Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"

VERIFIED FIXED in Firefox 17

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: shu)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
mozilla17
x86_64
Mac OS X
assertion, csectype-nullptr, regression, sec-other, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox14 unaffected, firefox15 unaffected, firefox16 unaffected, firefox17 verified, firefox-esr10 unaffected)

Details

(Whiteboard: [fuzzblocker], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 653223 [details]
stack

print(ParallelArray());

asserts js debug shell on m-c changeset 35b8d6ef5d46 without any CLI arguments at Assertion failure: isObject(),

This is blowing up the fuzzers so setting [fuzzblocker].

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102665:ea2ad8970f3e
user:        Shu-yu Guo
date:        Fri Aug 17 10:38:59 2012 -0700
summary:     Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
(Reporter)

Updated

5 years ago
Group: core-security
(Reporter)

Comment 1

5 years ago
Locking s-s because the possibly-related bug 783924 is s-s. The crash in this bug seems to be a null crash though.

(setting csec-dos because of null crash)
Crash Signature: [@ js::ParallelArrayObject::toStringBufferImpl]
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
Keywords: csec-dos, sec-critical
Summary: "Assertion failure: isObject()," → Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"
(Reporter)

Comment 2

5 years ago
Created attachment 653228 [details]
stack from opt crash
(Assignee)

Comment 3

5 years ago
Created attachment 653229 [details] [diff] [review]
fix and testcase
(Assignee)

Updated

5 years ago
Attachment #653229 - Flags: review?
(Assignee)

Updated

5 years ago
Attachment #653229 - Flags: review? → review?(dmandelin)
Attachment #653229 - Flags: review?(dmandelin) → review+
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d194a7d36e65
https://hg.mozilla.org/mozilla-central/rev/d194a7d36e65
Assignee: general → shu
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox17: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
status-firefox17: fixed → verified
Blocks: 783924
Group: core-security
Keywords: csec-dos, sec-critical → csec-nullptr, sec-other
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+