Crash at its_getter

RESOLVED FIXED in mozilla11

Status

Core
JavaScript Engine
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

11 Branch
mozilla11
x86_64
Linux
assertion, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following testcase asserts on jaegermonkey branch revision 1210706b4576 (run with -m -n -a), tested on 64-bit:

this.__proto__ = null;              // detach the global from Object.prototype...
Object.prototype.__proto__ = this;  // ...and make the global the prototype of Object.prototype
function exploreProperties(obj) {
  // Collect every own property name along the whole prototype chain,
  // which now includes the shell's global object.
  var props = [];
  for (var o = obj; o; o = Object.getPrototypeOf(o)) {
    props = props.concat(Object.getOwnPropertyNames(o));
  }
  // Reading each name on the array invokes inherited getters with the
  // array, not their own object, as the receiver.
  for (var i = 0; i < props.length; ++i) {
    var p = props[i];
    var v = obj[p];
  }
}
var c = [{}];
exploreProperties(c);
(Assignee)

Comment 1

6 years ago
This testcase crashes on m-i cset e05e46646dc3.

its_getter and its_setter (PropertyOp hooks only defined in the shell) do not have checks that they are being called on the right object, and will go straight to the object's private data.  The accessed object is an array; this crashes on JM because on JM arrays do not have private data, and crashes on trunk because the array private data is an integer (array length) rather than a pointer (as expected by the hook).
Summary: [ObjShrink]: Assertion failure: hasPrivate(), at ../../jsobjinlines.h:90 → Crash at its_getter
Target Milestone: --- → mozilla10
Version: Other Branch → 11 Branch
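As an added illustration of the defect described in comment 1 (this is not code from the patch or from the js shell), a C sketch of a PropertyOp-style getter that trusts its receiver's private word beside one that first checks the receiver's class. The class and object layouts, the It/Array names and the sample values are constructed stand-ins for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy model of the situation in comment 1. The class and object layouts
 * are constructed for this example; they are not the real SpiderMonkey
 * or js shell definitions. */
typedef struct ObjClass { const char *name; } ObjClass;

static const ObjClass its_class   = { "It" };
static const ObjClass array_class = { "Array" };

/* One machine word of "private" state: a pointer for It objects, the
 * element count for arrays (as comment 1 describes for trunk). */
typedef struct Object {
    const ObjClass *clasp;
    uintptr_t       private_word;
} Object;

typedef struct ItsPrivate { int value; } ItsPrivate;

/* Buggy shape: reinterpret the word as a pointer without checking the
 * receiver's class. Returned rather than dereferenced so the example
 * cannot crash; the real hook dereferenced it. */
void *its_getter_unchecked(const Object *obj)
{
    return (void *)obj->private_word;
}

/* Hardened shape: only an It object may reach its private data. */
bool its_getter_checked(const Object *obj, int *out)
{
    if (obj->clasp != &its_class)
        return false;                 /* wrong receiver: refuse */
    const ItsPrivate *p = (const ItsPrivate *)obj->private_word;
    if (p == NULL)
        return false;                 /* It object without private data */
    *out = p->value;
    return true;
}

/* Constructed samples: an It whose private value is 42, and an array of
 * length 1, whose word is the small integer 1 rather than a pointer. */
static ItsPrivate sample_private = { 42 };
Object make_it_object(void)    { Object o = { &its_class,   (uintptr_t)&sample_private }; return o; }
Object make_array_object(void) { Object o = { &array_class, (uintptr_t)1 }; return o; }
```

For the array object the unchecked getter hands back the integer 1 as a "pointer", which is exactly the value the real hook went on to dereference.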
(Assignee)

Updated

6 years ago
Target Milestone: mozilla10 → ---
(Assignee)

Comment 2

6 years ago
Created attachment 573207 [details] [diff] [review]
patch (95d98e8ab9f3)

I guess this is the right fix, though I don't know how the PropertyOp API works so well.
Assignee: general → bhackett1024
Attachment #573207 - Flags: review?
(Assignee)

Updated

6 years ago
Attachment #573207 - Flags: review? → review?(jwalden+bmo)
Comment on attachment 573207 [details] [diff] [review]
patch (95d98e8ab9f3)

Review of attachment 573207 [details] [diff] [review]:
-----------------------------------------------------------------

I wonder how many of the bugs related to the its class are bugs due to its buggy implementation, versus bugs that reveal actual problems.
Attachment #573207 - Flags: review?(jwalden+bmo) → review+
I feel like at some point I wrote comment 1 in another bug, then nobody acted on it because it wasn't an actual bug, and it got rediscovered here in a somewhat different manner.  But I might be wrong about that.  :-\
(Assignee)

Comment 5

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2ed79d6fea9
(Reporter)

Updated

6 years ago
Duplicate of this bug: 688371
https://hg.mozilla.org/mozilla-central/rev/c2ed79d6fea9
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
(Reporter)

Updated

5 years ago
Duplicate of this bug: 693045
(Reporter)

Comment 9

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+