Closed Bug 945241 Opened 6 years ago Closed 6 years ago

Crash [@ visitReferences<js::MemoryTracingVisitor>] with TypedObject

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla29
Tracking Status
firefox26 --- unaffected
firefox27 --- unaffected
firefox28 --- disabled
firefox29 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- disabled

People

(Reporter: decoder, Assigned: nmatsakis)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-low, testcase, Whiteboard: [jsbugmon:update,testComment=9])

Crash Data

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 84a5a5800bd3 (run with --fuzzing-safe):

var Object = TypedObject.Object;
var handle0 = Object.handle();

This looks like a null-deref but the crash involves GC frames, so marking s-s.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
Attached file regression window
Due to build breakage, the regression window is quite large.
Bug 898359 might be likely, though:

changeset:   http://hg.mozilla.org/mozilla-central/rev/5b797c0177d3
user:        Nicholas D. Matsakis
date:        Sun Sep 22 20:18:31 2013 -0400
summary:     Bug 898359 - Implement reference types in typed objects r=sfink

Nicholas, is bug 898359 a likely regressor?
Blocks: 898359
Flags: needinfo?(nmatsakis)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Bug 898359 might be likely, though:
> 
> changeset:   http://hg.mozilla.org/mozilla-central/rev/5b797c0177d3
> user:        Nicholas D. Matsakis
> date:        Sun Sep 22 20:18:31 2013 -0400
> summary:     Bug 898359 - Implement reference types in typed objects r=sfink
> 
> Nicholas, is bug 898359 a likely regressor?

Yes.
Assignee: general → nmatsakis
Flags: needinfo?(nmatsakis)
Note that this only reproduces for me if I add an explicit gc() call at the end.
Attached file stack
The following testcase crashes on mozilla-central revision 84a5a5800bd3 (run with --fuzzing-safe):

var Object = TypedObject.Object;
var handle0 = Object.handle();
gc();
Whiteboard: [jsbugmon:update] → [jsbugmon:update,testComment=9]
I'll take a look -- presumably an easy fix relating to unattached handles.
Setting to sec-low because this looks like a null deref.  If it is something worse, please upgrade or clear the sec- rating.
Keywords: sec-low
Attached patch Bug945241.diff
Attachment #8347169 - Flags: review?(sphink)
Comment on attachment 8347169 [details] [diff] [review]
Bug945241.diff

Review of attachment 8347169 [details] [diff] [review]:
-----------------------------------------------------------------

That's the patch I used locally to stop it from crashing, but I wasn't sure if there was anything funky going on that would mean that a NULL mem was bad for some reason. That's why I left it for you. It makes sense that unattached Handles are a thing, though.
Attachment #8347169 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/7450803f061c
https://hg.mozilla.org/mozilla-central/rev/f542c81e7e31
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security