Bug 945241 - Crash [@ visitReferences<js::MemoryTracingVisitor>] with TypedObject
Opened 11 years ago
Closed 11 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla29
Branch | Tracking | Status
---|---|---
firefox26 | --- | unaffected
firefox27 | --- | unaffected
firefox28 | --- | disabled
firefox29 | --- | fixed
firefox-esr17 | --- | unaffected
firefox-esr24 | --- | unaffected
b2g18 | --- | unaffected
b2g-v1.1hd | --- | unaffected
b2g-v1.2 | --- | unaffected
b2g-v1.3 | --- | disabled
People: Reporter: decoder, Assigned: nmatsakis
Keywords: crash, sec-low, testcase
Whiteboard: [jsbugmon:update,testComment=9]
Attachments: 4 files
The following testcase crashes on mozilla-central revision 84a5a5800bd3 (run with --fuzzing-safe):

```js
var Object = TypedObject.Object;
var handle0 = Object.handle();
```

Comment 1•11 years ago (Reporter)
Comment 2•11 years ago (Reporter)
This looks like a null-deref but the crash involves GC frames, so marking s-s.
Whiteboard: [jsbugmon:update,bisect]
Updated•11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3•11 years ago (Reporter)
JSBugMon: Bisection requested, failed due to error (try manually).
Updated•11 years ago
status-b2g18: --- → unaffected
status-firefox26: --- → unaffected
status-firefox27: --- → unaffected
status-firefox28: --- → unaffected
status-firefox29: --- → affected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Comment 4•11 years ago
Due to build breakage, the regression window is quite large.
Comment 5•11 years ago
Bug 898359 might be likely, though:

changeset: http://hg.mozilla.org/mozilla-central/rev/5b797c0177d3
user: Nicholas D. Matsakis
date: Sun Sep 22 20:18:31 2013 -0400
summary: Bug 898359 - Implement reference types in typed objects r=sfink

Nicholas, is bug 898359 a likely regressor?
Blocks: 898359
Flags: needinfo?(nmatsakis)
Comment 6•11 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Bug 898359 might be likely, though:
>
> changeset: http://hg.mozilla.org/mozilla-central/rev/5b797c0177d3
> user: Nicholas D. Matsakis
> date: Sun Sep 22 20:18:31 2013 -0400
> summary: Bug 898359 - Implement reference types in typed objects r=sfink
>
> Nicholas, is bug 898359 a likely regressor?

Yes.
Assignee: general → nmatsakis
Flags: needinfo?(nmatsakis)
Comment 7•11 years ago
Note that this only reproduces for me if I add an explicit gc() call at the end.
Comment 8•11 years ago

Comment 9•11 years ago (Reporter)
The following testcase crashes on mozilla-central revision 84a5a5800bd3 (run with --fuzzing-safe):

```js
var Object = TypedObject.Object;
var handle0 = Object.handle();
gc();
```
Whiteboard: [jsbugmon:update] → [jsbugmon:update,testComment=9]
Comment 10•11 years ago (Assignee)
I'll take a look -- presumably an easy fix relating to unattached handles.
Comment 11•11 years ago
Setting to sec-low because this looks like a null deref. If it is something worse, please upgrade or clear the sec- rating.
Keywords: sec-low
Comment 12•11 years ago (Assignee)

Attachment #8347169 - Flags: review?(sphink)
Comment 13•11 years ago
Comment on attachment 8347169 [details] [diff] [review]
Bug945241.diff

Review of attachment 8347169 [details] [diff] [review]:
-----------------------------------------------------------------

That's the patch I used locally to stop it from crashing, but I wasn't sure if there was anything funky going on that would mean a NULL mem was bad for some reason. That's why I left it for you. It makes sense that unattached Handles are a thing, though.

Attachment #8347169 - Flags: review?(sphink) → review+
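Added illustration of the failure mode discussed in comments 7, 10 and 13 (it is not SpiderMonkey code and not the attached patch; all names such as Handle, TypeDescr, trace_handle and gc_trace are hypothetical). A handle created by Object.handle() with no arguments has a type descriptor but no storage (mem is NULL) until it is attached. Nothing touches that storage at creation time, which is why the testcase only crashes once gc() forces the tracer to visit every live handle and walk its reference-typed fields through the null pointer. The tracer below treats an unattached handle as having no references to visit, which is the shape of fix comment 13 describes:

```c
/* Added example, not SpiderMonkey code: a minimal model of typed-object
 * handles and a GC reference-tracing pass over them. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct Object { int tag; } Object;

/* Type descriptor: byte offsets of the reference-typed fields in storage. */
typedef struct {
    size_t nrefs;
    const size_t *offsets;
} TypeDescr;

/* A handle is (type, mem). Object.handle() with no arguments yields an
 * unattached handle: type is set, mem stays NULL until attach() is called. */
typedef struct {
    const TypeDescr *type;
    uint8_t *mem;
} Handle;

typedef struct { size_t visited; size_t skipped; } TracingVisitor;

/* Hardened visitReferences: an unattached handle owns no storage, so there
 * are no reference slots to trace. Without the NULL check the loop computes
 * NULL + offset and reads through it, which is the crash in this bug. */
static void trace_handle(const Handle *h, TracingVisitor *v) {
    if (h->mem == NULL) { v->skipped++; return; }
    for (size_t i = 0; i < h->type->nrefs; i++) {
        Object *const *slot = (Object *const *)(h->mem + h->type->offsets[i]);
        if (*slot != NULL) v->visited++;
    }
}

/* gc(): trace every live handle. Returns the number of references found. */
static size_t gc_trace(const Handle *const *roots, size_t n, TracingVisitor *v) {
    memset(v, 0, sizeof *v);
    for (size_t i = 0; i < n; i++) trace_handle(roots[i], v);
    return v->visited;
}

/* Handle.attach(): point the handle at real storage. */
static void handle_attach(Handle *h, uint8_t *mem) { h->mem = mem; }

/* The testcase scenario: one unattached handle (as in the bug) plus, for
 * contrast, one attached handle whose storage holds two references and a
 * null. Constructed sample data; returns the visited count and fills *v. */
static size_t run_testcase(TracingVisitor *v) {
    static const size_t offsets[3] = { 0, sizeof(Object *), 2 * sizeof(Object *) };
    static const TypeDescr descr = { 3, offsets };
    static Object a = { 1 }, b = { 2 };
    static Object *storage[3];
    storage[0] = &a; storage[1] = NULL; storage[2] = &b;

    Handle unattached = { &descr, NULL };          /* var handle0 = Object.handle(); */
    Handle attached   = { &descr, NULL };
    handle_attach(&attached, (uint8_t *)storage);

    const Handle *roots[2] = { &unattached, &attached };
    return gc_trace(roots, 2, v);                  /* gc(); */
}

int main(void) {
    TracingVisitor v;
    size_t n = run_testcase(&v);
    printf("references traced: %zu, unattached handles skipped: %zu\n", n, v.skipped);
    return 0;
}
```

The general lesson is that any heap object which can exist in a partially initialised state needs its tracer to tolerate that state, because the collector will visit it whether or not the script has finished setting it up.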
Comment 14•11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/7450803f061c but I forgot the test case.
Comment 15•11 years ago (Assignee)
Try run (SM only, with test): https://tbpl.mozilla.org/?tree=Try&rev=d14c7c723941
Comment 16•11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/f542c81e7e31
Comment 17•11 years ago
https://hg.mozilla.org/mozilla-central/rev/7450803f061c
https://hg.mozilla.org/mozilla-central/rev/f542c81e7e31
Status: NEW → RESOLVED
Closed: 11 years ago
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → affected
status-firefox29: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Updated•11 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 18•11 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
Group: core-security