Closed Bug 743000 Opened 14 years ago Closed 13 years ago

Crash [@ JSCompartment::wrap] or [@ TypedArrayTemplate<int>::copyFromTypedArray] or "Assertion failure: IsFastOrSlowTypedArray(obj),"

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla14
Tracking Status
firefox11 --- unaffected
firefox12 --- unaffected
firefox13 --- unaffected
firefox14 + fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: sfink)

References

Details

(5 keywords, Whiteboard: [advisory-tracking-])

Crash Data

Attachments

(2 files)

Attached file stack
Int32Array(wrap(new Uint8ClampedArray))

asserts js debug shell on m-c changeset 1da11a2bc5db without any CLI flags at Assertion failure: IsFastOrSlowTypedArray(obj), and crashes js opt shell at TypedArrayTemplate<int>::copyFromTypedArray.

s-s just to be safe; this might be related to bug 736609. A shell compiled with the patch in bug 736609 still shows this assert.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   91040:17e95355ad77
user:        Bobby Holley
date:        Thu Apr 05 09:39:41 2012 +1000
summary:     Bug 737245 - Typed Arrays should handle cross-compartment wrappers; part3. r=luke
Blocks: 737245
This stuff has been taken over by sfink and markh. I didn't land the patches (though I wrote them a while back), so I'm not really in the loop here.
This also crashes as JSCompartment::wrap on Mac with another testcase:

evalcx("wrap(new Uint8ClampedArray).buffer;", newGlobal("new-compartment"));
Crash Signature: [@ TypedArrayTemplate<int>::copyFromTypedArray] → [@ TypedArrayTemplate<int>::copyFromTypedArray] [@ JSCompartment::wrap]
OS: Windows 7 → All
Hardware: x86 → All
Summary: Crash [@ TypedArrayTemplate<int>::copyFromTypedArray] or "Assertion failure: IsFastOrSlowTypedArray(obj)," → Crash [@ JSCompartment::wrap] or [@ TypedArrayTemplate<int>::copyFromTypedArray] or "Assertion failure: IsFastOrSlowTypedArray(obj),"
I think this should be fixed with bug 741041, though I'll need to check to be sure. It's definitely the sort of thing that I'm trying to fix. Thanks!
Status: NEW → ASSIGNED
I've found a version that crashes at js::GCMarker::drainMarkStack, so I'm quite sure this can be [sg:critical].
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
(In reply to Steve Fink [:sfink] from comment #4)
> I think this should be fixed with bug 741041, though I'll need to check to
> be sure. It's definitely the sort of thing that I'm trying to fix. Thanks!

Bug 741041 should land in Firefox 14, else the regressor of this bug needs to be backed out.
Attached file Second testcase stack
> I've found a version that crashes at js::GCMarker::drainMarkStack, so I'm
> quite sure this can be [sg:critical].

Function("b = wrap(Float64Array()).buffer")()
gc()

I've attached the backtrace for this testcase. This testcase accesses weird memory address 0xebe04511.
> Function("b = wrap(Float64Array()).buffer")()
> gc()

This also asserts 32-bit js debug shell on mozilla-central changeset 434f50e70815 without any CLI arguments at Assertion failure: IsFastOrSlowTypedArray(obj)
(In reply to Steve Fink [:sfink] from comment #4)
> I think this should be fixed with bug 741041, though I'll need to check to
> be sure. It's definitely the sort of thing that I'm trying to fix. Thanks!

I was wrong. Bug 711843 fixes this. The problem is that e.g. prop_getBuffer() calls js_IsTypedArray(), which, as of the patch identified in comment 1, unconditionally unwraps its argument. This is wrong in all kinds of ways. I could probably come up with a spot fix that partially rolled back that patch, but bug 711843 restructures the code flow so it's easy to only unwrap on the paths that need it. If I can't get bug 711843 landed in the next few days, I'll work on a spot fix.
Depends on: 711843
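The comment above describes the root cause: a type predicate that unwraps its argument before answering, so callers that only hold the wrapper go on to read typed-array internals from an object that is not one. The following is an added model in plain JavaScript, not SpiderMonkey code; CrossCompartmentWrapper, isTypedArrayUnwrapping, getBufferBuggy/getBufferFixed and copyFromTypedArrayBuggy/copyFromTypedArrayFixed are hypothetical stand-ins for the engine's wrapper, js_IsTypedArray, prop_getBuffer and copyFromTypedArray. In the engine the buggy reads are slot accesses on the wrong object layout; here they surface as undefined, which is enough to show why the check and the unwrap must apply to the same object.

```javascript
// Added model (not SpiderMonkey's code) of the unwrapping-predicate bug.
// Hypothetical stand-in for a cross-compartment wrapper: it hides its target
// and exposes it only through the engine-side unwrap() helper.
class CrossCompartmentWrapper {
  #target;
  constructor(target) { this.#target = target; }
  static unwrap(obj) {
    return obj instanceof CrossCompartmentWrapper ? obj.#target : obj;
  }
}

// Plain predicate: answers only for the object it was actually given.
function isTypedArray(obj) {
  return ArrayBuffer.isView(obj) && !(obj instanceof DataView);
}

// Buggy predicate (models js_IsTypedArray after the regressing patch): it
// unconditionally unwraps, so it says "yes" for a wrapper around a typed
// array even though the wrapper itself has no typed-array internals.
function isTypedArrayUnwrapping(obj) {
  return isTypedArray(CrossCompartmentWrapper.unwrap(obj));
}

// Models prop_getBuffer(): the check passes on the wrapper, then the caller
// reads .buffer from the wrapper. In C++ that is a slot read on an object
// whose layout is not a typed array's; here it is simply undefined.
function getBufferBuggy(obj) {
  if (!isTypedArrayUnwrapping(obj)) throw new TypeError("not a typed array");
  return obj.buffer;
}

// Hardened: unwrap explicitly on the path that needs it, check the unwrapped
// object, and use that same object for every later access.
function getBufferFixed(obj) {
  const target = CrossCompartmentWrapper.unwrap(obj);
  if (!isTypedArray(target)) throw new TypeError("not a typed array");
  return target.buffer;
}

// Models copyFromTypedArray(): length and elements are read from whatever
// object the (buggy) check approved. src.length is undefined on the wrapper,
// so the loop copies nothing; the engine reads a length from the wrong place.
function copyFromTypedArrayBuggy(dst, src) {
  if (!isTypedArrayUnwrapping(src)) throw new TypeError("not a typed array");
  for (let i = 0; i < src.length; i++) dst[i] = src[i];
  return dst;
}

function copyFromTypedArrayFixed(dst, src) {
  const target = CrossCompartmentWrapper.unwrap(src);
  if (!isTypedArray(target)) throw new TypeError("not a typed array");
  for (let i = 0; i < target.length; i++) dst[i] = target[i];
  return dst;
}

// Constructed inputs mirroring the reported testcases (a wrapped
// Uint8ClampedArray handed to code expecting a typed array).
function demo() {
  const wrapped = new CrossCompartmentWrapper(new Uint8ClampedArray([1, 2, 3]));
  return {
    buggyBuffer: getBufferBuggy(wrapped),                 // undefined
    fixedBuffer: getBufferFixed(wrapped) instanceof ArrayBuffer,
    buggyCopy: Array.from(copyFromTypedArrayBuggy(new Int32Array(3), wrapped)),
    fixedCopy: Array.from(copyFromTypedArrayFixed(new Int32Array(3), wrapped)),
  };
}

// Wrapper around something that is not a typed array: the fixed path rejects it.
function rejectsNonTypedArrayWrapper() {
  try {
    getBufferFixed(new CrossCompartmentWrapper({}));
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(demo());
```

The design point is the one sfink makes: a predicate that unwraps behind the caller's back decouples "what was checked" from "what is used". Keeping the unwrap explicit on the paths that need it (the fixed variants) means the object that passed the check is the object whose internals are read.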
(In reply to Steve Fink [:sfink] from comment #9)
> (In reply to Steve Fink [:sfink] from comment #4)
> If I can't get bug 711843 landed in the next few days, I'll work on a spot
> fix.

Sounds like a plan :) (Assigning this one to you)
Assignee: general → sphink
Confirming fixed by bug 743000 (http://hg.mozilla.org/mozilla-central/rev/7a601537cb88)

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   92092:7a601537cb88
user:        Tom Schuster
date:        Sat Jan 14 09:43:00 2012 -0800
summary:     Bug 711843 - Update JSAPI for typed arrays, remove uses of jstypedarray.h outside the engine [r=Waldo,bz,Ms2ger,bholley,bjacob,philikon,evilpie,bent,yourmama] [a=mfinkle thanks to gkw]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
Whiteboard: [sg:critical] js-triage-needed → [sg:critical][advisory-tracking-] js-triage-needed
Keywords: sec-critical
Whiteboard: [sg:critical][advisory-tracking-] js-triage-needed → [advisory-tracking-]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+