Bug 771027 - Assertion failure: isObject(), at ../../jsapi.h:474 or Opt Crash [@ js_IteratorMore]
Keywords: assertion, crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla17
Assigned To: Jason Orendorff [:jorendorff]
QA Contact: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz langfuzz 725907
Reported: 2012-07-04 17:21 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 13:51 PST
Flags: choller: in-testsuite+

Attachment 639693: v1 (2.44 KB, patch), 2012-07-06 08:52 PDT, Jason Orendorff [:jorendorff]; bhackett1024: review+

Description Christian Holler (:decoder) 2012-07-04 17:21:01 PDT
The following test asserts/crashes on mozilla-central revision b6aa44d8f11f (options -m -n -a):

Array.prototype.iterator = (function() { { while(0) function Uint8ClampedArray() {  } } });
assertEq(Set(["testing", "testing", 123]).size(), 2);

Opt-crash trace:

==35441== Invalid read of size 4
==35441==    at 0x80CE74F: js_IteratorMore(JSContext*, JS::Handle<JSObject*>, JS::Value*) (jsiter.cpp:1762)
==35441==    by 0xFFFFFF81: ???
==35441==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
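The testcase above replaces Array.prototype.iterator with a function that returns undefined, and the Set constructor's iteration reaches js_IteratorMore with that non-object, hence the isObject() assertion and the null read at address 0x0. The following is an added example, not the bug's testcase and not SpiderMonkey's code or the v1 patch: it models in user-space JavaScript the check that has to sit at the entry of any for-of style iteration, namely that the value returned by the iterator method is an object before anything is read from it. Modern JavaScript exposes the hook as Symbol.iterator rather than a plain .iterator method, so the override is modelled that way; getIterator, collectDistinct and the *Case functions are hypothetical names chosen for illustration, and the sample arrays are constructed inline.

```javascript
// Added example (not from the bug or SpiderMonkey): a user-space model of
// the iterator-protocol entry check. The iterator method is looked up via
// Symbol.iterator (assumption: modern equivalent of the 2012 .iterator hook).

function getIterator(iterable) {
  const method = iterable[Symbol.iterator];
  if (typeof method !== "function") {
    throw new TypeError("value is not iterable");
  }
  const iter = method.call(iterable);
  // The check the crash shows to be essential: the iterator method may be
  // user code and may return anything. Only an object may be used as an
  // iterator; otherwise fail with TypeError instead of touching its fields.
  if (iter === null || (typeof iter !== "object" && typeof iter !== "function")) {
    throw new TypeError("result of the iterator method is not an object");
  }
  return iter;
}

// Consume an iterable the way a Set constructor does: collect distinct
// values and report how many there are. Each next() result is validated
// too, since it also comes from user code.
function collectDistinct(iterable) {
  const iter = getIterator(iterable);
  const seen = new Set();
  for (;;) {
    const res = iter.next();
    if (res === null || typeof res !== "object") {
      throw new TypeError("iterator result is not an object");
    }
    if (res.done) break;
    seen.add(res.value);
  }
  return seen.size;
}

// Well-behaved input (constructed): three elements, two distinct values.
function normalCase() {
  return collectDistinct(["testing", "testing", 123]);
}

// Hostile input modelled on the testcase (constructed): the iterator method
// runs to completion without a return statement, so the call yields
// undefined. The hardened path must fail with TypeError and nothing else.
function hostileCase() {
  const arr = ["testing", "testing", 123];
  arr[Symbol.iterator] = function () {
    // no return: the call evaluates to undefined
  };
  try {
    collectDistinct(arr);
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// The same check as performed by the engine itself: new Set(iterable) in a
// current JavaScript engine throws TypeError when Symbol.iterator returns a
// non-object, which is the behaviour the unchecked 2012 path lacked.
function engineCase() {
  const arr = [1, 2];
  arr[Symbol.iterator] = () => undefined;
  try {
    new Set(arr);
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}
```

The point of the three functions is the contrast: normalCase() returns 2, exactly what the testcase's assertEq expects, while hostileCase() and engineCase() both end in a TypeError raised before any field of the bogus "iterator" is read. An engine that implements for-of or a collection constructor by calling a user-visible method and then handing the result to native iteration code (js_IteratorMore in the trace above) needs that object check on the native side, because the method is attacker-controlled script.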
Comment 1 Jesse Ruderman 2012-07-06 07:29:41 PDT
The first bad revision is:
changeset:   cb49c3730a97
user:        Jason Orendorff
date:        Tue Jul 03 16:34:56 2012 -0500
summary:     Bug 725907 - for-of improvements, part 2: Make for-of loops just call .iterator() instead of using the magic iteratorObject hook with an extra flag. r=bhackett.

The first good revision is:
changeset:   aadf6091245b
user:        Ehsan Akhgari
date:        Wed Jul 04 19:26:20 2012 -0400
summary:     Backout changeset cb49c3730a97 (bug 725907 part 2) under the suspicion of breaking Linux32 mochitest-chrome without framepointers
Comment 2 Jason Orendorff [:jorendorff] 2012-07-06 08:38:43 PDT
Reproduced. Even without -m -n -a. Taking.
Comment 3 Jason Orendorff [:jorendorff] 2012-07-06 08:52:34 PDT
Created attachment 639693: v1

Yup. Easy fix. Right on, fuzzers.
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2012-07-07 16:14:15 PDT
(In reply to Jason Orendorff [:jorendorff] from comment #3)
> Created attachment 639693: v1
> Yup. Easy fix. Right on, fuzzers.

Unfortunately, I think the patch now has a little bit of bitrot to land on mozilla-inbound.
Comment 5 Jason Orendorff [:jorendorff] 2012-07-09 09:56:47 PDT
No worries. The Map/Set iterators were backed out due to unrelated brain damage, but when I reland them, I'll land this fix along with them.
Comment 6 Ed Morley [:emorley] 2012-07-20 06:43:38 PDT
Comment 7 Christian Holler (:decoder) 2013-01-19 13:51:14 PST
Automatically extracted testcase for this bug was committed:
