Crash [@ js::ObjectImpl::getOps] or [@ js::EncapsulatedPtr]

VERIFIED FIXED

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 4 years ago
Updated: 3 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
x86_64
Mac OS X
assertion, crash, regression, sec-high, testcase
Points:
---

Firefox Tracking Flags

(firefox23 unaffected, firefox24+ verified, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [jsbugmon:], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
Created attachment 757739 [details]
debug and opt stacks

x = []
try {
    Object.defineProperty(this, "z", {
        get: function() {
            x[6] = x;
            return new Array
        }
    });
    x = z
    for (var n = 0; n < 1000; n++) {
        z[7] = 1
    }
    x()
} catch (e) {}

crashes js debug shell on m-c changeset 57d30169ddd4 with --baseline-eager at js::EncapsulatedPtr and crashes js opt shell at js::ObjectImpl::getOps

The "1000" value is essential to trigger the bug.

Locking s-s just-in-case even though this requires --enable-more-deterministic - feel free to open up in case otherwise.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132941:3835cbed5915
user:        Nicolas B. Pierron
date:        Fri May 24 14:58:08 2013 -0700
summary:     Bug 774006 - IonMonkey: Implement SetElementIC for integer indexes. r=h4writer
(Reporter)

Updated

4 years ago
Flags: needinfo?(nicolas.b.pierron)
status-firefox23: --- → unaffected
status-firefox24: --- → affected
status-firefox-esr17: --- → affected
Crash Signature: [@ js::ObjectImpl::getOps] [@ js::EncapsulatedPtr] → [@ js::ObjectImpl::getOps] [@ js::EncapsulatedPtr]
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(Reporter)

Comment 2

4 years ago
I can still reproduce with m-c rev 9115d8b717e1, on a --enable-more-deterministic shell with --baseline-eager.
Crash Signature: [@ js::ObjectImpl::getOps] [@ js::EncapsulatedPtr] → [@ js::ObjectImpl::getOps] [@ js::EncapsulatedPtr]
Guessing this is sec-high...
Keywords: sec-high
(Reporter)

Comment 4

4 years ago
I have also checked that the patch in bug 881470 comment 5 also fixes this issue.
Flags: needinfo?(nicolas.b.pierron)
(Reporter)

Updated

4 years ago
status-firefox-esr17: affected → unaffected
tracking-firefox24: --- → ?

Updated

4 years ago
tracking-firefox24: ? → +
(Reporter)

Comment 5

4 years ago
This is likely fixed by the patch in bug 881470.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
No longer seeing crashes at those signatures.
Status: RESOLVED → VERIFIED
status-firefox24: affected → verified
status-b2g18: --- → unaffected
Group: core-security