Bug 881470 - Crash [@ JSRuntime::needsBarrier] or [@ js::EncapsulatedValue::runtime]
Opened 12 years ago; closed 12 years ago
Component: Core :: JavaScript Engine (defect)
Status: VERIFIED FIXED
Target Milestone: mozilla24
Branch | Tracking | Status
---|---|---
firefox21 | --- | unaffected |
firefox22 | --- | unaffected |
firefox23 | --- | unaffected |
firefox24 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
b2g18-v1.0.0 | --- | unaffected |
b2g18-v1.0.1 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
Reporter: gkw; Assigned: h4writer
Keywords: 4 (not shown); Whiteboard: [jsbugmon:update,testComment=3]
Attachments: 3 files
Description (Reporter, gkw):
s = newGlobal()
try {
evalcx("\
Object.defineProperty(this,\"x\",{ \
get: function() {\
y[15] = y;\
x \
}\
});\
y = [];\
Array(x);\
", s)
} catch (e) {}
try {
evalcx("\
y = [];\
x, {};\
", s)
} catch (e) {}
evalcx("\
Array.prototype.shift.call(y); \
", s)
crashes js debug shell on m-c changeset 9115d8b717e1 without any CLI arguments at JSRuntime::needsBarrier
Updated 12 years ago
Crash Signature: [@ JSRuntime::needsBarrier] → [@ JSRuntime::needsBarrier()]
Updated 12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1 • 12 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated 12 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2 • Reporter (gkw) • 12 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3835cbed5915
user: Nicolas B. Pierron
date: Fri May 24 14:58:08 2013 -0700
summary: Bug 774006 - IonMonkey: Implement SetElementIC for integer indexes. r=h4writer
Setting needinfo from Hannes since Nicolas is away on PTO, but feel free to forward this on.
Blocks: 774006
Flags: needinfo?(hv1989)
Updated 12 years ago (Reporter)
Group: core-security
Comment 3 • Reporter (gkw) • 12 years ago
try {
Object.defineProperty(this, "y", {
get: function() {
x[7] = x;
y
}
});
x = RegExp().exec();
y;
} catch (e) {}
try {
y
} catch (e) {};
try {
y
} catch (e) {};
x.t = 2;
y;
crashes js opt shell (no need for threadsafe nor --enable-more-deterministic) on m-c rev 291207393608 at js::EncapsulatedValue::runtime, turning s-s just in case.
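The comment 3 testcase is written for the SpiderMonkey shell and relies on its "too much recursion" exception to unwind the getter. The following is an added example, not code from the bug report or from SpiderMonkey, that models the same control flow in portable JavaScript (Node.js assumed) so the sequence the fuzzer exercises is visible: a getter that performs the element store `x[7] = x` once per re-entrant call, is unwound by a caught exception, is re-run several times, and is then run again after `x.t = 2` has changed the object's layout. The fixed recursion cap `MAX_DEPTH` and the `trace`/`runs` instrumentation are assumptions made here for determinism; this example does not reproduce the crash, which depends on the JIT state of the affected revision.

```javascript
// Added example (not from bug 881470 or SpiderMonkey): a deterministic,
// instrumented model of the comment 3 testcase's control flow.
// Assumption: a fixed depth replaces the engine's "too much recursion" error.
const MAX_DEPTH = 64;

function runReentrantGetterCase() {
  const trace = [];   // one entry per execution of the store site x[7] = x
  const runs = [];    // one summary per top-level read of y
  let depth = 0;
  let x = null;
  const scope = {};   // stands in for the testcase's global object

  Object.defineProperty(scope, "y", {
    get() {
      // Same store site as the testcase, executed once per recursion level,
      // with the object layout it observes recorded alongside.
      x[7] = x;
      trace.push({ depth, layout: Object.keys(x).join(",") });
      if (++depth > MAX_DEPTH) {
        depth = 0;
        throw new RangeError("too much recursion (simulated)");
      }
      return scope.y;   // re-enter the getter, as the bare `y` does
    },
  });

  // RegExp().exec() with no argument matches the empty regexp against the
  // string "undefined": the result is an array carrying extra named
  // properties (index, input), i.e. not a plain dense array.
  x = RegExp().exec();

  function runOnce(label) {
    const before = trace.length;
    try {
      scope.y;
    } catch (e) {
      if (!(e instanceof RangeError)) throw e;   // only the simulated unwind is expected
    }
    runs.push({
      label,
      stores: trace.length - before,
      layout: trace[trace.length - 1].layout,
    });
  }

  runOnce("first");
  runOnce("second");
  runOnce("third");
  x.t = 2;                       // add a named property between runs, as the testcase does
  runOnce("after-layout-change");

  return { x, trace, runs };
}

module.exports = { MAX_DEPTH, runReentrantGetterCase };
```

Each run executes the store site MAX_DEPTH + 1 times before the exception unwinds it, and the last run sees a different key layout at the same store site than the first three did; that is the situation the testcase puts in front of the engine's element-store path.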
Comment 4 • Reporter (gkw) • 12 years ago
The testcase in comment 3 also points to bug 774006.
Crash Signature: [@ JSRuntime::needsBarrier()] → [@ JSRuntime::needsBarrier()] [@ js::EncapsulatedValue::runtime]
status-b2g18: --- → unaffected
status-b2g18-v1.0.0: --- → unaffected
status-b2g18-v1.0.1: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → unaffected
status-firefox23: --- → unaffected
status-firefox24: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox24: --- → ?
Summary: Crash [@ JSRuntime::needsBarrier] → Crash [@ JSRuntime::needsBarrier] or [@ js::EncapsulatedValue::runtime]
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=3]
Comment 5 • Assignee (h4writer) • 12 years ago
I cannot reproduce this bug locally. Neither testcase on the tested revision, 64bit/32bit/safebuild/enable-deterministic, with or without ion-eager.
So this is actually just a guess. Could you test if this solves the problem?
Attachment #761382 - Flags: feedback?(gary)
Flags: needinfo?(hv1989)
Comment 7 • Reporter (gkw) • 12 years ago
Comment on attachment 761382 [details] [diff] [review]
Possible patch?
(In reply to Hannes Verschore [:h4writer] from comment #5)
> Created attachment 761382 [details] [diff] [review]
> Possible patch?
>
> I cannot reproduce this bug locally. Either testcases on the tested revision
> 64bit/32bit/safebuild/enable-deterministic w/wo ion-eager.
>
> So this is actually just a guess. Could you test if this solves the problem?
I tested this on Mac 10.8.4, and yes, this patch does fix the issue on rev b51316b2af6c.
Attachment #761382 - Flags: feedback?(gary) → feedback+
Updated 12 years ago (Assignee)
Attachment #761382 - Flags: review?(jdemooij)
Comment 8 • 12 years ago
Comment on attachment 761382 [details] [diff] [review]
Possible patch?
Review of attachment 761382 [details] [diff] [review]:
-----------------------------------------------------------------
Good catch.
Attachment #761382 - Flags: review?(jdemooij) → review+
Updated 12 years ago (Reporter)
Assignee: general → hv1989
Status: NEW → ASSIGNED
Comment 9 • Reporter (gkw) • 12 years ago
I'm restarting a round of fuzzing after whole-day breakage, so I've landed this too (since this fixes bug 879096 as well):
https://hg.mozilla.org/integration/mozilla-inbound/rev/5efe6470e752
I'll drop a note to Hannes.
Comment 10 • 12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Updated 12 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ JSRuntime::needsBarrier()] [@ js::EncapsulatedValue::runtime] → [@ JSRuntime::needsBarrier()] [@ js::EncapsulatedValue::runtime]
Comment 11 • 12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated 11 years ago
Group: core-security (removed)