Closed Bug 948423 Opened 10 years ago Closed 10 years ago

Assertion failure: mutationCount == p.mutationCount, at dist/include/js/HashTable.h:1459

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla29
Tracking Status
firefox27 --- disabled
firefox28 --- disabled
firefox29 --- fixed
firefox-esr24 --- disabled
b2g18 --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- disabled

People

(Reporter: decoder, Assigned: jonco)

References

Details

(Keywords: assertion, sec-critical, testcase)

Attachments

(1 file)

The following testcase asserts on mozilla-central revision df82be9d89a5 (threadsafe build, run with --fuzzing-safe --thread-count=2):


var ArrayType = TypedObject.ArrayType;
var StructType = TypedObject.StructType;
var uint8 = TypedObject.uint8;
var uint32 = TypedObject.uint32;
var ObjectType = TypedObject.Object;
function runTests() {
  (function DimensionLinkedToUndimension() {
    // Each array type creates a new type representation, which is
    // interned in the engine's type representation hash table.
    var UintsA = uint32.array();
    var FiveUintsA = UintsA.dimension(5);
    var FiveUintsB = uint32.array(5);
    assertEq(true, FiveUintsA.equivalent(FiveUintsB));
  })();
  (function PrototypeHierarchy() {
    // schedulegc() is a JS shell-only hook: schedule a GC after 3
    // allocations, so it can fire while the next type representation
    // is being created.
    schedulegc(3);
    var Uint8s = uint8.array();
  })();
}
runTests();
This is a GC hazard; Jonco and mjrosenb are already investigating :) Marked sec-critical because some object is being modified while finalized, and that doesn't sound like a good idea.
Keywords: sec-critical
We need to call relookupOrAdd() rather than add() here as creating a new type object may have caused a GC, which may have modified the hash table.
Assignee: general → jcoppeard
Attachment #8345961 - Flags: review?(sphink)
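The hazard described in the comment above, as an added example that is not code from HashTable.h, the bug's patch, or SpiderMonkey: a small table modelled on the lookupForAdd()/add()/relookupOrAdd() API, carrying the same mutationCount that the assertion in the bug title compares. The TypeRep struct, the sweep() stand-in for a GC, the "dead entry" fixture and the insert helpers are all assumptions made for illustration; the real add() asserts where this one returns false, so the stale-AddPtr case can be observed from a test instead of aborting.

```cpp
// Added example, not SpiderMonkey code: a table modelled on the
// lookupForAdd()/add()/relookupOrAdd() API with a mutationCount check.
#include <cstdint>
#include <cstdio>
#include <deque>
#include <string>
#include <unordered_map>

struct TypeRep {
  std::string name;
  bool marked;  // false = unreachable, swept by the next GC (assumption)
};

class TypeRepTable {
 public:
  // Result of lookupForAdd(): remembers the table generation it was taken
  // at, which is the p.mutationCount in the failing assertion.
  struct AddPtr {
    std::string key;
    bool found;
    uint64_t mutationCount;
  };

  AddPtr lookupForAdd(const std::string& key) const {
    return AddPtr{key, map_.count(key) != 0, mutationCount_};
  }

  // Like add(): only valid if nothing mutated the table since lookupForAdd().
  // Returns false where the real code asserts.
  bool add(const AddPtr& p, TypeRep* value) {
    if (p.mutationCount != mutationCount_)
      return false;  // stale AddPtr: the assertion in the bug title
    map_[p.key] = value;
    ++mutationCount_;
    return true;
  }

  // Like relookupOrAdd(): redo the lookup if the table changed under us,
  // then add only if the key is still absent.
  bool relookupOrAdd(AddPtr& p, TypeRep* value) {
    if (p.mutationCount != mutationCount_)
      p = lookupForAdd(p.key);
    return p.found || add(p, value);
  }

  // Stand-in for the GC sweeping a weakly held table: drop every entry
  // whose type representation is unmarked. Each removal is a mutation.
  void sweep() {
    for (auto it = map_.begin(); it != map_.end();) {
      if (!it->second->marked) { it = map_.erase(it); ++mutationCount_; }
      else ++it;
    }
  }

  size_t size() const { return map_.size(); }

 private:
  std::unordered_map<std::string, TypeRep*> map_;
  uint64_t mutationCount_ = 0;
};

// Creating a type object allocates, and an allocation may trigger a GC.
// Modelled here by always sweeping before handing back the new object.
static TypeRep* createTypeRep(TypeRepTable& table, const std::string& name) {
  static std::deque<TypeRep> arena;  // keeps pointers stable
  table.sweep();
  arena.push_back(TypeRep{name, true});
  return &arena.back();
}

// The pattern before the fix: lookupForAdd(), allocate (may GC), add().
// Returns true if the entry went in, false if add() saw a stale AddPtr.
bool insertWithAdd(TypeRepTable& table, const std::string& name) {
  TypeRepTable::AddPtr p = table.lookupForAdd(name);
  if (p.found) return true;
  TypeRep* rep = createTypeRep(table, name);
  return table.add(p, rep);
}

// The pattern after the fix: same sequence, relookupOrAdd() at the end.
bool insertWithRelookupOrAdd(TypeRepTable& table, const std::string& name) {
  TypeRepTable::AddPtr p = table.lookupForAdd(name);
  if (p.found) return true;
  TypeRep* rep = createTypeRep(table, name);
  return table.relookupOrAdd(p, rep);
}

// Constructed fixture: a table holding one entry that is already dead, so
// the GC between lookup and add removes it and mutates the table.
TypeRepTable makeTableWithDeadEntry() {
  static TypeRep dead{"uint8[]", false};
  TypeRepTable table;
  TypeRepTable::AddPtr p = table.lookupForAdd(dead.name);
  table.add(p, &dead);
  return table;
}

int main() {
  TypeRepTable a = makeTableWithDeadEntry();
  std::printf("add(): %s\n", insertWithAdd(a, "uint32[5]") ? "ok" : "stale AddPtr");
  TypeRepTable b = makeTableWithDeadEntry();
  std::printf("relookupOrAdd(): %s\n", insertWithRelookupOrAdd(b, "uint32[5]") ? "ok" : "stale AddPtr");
  return 0;
}
```

With a live-only table the GC mutates nothing and the old add() path also succeeds, which is why the bug only showed up under a scheduled GC: the AddPtr is only stale when the sweep actually removed something (or the table rehashed) between the lookup and the add.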
Comment on attachment 8345961 [details] [diff] [review]
bug948423-typerep-fuzz

Review of attachment 8345961 [details] [diff] [review]:
-----------------------------------------------------------------

Nasty little typerepresentationses playing with my preciousss hashtableses while I is sleepings. Nasty nasssty.
Attachment #8345961 - Flags: review?(sphink) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Unfortunately, TypedObject is nightly only, so, as https://tbpl.mozilla.org/?tree=Try&rev=9e4d891154f4 shows, you need a follow-up to bail out if TypedObject is undefined so we won't be permaorange on aurora at the next merge.
Depends on: 950617
Group: core-security