Closed Bug 783923 Opened 12 years ago Closed 12 years ago

Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla17
Tracking Flags:
Tracking Status
firefox14 --- unaffected
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 --- verified
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: shu)

References

Details

(5 keywords, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(3 files)

stack
7.63 KB, text/plain
Details
stack from opt crash
6.92 KB, text/plain
Details
fix and testcase
3.74 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review
Attached file stack 
print(ParallelArray());

asserts js debug shell on m-c changeset 35b8d6ef5d46 without any CLI arguments at Assertion failure: isObject(),

This is blowing up the fuzzers so setting [fuzzblocker].

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102665:ea2ad8970f3e
user:        Shu-yu Guo
date:        Fri Aug 17 10:38:59 2012 -0700
summary:     Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
Group: core-security
Locking s-s because the possibly-related bug 783924 is s-s. The crash in this bug seems to be a null crash though.

(setting csec-dos because of null crash)
Crash Signature: [@ js::ParallelArrayObject::toStringBufferImpl]
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
Keywords: csec-dos, sec-critical
Summary: "Assertion failure: isObject()," → Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"
Attached patch fix and testcaseSplinter Review 

    
  

        Attachment #653229 -
        Flags: review?

    
  

        Attachment #653229 -
        Flags: review? → review?(dmandelin)

        Attachment #653229 -
        Flags: review?(dmandelin) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/d194a7d36e65
Assignee: general → shu
Status: NEW → RESOLVED
Closed: 12 years ago

          status-firefox17:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Status: RESOLVED → VERIFIED

    
    

    
  
JSBugMon: This bug has been automatically verified fixed.
Blocks: 783924
Group: core-security
Keywords: csec-dos, 
          
            sec-criticalcsec-nullptr, 
          
            sec-other

    
    

    
  
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: