Closed Bug 931008 Opened 11 years ago Closed 11 years ago

Assertion failure: table, at dist/include/js/HashTable.h:1353 or Crash [@ Range]

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla28

Tracking Flags:

Tracking

Status

firefox25

---

unaffected

firefox26

---

unaffected

firefox27

---

affected

firefox28

---

verified

firefox-esr17

---

unaffected

firefox-esr24

---

unaffected

b2g18

---

unaffected

b2g-v1.1hd

---

unaffected

b2g-v1.2

---

unaffected

People

(Reporter: decoder, Assigned: sfink)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files, 1 obsolete file)

[crash-signature] Machine-readable crash signature 11 years ago Christian Holler (:decoder) 1.07 KB, text/plain		Details
[crash-signature] Machine-readable crash signature 11 years ago Christian Holler (:decoder) 1.01 KB, text/plain		Details
Initialize memory field before using it 11 years ago Steve Fink [:sfink] [:s:] 1.26 KB, patch	jorendorff : review+	Details \| Diff \| Splinter Review

Christian Holler (:decoder)

Reporter

Description

•

11 years ago

The following testcase asserts on mozilla-central revision 5a9ac6fed6ff (run with --fuzzing-safe): gczeal(9, 2) serialize(Boolean, Boolean.prototype.valueOf());

Christian Holler (:decoder)

Reporter

Comment 1

•

11 years ago

Attached file [crash-signature] Machine-readable crash signature (obsolete) — Details

Christian Holler (:decoder)

Reporter

Comment 2

•

11 years ago

Attached file [crash-signature] Machine-readable crash signature — Details

Attachment #822315 - Attachment is obsolete: true

Christian Holler (:decoder)

Reporter

Updated

•

11 years ago

Crash Signature: [@ Range]

Keywords: crash

Whiteboard: [jsbugmon:update,bisect]

Christian Holler (:decoder)

Reporter

Updated

•

11 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Christian Holler (:decoder)

Reporter

Comment 3

•

11 years ago

JSBugMon: Bisection requested, failed due to error (try manually).

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Comment 4

•

11 years ago

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/7cc3e16e4af1 user: Steve Fink date: Tue Oct 15 23:47:26 2013 -0700 summary: Bug 861925 - Add an optional parameter to the shell serialize() function for specifying Transferables, r=jorendorff Steve, is bug 861925 a likely regressor?

Blocks: 861925

status-b2g18: --- → unaffected

status-b2g-v1.1hd: --- → unaffected

status-b2g-v1.2: --- → unaffected

status-firefox25: --- → unaffected

status-firefox26: --- → unaffected

status-firefox27: --- → affected

status-firefox28: --- → affected

status-firefox-esr17: --- → unaffected

status-firefox-esr24: --- → unaffected

Flags: needinfo?(sphink)

Keywords: regression

Steve Fink [:sfink] [:s:]

Assignee

Comment 5

•

11 years ago

(In reply to Gary Kwong [:gkw] [:nth10sd] (yes, still catching up on bugmail) from comment #4) > Steve, is bug 861925 a likely regressor? Yes, definitely. Looks like an error handling problem.

Flags: needinfo?(sphink)

Steve Fink [:sfink] [:s:]

Assignee

Updated

•

11 years ago

QA Contact: general → sphink

Steve Fink [:sfink] [:s:]

Assignee

Comment 6

•

11 years ago

Attached patch Initialize memory field before using it — Details — Splinter Review

The problem is that if the transferable array is an invalid type (not an array), then we report an error. But JSStructuredCloneWriter doesn't initialize an AutoObjectUnsigned32HashMap member early enough, so it dies when it tries to trace it.

Attachment #831696 - Flags: review?(jorendorff)

Steve Fink [:sfink] [:s:]

Assignee

Updated

•

11 years ago

Assignee: general → sphink

Status: NEW → ASSIGNED

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Updated

•

11 years ago

QA Contact: sphink

Jason Orendorff [:jorendorff]

Comment 7

•

11 years ago

Comment on attachment 831696 [details] [diff] [review] Initialize memory field before using it Review of attachment 831696 [details] [diff] [review]: ----------------------------------------------------------------- Subtle. :-\

Attachment #831696 - Flags: review?(jorendorff) → review+

Steve Fink [:sfink] [:s:]

Assignee

Comment 8

•

11 years ago

http://hg.mozilla.org/integration/mozilla-inbound/rev/9e7c32fc496a

Carsten Book [:Tomcat]

Comment 9

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/9e7c32fc496a

Status: ASSIGNED → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla28

Ekanan Ketunuti

Updated

•

11 years ago

status-firefox28: affected → fixed

Ioana (away)

Updated

•

11 years ago

Keywords: verifyme

Ioana (away)

Comment 11

•

11 years ago

Tested this with Firefox JS shells on Ubuntu 12.10 x86_x64: 01/31 nightly - Assertion failure: table, at ../../dist/include/js/HashTable.h:1353 Segmentation fault (core dumped) 02/04 beta and 02/05 nightly - TypeError: invalid transferable array for structured clone. Could this error be hiding a still reproducible assertion failure?

Flags: needinfo?(sphink)

Keywords: verifyme

Steve Fink [:sfink] [:s:]

Assignee

Comment 12

•

11 years ago

(In reply to Ioana Budnar, QA [:ioana] from comment #11) > Tested this with Firefox JS shells on Ubuntu 12.10 x86_x64: > > 01/31 nightly - Assertion failure: table, at > ../../dist/include/js/HashTable.h:1353 > Segmentation fault (core dumped) > > 02/04 beta and 02/05 nightly - TypeError: invalid transferable array for > structured clone. Could this error be hiding a still reproducible assertion > failure? No. The error is the correct behavior. The crash resulted from mishandling the error. If the error is making it all the way out to the user now, the problem is fixed. Thanks for checking!

Flags: needinfo?(sphink)

Ioana (away)

Updated

•

11 years ago

Status: RESOLVED → VERIFIED

status-firefox28: fixed → verified

You need to log in before you can comment on or make changes to this bug.