Closed
Bug 665914
Opened 14 years ago
Closed 14 years ago
Crash [@ js::ArrayBuffer::getArrayBuffer] or "Assertion failure: obj,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla8
| Tracking | Status | |
|---|---|---|
| firefox7 | - | --- |
People
(Reporter: gkw, Assigned: nsm)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(2 files, 1 obsolete file)
|
7.35 KB,
text/plain
|
Details | |
|
1.93 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
ArrayBuffer.prototype['byteLength']
crashes js opt shell on TM changeset 57ef3b619966 without any CLI arguments at js::ArrayBuffer::getArrayBuffer and asserts js debug shell at Assertion failure: obj,
|
||
Comment 1•14 years ago
|
||
The first bad revision is:
changeset: b89374bc34ee
user: Nikhil Marathe
date: Tue Jun 14 15:33:11 2011 -0400
summary: Bug 656519 - Avoid a malloc (and a finalizer) by storing the malloc'd array in our slots instead of in a separate malloc'd structure in our private field. r=mrbkap
Blocks: 656519
tracking-firefox7:
--- → ?
|
Assignee | |
Comment 2•14 years ago
|
||
All external API users should use js_IsTypedArray as a check, and getArrayBuffer could always return NULL otherwise. prop_getByteLength was the one exception where things could go wrong. The patch handles the null case. Test case updated.
|
Reporter | |
Comment 3•14 years ago
|
||
(In reply to comment #2)
> Created attachment 540793 [details] [diff] [review] [review]
> Fix: Allow getArrayBuffer to check and return NULL
>
> All external API users should use js_IsTypedArray as a check, and
> getArrayBuffer could always return NULL otherwise. prop_getByteLength was
> the one exception where things could go wrong. The patch handles the null
> case. Test case updated.
Nikhil, just wondering whether missed setting a reviewer, or is a new patch forthcoming?
|
|
Assignee | |
Updated•14 years ago
|
Attachment #540793 -
Flags: review?(mrbkap)
|
|
||
Comment 4•14 years ago
|
||
Comment on attachment 540793 [details] [diff] [review]
Fix: Allow getArrayBuffer to check and return NULL
Why not do the obj != NULL bypass before the gerArrayBuffer?
|
|
Assignee | |
Comment 5•14 years ago
|
||
Andreas,
If you mean something like below in prop_getByteLength
if (!obj) {
// set to 0
}
JSObject *arrayBuffer = getArrayBuffer(obj);
then this code can still fail:
var x = {}
x.__proto__ = ArrayBuffer.prototype
x.byteLength
|
||
Comment 6•14 years ago
|
||
Comment on attachment 540793 [details] [diff] [review]
Fix: Allow getArrayBuffer to check and return NULL
Review of attachment 540793 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jstypedarray.cpp
@@ +114,4 @@
> JSObject *
> ArrayBuffer::getArrayBuffer(JSObject *obj)
> {
> + while (obj != NULL && !js_IsArrayBuffer(obj))
Nit: In the JS engine, we don't bother explicitly comparing to null, and instead would just write |while (obj && ...)|.
Attachment #540793 -
Flags: review?(mrbkap) → review+
|
|
||
Updated•14 years ago
|
Assignee: general → nsm.nikhil
|
|
Assignee | |
Comment 7•14 years ago
|
||
fix nit.
Attachment #540793 -
Attachment is obsolete: true
Attachment #542977 -
Flags: review?(mrbkap)
|
|
||
Updated•14 years ago
|
Attachment #542977 -
Flags: review?(mrbkap) → review+
|
|
||
Comment 8•14 years ago
|
||
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 9•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/e52e78e088e5
|
|
||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
|
||
Comment 10•14 years ago
|
||
This bug was nominated for tracking Firefox 7. Is the fix suitable for landing on Aurora? If so, please nominate the attachment with an approval request and an explanation of the value of the patch and the associated risk. Thanks.
|
|
Reporter | |
Comment 11•14 years ago
|
||
This bug is nominated tracking-firefox7 because it fixes a crash that made it to mozilla-central. (See comment 1)
|
|
||
Comment 12•14 years ago
|
||
We have lots of crashes and release drivers cannot add a lot of value by reading all of our crash reports several times a week. If someone believes this is a fix worth taking on Aurora, then please nominate the attachment with a risk analysis. Thanks.
|
|
Reporter | |
Comment 13•14 years ago
|
||
(In reply to comment #12)
> We have lots of crashes and release drivers cannot add a lot of value by
> reading all of our crash reports several times a week. If someone believes
> this is a fix worth taking on Aurora, then please nominate the attachment
> with a risk analysis. Thanks.
Brendan mentions this particular bug should be taken:
http://groups.google.com/group/mozilla.dev.tech.js-engine.internals/browse_thread/thread/626c85124555c0c9
From fuzzers' perspective, it fixes a bug that fuzzers find easily.
Nikil will have to nominate the attachment with a risk analysis.
|
||
Comment 15•13 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•