7) & x) {}
</script>

or

javascript:x = [];x.join = x.toString;while ((7) & x) {}

Boom, Firefox 4 final goes up in flames. This is really bad, < 60 characters to crash. New profile. Signature is #16 on Firefox 4 topcrash list, and rising.

bp-1ed98119-4ae0-4713-8614-c1d9c2110329

s-s and setting [sg:critical?] to fear the worst, and blocking2.0? for being a topcrasher.

See bug 595975 for a possibly-related topcrash bug. cc'ing marcia, chofmann.

js::PropertyTable::search(int, bool) signature, 12k Windows crashes:
https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-29%2005%3A00%3A00&signature=js%3A%3APropertyTable%3A%3Asearch%28int%2C%20bool%29&version=Firefox%3A4.0

js::PropertyTable::search Linux/Mac:
https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-29%2005%3A00%3A00&signature=js%3A%3APropertyTable%3A%3Asearch&version=Firefox%3A4.0
Happens on Linux too. Getting a regression window...
OS: Windows 7 → All
Hardware: x86 → All
Opt shell backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x080e82af in js_GetProperty(JSContext*, JSObject*, JSObject*, int, js::Value*) ()
(gdb) bt
#0  0x080e82af in js_GetProperty(JSContext*, JSObject*, JSObject*, int, js::Value*) ()
#1  0x0806695e in array_toString(JSContext*, unsigned int, js::Value*) ()
#2  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#3  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#4  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#5  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#6  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#7  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#8  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#9  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#10 0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
--snip--


May be a recursive stack overflow.

This, though, smells immensely like bug 635389.
Definitely a duplicate.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
blocking2.0: ? → .x+
Crash Signature: [@ js::PropertyTable::search(int, bool)]
Scratchpad now shows too much recursion error message instead of crashing. (using scratchpad since the javascript: protocol in the URL bar is disabled)

-> VERIFIED.
Status: RESOLVED → VERIFIED
Group: core-security
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dos]
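The testcase and the backtrace above show the same thing: Array.prototype.toString looks up this.join and calls it, so aliasing join to toString makes toString call itself until the stack is exhausted. The following is an added example (not code from the bug report or from SpiderMonkey) that reproduces that mutual recursion in any current engine, shows the RangeError a patched engine raises instead of crashing (the "too much recursion" behaviour noted in the verification comment), and measures how deep the recursion runs before the engine's stack guard stops it. The helper names are chosen here and are not part of the page.

```javascript
// Added example: mechanism behind the crash testcase, observed on a
// patched engine. Not code from the bug or from the JS engine itself.

// Same aliasing as the testcase: x.toString -> this.join -> x.toString -> ...
function buildAliasedArray() {
  const x = [];
  x.join = x.toString;
  return x;
}

// Coerce the array the way `(7) & x` does: ToPrimitive tries valueOf (returns
// the array itself, not a primitive), then toString, which recurses.
// Returns a classification of what the engine did.
function probeRecursion(arr) {
  try {
    const r = 7 & arr;
    return { outcome: 'value', result: r };
  } catch (e) {
    return {
      outcome: e instanceof RangeError ? 'RangeError' : 'other',
      message: e.message,
    };
  }
}

// Array.prototype.toString only recurses because join resolved to a callable.
// If join is not callable the spec falls back to Object.prototype.toString,
// which is why this returns "[object Array]" rather than recursing.
function toStringWithNonCallableJoin() {
  const x = [];
  x.join = 1;
  return String(x);
}

// Wrap toString with a counter to see how many frames the engine allows
// before its stack guard throws RangeError. The exact number is engine- and
// platform-specific; the point is that it is bounded.
function measureRecursionDepth() {
  let depth = 0;
  const x = [];
  const original = x.toString;
  x.toString = function () {
    depth++;
    return original.call(this); // looks up this.join, which is this wrapper again
  };
  x.join = x.toString;
  try {
    String(x);
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
  }
  return depth;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(probeRecursion(buildAliasedArray()));
  console.log(toStringWithNonCallableJoin());
  console.log('recursion depth before RangeError:', measureRecursionDepth());
}
```

On a fixed engine the first call reports a RangeError rather than a SIGSEGV like the one in the backtrace; the non-callable-join case illustrates that the recursion is entirely a consequence of the join lookup, which is the property access that the crashing frames were performing.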
A testcase for this bug was already added in the original bug (bug 635389).
Flags: in-testsuite-