Closed Bug 853573 Opened 8 years ago Closed 8 years ago

Assertion failure: !cx->compartment->activeAnalysis, at jsinterp.cpp:354

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: nmatsakis)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,testComment=1][adv-main22-])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 1d6fe70c79c5 (no options required):

// Proxy with a no-op `has` trap (it returns undefined for every lookup).
var p = Proxy.create({
  has : function(id) {}
});
// Splice the proxy into the root of every object's prototype chain.
Object.prototype.__proto__ = p;
var pa0 = new ParallelArray(range(0, 256));
var pa1 = new ParallelArray(256, function (x) {
  return pa0.map(function(y) {});
});
// Helper: builds the array [n, n+1, ..., m-1].
function range(n, m) {
  var result = [];
  for (var i = n; i < m; i++)
    result.push(i);
  return result;
}
Whiteboard: [jsbugmon:update,bisect]
I reduced the test case to this:

var p = Proxy.create({
  has : function(id) {}
});
Object.prototype.__proto__ = p;

var pa1 = new ParallelArray(4, function(x) {
  return new ParallelArray(4, function() 0);
});
When we create a (self-hosted) ParallelArray object, we always define the same four properties. We expect these properties to always be "own" properties, and there are offsets baked into TI so that they are treated as definite properties. The assertion failure that we see here was due to the fact that these offsets were not matching what we expected. This is because we were using JSObject::setProperty() to create the properties, which is vulnerable to proxies and other strange behavior based on modifications to Object.prototype. This patch switches us to use JSObject::defineProperty() which I believe should avoid the issue.
Attachment #728891 - Flags: review?(tschneidereit)
Assignee: general → nmatsakis
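As an added example (not from this bug or the SpiderMonkey source), the following shows the failure mode described in the comment above in plain ES2015: assignment ([[Set]], the setProperty path) can be intercepted by a Proxy in the prototype chain and silently fail to create an own property, whereas Object.defineProperty always creates one. Because modern engines forbid changing Object.prototype's own prototype, the proxy is placed directly in the object's prototype chain instead, and the property names are illustrative placeholders rather than ParallelArray's real slots.

```javascript
// Added example, not engine code: why initialising an object with assignment
// cannot guarantee own properties when the prototype chain is hostile, while
// Object.defineProperty can.

// Illustrative placeholders for the properties the engine treats as "definite";
// these are not the real ParallelArray slot names.
const DEFINITE_PROPS = { buffer: [], offset: 0, shape: [4], length: 4 };

// A hostile prototype: a Proxy whose `set` trap reports success but stores
// nothing, and whose `has` trap claims every property exists (mirroring the
// fuzzer's `has` handler on a Proxy spliced into the prototype chain).
function makeHostileProto() {
  return new Proxy({}, {
    has() { return true; },
    set() { return true; }, // silently swallows the write
  });
}

// setProperty-style initialisation: plain assignment walks the prototype
// chain, so a proxy or setter above the object can intercept it.
function initWithAssignment(proto) {
  const obj = Object.create(proto);
  for (const name of Object.keys(DEFINITE_PROPS)) {
    obj[name] = DEFINITE_PROPS[name];
  }
  return obj;
}

// defineProperty-style initialisation: [[DefineOwnProperty]] acts on the
// object itself and never consults the prototype chain.
function initWithDefineProperty(proto) {
  const obj = Object.create(proto);
  for (const name of Object.keys(DEFINITE_PROPS)) {
    Object.defineProperty(obj, name, {
      value: DEFINITE_PROPS[name], writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// The invariant the engine relied on: every expected property is an own property.
function hasAllOwnProps(obj) {
  return Object.keys(DEFINITE_PROPS).every((n) => Object.prototype.hasOwnProperty.call(obj, n));
}

console.log("assignment, clean proto:", hasAllOwnProps(initWithAssignment(Object.prototype)));
console.log("assignment, hostile proto:", hasAllOwnProps(initWithAssignment(makeHostileProto())));
console.log("defineProperty, hostile proto:", hasAllOwnProps(initWithDefineProperty(makeHostileProto())));
```

With a clean prototype chain both paths yield own properties; with the hostile proxy only the defineProperty path does, which is exactly the guarantee the TI-baked offsets depend on.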
Comment on attachment 728891 [details] [diff] [review]
Use defineProperty and not setProperty

Review of attachment 728891 [details] [diff] [review]:
-----------------------------------------------------------------

Definitely, using defineProperty is required for correctness here.
Attachment #728891 - Flags: review?(tschneidereit) → review+
Marking s-s because this bug is actually a security problem. A very similar test with the same assertion tripped an ASan error on the fuzzer.
Group: core-security
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8d09f003e087).
This landed on m-c:

http://hg.mozilla.org/mozilla-central/rev/f7138044b0cf

What branches (if any) are affected by this?
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:update,bisect,testComment=1]
Whiteboard: [jsbugmon:update,bisect,testComment=1] → [jsbugmon:update,testComment=1]
No branches are affected.
Flags: in-testsuite?
Target Milestone: --- → mozilla22
Whiteboard: [jsbugmon:update,testComment=1] → [jsbugmon:update,testComment=1][adv-main22-]
Group: core-security