Aurora: Crash [@ SuppressDeletedPropertyHelper<SingleIdPredicate>]

Status: NEW
Assignee: Unassigned
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Last modified: 2 years ago

People: Reporter: decoder, Unassigned

Tracking: Blocks: 1 bug; Keywords: crash, testcase
Version: 9 Branch
Platform: x86, Linux
Points: ---

Firefox Tracking Flags: firefox9 affected

Whiteboard: js-triage-needed, crash signature

Description (Reporter, 6 years ago)
The following test crashes on mozilla-aurora revision 4754469691db (32 bit optimized build, options -m -n):

loadFile();
function loadFile(unused) {
  eval("\
function testUndemoteLateGlobalSlots() {\
  for each (aaa in [(null ), '', 0/0, '']) {\
    for each (let aaa in [0, 0]) {\
      try {\
        testUndemoteLateGlobalSlots(aaa);\
      } catch (aaa) {}\
    }\
  }\
  delete aaa;\
}\
assertEq(testUndemoteLateGlobalSlots(), 'ok');\
");
}

I cannot reproduce this issue on mozilla-central. It would be good if someone could check that the underlying bug is also not present on mozilla-central and if we need this fixed on aurora. The crash seems to be a near null-deref:

==36433== Invalid read of size 1
==36433==    at 0x80E3137: bool SuppressDeletedPropertyHelper<SingleIdPredicate>(JSContext*, JSObject*, SingleIdPredicate) (jsiter.cpp:847)
==36433==    by 0x80E3B6E: js_SuppressDeletedProperty(JSContext*, JSObject*, int) (jsiter.cpp:920)
==36433==    by 0x80F04C3: js_DeleteProperty(JSContext*, JSObject*, int, JS::Value*, int) (jsobj.cpp:6467)
==36433==    by 0x8073E3A: JSObject::deleteProperty(JSContext*, int, JS::Value*, int) (jsobjinlines.h:176)
==36433==    by 0x80D3929: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:3166)
==36433==    by 0x80E171A: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:814)
==36433==    by 0x80FA932: EvalKernel(JSContext*, js::CallArgs const&, EvalType, js::StackFrame*, JSObject&) (jsobj.cpp:1283)
==36433==    by 0x80FAD86: js::DirectEval(JSContext*, js::CallArgs const&) (jsobj.cpp:1346)
==36433==    by 0x80DA90D: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:4006)
==36433==    by 0x80E2378: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:814)
==36433==    by 0x80617CD: JS_ExecuteScript (jsapi.cpp:4891)
==36433==    by 0x8050AA6: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:483)
==36433==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
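As an added triage helper (not part of this bug report or of SpiderMonkey), the following parses the Valgrind frames quoted above into the two signature forms that appear in this bug's Crash Signature field and flags the faulting address as a near-null dereference. The sample report is a constructed excerpt of the trace above; the "collapse template arguments to <T>" rule and the 4096-byte first-page threshold are assumptions.

```python
import re

# Constructed sample: the first frames of the Valgrind report quoted in this bug.
VALGRIND_SAMPLE = """\
==36433== Invalid read of size 1
==36433==    at 0x80E3137: bool SuppressDeletedPropertyHelper<SingleIdPredicate>(JSContext*, JSObject*, SingleIdPredicate) (jsiter.cpp:847)
==36433==    by 0x80E3B6E: js_SuppressDeletedProperty(JSContext*, JSObject*, int) (jsiter.cpp:920)
==36433==    by 0x80F04C3: js_DeleteProperty(JSContext*, JSObject*, int, JS::Value*, int) (jsobj.cpp:6467)
==36433==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
"""

# One located 'at'/'by' frame: "==PID==  at 0xADDR: <symbol> (file:line)"
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*?)\s+\((\S+):(\d+)\)\s*$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+)\b")

def parse_frames(report):
    """Return (symbol, file, line) tuples, innermost frame first, for every located frame."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(FRAME_RE.match, report.splitlines()) if m]

def function_name(symbol):
    """Drop the return type and parameter list, keeping the name and its template args."""
    start, end, depth = 0, len(symbol), 0
    for i, ch in enumerate(symbol):
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0 and ch == " ":
            start = i + 1          # text before the last top-level space is the return type
        elif depth == 0 and ch == "(":
            end = i                # the parameter list starts here
            break
    return symbol[start:end]

def generalize_templates(name):
    """Collapse each top-level template argument list to <T> (assumed rule, mirrors the bug's second signature)."""
    out, depth = [], 0
    for ch in name:
        if ch == "<":
            if depth == 0:
                out.append("<T>")
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def crash_signatures(report):
    """'[@ frame0]' signatures for the top frame: exact and template-generalized."""
    top = function_name(parse_frames(report)[0][0])
    return f"[@ {top}]", f"[@ {generalize_templates(top)}]"

def faulting_address(report):
    m = next((m for m in map(ADDR_RE.match, report.splitlines()) if m), None)
    return int(m.group(1), 16) if m else None

def is_near_null(addr, page_size=4096):
    """An address inside the (assumed 4 KiB, unmapped) first page is NULL plus a field offset."""
    return addr is not None and addr < page_size
```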

Updated (Assignee, 3 years ago)
Assignee: general → nobody

Updated (2 years ago)
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleIdPredicate>] → [@ SuppressDeletedPropertyHelper<SingleIdPredicate>] [@ SuppressDeletedPropertyHelper<T>]