Bug 829813 - Crash [@ js::Shape::attributes] or [@ js::baseops::GetAttributes]
Status: Closed, RESOLVED FIXED (target milestone mozilla21)
Opened 12 years ago; closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Tracking:
Branch | Tracking | Status
---|---|---
firefox18 | --- | unaffected
firefox19 | --- | unaffected
firefox20 | --- | unaffected
firefox21 | + | fixed
firefox-esr10 | --- | unaffected
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter: gkw; Assigned: bhackett1024
Details: 4 keywords; Whiteboard: [jsbugmon:update]
Attachments (3 files):
- 9.25 KB, text/plain
- 6.00 KB, patch (billm: review+)
- 18.83 KB, patch (billm: review+)
Description (Reporter, 12 years ago):

```js
for (x in [0]) {
  (function() {
    return Object.propertyIsEnumerable
  })().call([0], x)
}
```

crashes the js debug shell on m-c changeset 44dcffe8792b without any CLI arguments at js::Shape::attributes.
Seems like an obvious null-deref, but I'll leave it to the devs to open this up.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 118493:f4671ccc4502
user: Brian Hackett
date: Thu Jan 10 17:53:11 2013 -0700
summary: Bug 827490 - Allow native objects to have both slots and dense elements, rm dense/slow array distinction, r=billm, dvander.
Comment 1 (Reporter, 12 years ago):
Related to bug 829795?
Flags: needinfo?(bhackett1024)
OS: Mac OS X → All
Comment 2 (Assignee, 12 years ago):
NULL deref, not s-s.
Group: core-security
Flags: needinfo?(bhackett1024)
Updated 12 years ago:
Crash Signature: [@ js::Shape::attributes] [@ js::baseops::GetAttributes] → [@ js::Shape::attributes] [@ js::baseops::GetAttributes] [@ js::baseops::GetAttributes(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int*)] [@ js::baseops::GetAttributes(JSContext*, JS::Handle<JSObject*>, JS::Handle<int> unsigned int*)]
tracking-firefox21: --- → ?
Keywords: topcrash
Comment 4 (Assignee, 12 years ago):
This was caused by missing checks for element properties; the attached patch also fixes several similar bugs. Also, I forgot to fix IsImplicitProperty per your comments in bug 827490, do you still want that? (I'm neutral about this, it seems kind of weird to have two different methods to mark properties found which don't have shapes, but could still help code clarity.)
Attachment #701570 - Flags: review?(wmccloskey)
Comment on attachment 701570 (patch):
Yes, please do fix the IsImplicitProperty thing. Also, it would be nice if you could assert in these functions that the object is native or non-native, so that we always call the right one.
Also, please add a helper function GetShapeAttributes or something that would work for indexed properties. Then all the calls where you do this:
IsImplicitProperty(prop) ? JSPROP_ENUMERATE : prop->attributes()
could be replaced by the helper function.
Attachment #701570 - Flags: review?(wmccloskey) → review+
Comment 8 (Assignee, 12 years ago):
I hate to be such a stickler, but you forgot to fix the one in jsiter.cpp.
Comment 10 (Assignee, 12 years ago):
Cleanup IsImplicitProperty. I wasn't able to assert isNative vs. !isNative on the affected objects as they aren't passed to the implicit property functions, and adding more arguments to the functions just junks up the source while not actually helping anything (the wrong object can be passed in).
Attachment #701964 - Flags: review?(wmccloskey)
Comment on attachment 701964 (cleanup):
Thanks. I was thinking that IsImplicitDenseElement could assert that, if the shape isn't 0x1, then it must be native.
Attachment #701964 - Flags: review?(wmccloskey) → review+
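A simplified model of the pattern the two reviews above ask for (added here as an illustration; it is not SpiderMonkey's source): dense elements carry no Shape and are marked by a sentinel pointer (0x1, as the cleanup review mentions), so a helper along the lines of the suggested GetShapeAttributes must test IsImplicitDenseElement before dereferencing and can assert that anything else belongs to a native object. The Object type with isNative(), the attribute constants and the sample data are assumptions.

```cpp
#include <cassert>
#include <cstdio>

// Assumed attribute bits; only the names match SpiderMonkey.
enum : unsigned { JSPROP_ENUMERATE = 0x01, JSPROP_READONLY = 0x02 };

struct Shape {
    unsigned attrs;
    unsigned attributes() const { return attrs; }  // the deref in the crash signature
};

struct Object {  // assumed stand-in for the real object type
    bool native;
    bool isNative() const { return native; }
};

// Sentinel marking an implicit dense element (0x1 as in the cleanup review).
static const Shape* const IMPLICIT_DENSE_ELEMENT = reinterpret_cast<const Shape*>(0x1);

static bool IsImplicitDenseElement(const Shape* shape) {
    return shape == IMPLICIT_DENSE_ELEMENT;
}

// The buggy shape of the call sites: the lookup result is dereferenced
// unconditionally. Passing the sentinel here is the reported crash, so
// this function is never called with it below.
unsigned GetAttributesBeforeFix(const Shape* prop) {
    return prop->attributes();
}

// Helper in the spirit of GetShapeAttributes: implicit dense elements are
// plain enumerable data properties with no Shape to consult; any other
// result must be a real Shape on a native object.
static unsigned GetShapeAttributes(const Object* obj, const Shape* prop) {
    if (IsImplicitDenseElement(prop))
        return JSPROP_ENUMERATE;
    assert(obj->isNative());  // non-sentinel result implies a native object
    return prop->attributes();
}

// Constructed sample data.
static const Object kNativeArray{true};
static const Shape kReadonlyShape{JSPROP_READONLY};

int main() {
    std::printf("shape attrs: 0x%x\n", GetShapeAttributes(&kNativeArray, &kReadonlyShape));
    std::printf("dense element attrs: 0x%x\n", GetShapeAttributes(&kNativeArray, IMPLICIT_DENSE_ELEMENT));
    return 0;
}
```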
Updated (Reporter) 12 years ago:
Keywords: checkin-needed
Comment 12 (Assignee, 12 years ago):
Updated (Reporter) 12 years ago:
Keywords: checkin-needed
Updated (Reporter) 12 years ago:
Assignee: general → bhackett1024
Status: NEW → ASSIGNED
Comment 13 (12 years ago):
https://hg.mozilla.org/mozilla-central/rev/7f0cc623ea14
https://hg.mozilla.org/mozilla-central/rev/4ec09b923083
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment 14 (12 years ago):
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+