Closed
Bug 658803
Opened 12 years ago
Closed 12 years ago
TI: "Assertion failure: !newScriptCleared,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, testcase)
function f() {
  var N = 624;
  this.init_genrand = function(s) {
    for (z = 1; z < N; z++) {}
  };
}
(function() { new f; }());
function g(o) {
  var props = Object.getOwnPropertyNames(o);
  var prop = props[props.length - 1] + "p";
  o[prop] = Number.prototype.__proto__;
}
g(Number.prototype.__proto__);

asserts js debug shell on JM changeset 33f1ad45ccb8 with -n at Assertion failure: !newScriptCleared,

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

(gdb) bt
#0 0xf7fdf430 in __kernel_vsyscall ()
#1 0xf7fafa90 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x081ff23d in JS_Assert (s=0x83eec65 "!newScriptCleared", file=0x83ee71c "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinfer.cpp", ln=2805) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsutil.cpp:89
#3 0x08114048 in js::types::TypeObject::clearNewScript (this=0x852c260, cx=0x84ea1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinfer.cpp:2805
#4 0x0811e892 in TypeConstraintClearDefiniteSetter::newType (this=0x852c360, cx=0x84ea1b8, source=0x852c32c, type=7) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinfer.cpp:3985
#5 0x0805c34f in js::types::TypeCompartment::resolvePending (this=0x84eab58, cx=0x84ea1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinferinlines.h:892
#6 0x0805c711 in js::types::TypeSet::addType (this=0x852c32c, cx=0x84ea1b8, type=7) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinferinlines.h:1170
#7 0x08113fd5 in js::types::TypeObject::markUnknown (this=0x8528f18, cx=0x84ea1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinfer.cpp:2796
#8 0x08113f72 in js::types::TypeObject::markUnknown (this=0x8521bc0, cx=0x84ea1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinfer.cpp:2779
#9 0x080810bf in JSContext::markTypeObjectUnknownProperties (this=0x84ea1b8, obj=0x8521bc0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinferinlines.h:480
#10 0x083aef92 in JSScript::typeMonitorAssign (this=0x852e108, cx=0x84ea1b8, pc=0x852e1ee "8QŰe\005\310`\r3", obj=0xf7504050, id=..., rval=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinferinlines.h:691
#11 0x0839b6c7 in js::Interpret (cx=0x84ea1b8, entryFrame=0xf76dd030, inlineCallCount=1, interpMode=js::JSINTERP_NORMAL) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinterp.cpp:4551
#12 0x08128219 in js::RunScript (cx=0x84ea1b8, script=0x852df80, fp=0xf76dd030) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinterp.cpp:607
#13 0x0812961b in js::Execute (cx=0x84ea1b8, chain=..., script=0x852df80, prev=0x0, flags=0, result=0xffffd138) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsinterp.cpp:992
#14 0x0807a97d in JS_ExecuteScript (cx=0x84ea1b8, obj=0xf75020a8, scriptObj=0xf7504488, rval=0xffffd138) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/jsapi.cpp:5078
#15 0x0804c5a5 in Process (cx=0x84ea1b8, obj=0xf75020a8, filename=0x0, forceTTY=0, last=1) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/shell/js.cpp:555
#16 0x0804d311 in ProcessArgs (cx=0x84ea1b8, obj=0xf75020a8, argv=0xffffd378, argc=1) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/shell/js.cpp:984
#17 0x0805888f in Shell (cx=0x84ea1b8, argc=1, argv=0xffffd378, envp=0xffffd380) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/shell/js.cpp:5970
#18 0x08058b79 in main (argc=1, argv=0xffffd378, envp=0xffffd380) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69810-33f1ad45ccb8/compilePath/js/src/shell/js.cpp:6103
Comment 1•12 years ago
The ClearDefiniteSetter type constraint (used to clear information about properties a type object definitely has if its prototype gets a setter for one of those properties) did not check that those definite properties had already been cleared before trying to clear them again. http://hg.mozilla.org/projects/jaegermonkey/rev/9e085d869d9b
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
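Added example, not part of the bug report or of SpiderMonkey's own code: it shows in plain JavaScript why a setter appearing on a prototype forces the engine to drop "definite property" information inferred from a constructor. Once the prototype defines a setter for x, the assignment this.x = 1 in the constructor runs the setter instead of creating an own property, so any object layout derived from the constructor body no longer holds. The names Point, hasOwnX, layoutBeforeSetter, installSetterOnPrototype and layoutAfterSetter are hypothetical.

```javascript
// Added example, not from the bug report or SpiderMonkey: why a prototype
// setter invalidates "definite property" information. Names are hypothetical.

// Constructor an engine could analyse: `this.x = 1` looks like it always
// creates an own data property `x` on every new instance.
function Point() {
  this.x = 1;
}

function hasOwnX(obj) {
  return Object.prototype.hasOwnProperty.call(obj, "x");
}

// Before any setter exists: every instance gets its own `x` slot.
function layoutBeforeSetter() {
  var p = new Point();
  return { ownX: hasOwnX(p), value: p.x };
}

// Install an accessor for `x` on the prototype. From now on the assignment
// in the constructor resolves to this setter, so no own property is created.
function installSetterOnPrototype() {
  Object.defineProperty(Point.prototype, "x", {
    set: function (v) { this.captured = v; },
    get: function () { return "from-setter"; },
    configurable: true
  });
}

// After the setter: the inferred layout (definite own `x`) is wrong. This is
// the situation the ClearDefiniteSetter constraint exists to react to.
function layoutAfterSetter() {
  installSetterOnPrototype();
  var p = new Point();
  return { ownX: hasOwnX(p), value: p.x, captured: p.captured };
}
```

Calling layoutBeforeSetter() and then layoutAfterSetter() shows the same constructor producing two different object shapes, which is why cached layout assumptions must be cleared, and cleared only once, when such a setter shows up.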
Comment 2•10 years ago
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+