Assertion failure: mutationCount == p.mutationCount, at dist/include/js/HashTable.h:1459

VERIFIED FIXED in Firefox 29

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 5 years ago
Modified: 3 years ago
People

(Reporter: decoder, Assigned: jonco)

Tracking

Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla29
Platform: x86 Linux
Keywords: assertion, sec-critical, testcase

Firefox Tracking Flags

(firefox27 disabled, firefox28 disabled, firefox29 fixed, firefox-esr24 disabled, b2g18 unaffected, b2g-v1.2 unaffected, b2g-v1.3 disabled)

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-central revision df82be9d89a5 (threadsafe build, run with --fuzzing-safe --thread-count=2):


// SpiderMonkey shell testcase (run with --fuzzing-safe --thread-count=2).
// assertEq() and schedulegc() are JS shell builtins, not web APIs, and
// TypedObject was Nightly-only at the time (see comment 6).
var ArrayType = TypedObject.ArrayType;
var StructType = TypedObject.StructType;
var uint8 = TypedObject.uint8;
var uint32 = TypedObject.uint32;
var ObjectType = TypedObject.Object;

function runTests() {
  (function DimensionLinkedToUndimension() {
    // Two routes to the same array type representation: an undimensioned
    // array type later given a dimension, and a directly dimensioned one.
    var UintsA = uint32.array();
    var FiveUintsA = UintsA.dimension(5);
    var FiveUintsB = uint32.array(5);
    assertEq(true, FiveUintsA.equivalent(FiveUintsB));
  })();
  (function PrototypeHierarchy() {
    // Schedule a GC a few allocations from now, so it runs while a new type
    // representation is being created and interned in the hash table.
    schedulegc(3);
    var Uint8s = uint8.array();
  })();
}
runTests();
(Reporter)

Comment 1

5 years ago
This is a GC hazard; Jonco and mjrosenb are already investigating :) Marked sec-critical because some object is being modified while finalized, and that doesn't sound like a good idea.
Keywords: sec-critical
(Assignee)

Comment 2

5 years ago
Created attachment 8345961: bug948423-typerep-fuzz

We need to call relookupOrAdd() rather than add() here as creating a new type object may have caused a GC, which may have modified the hash table.
Assignee: general → jcoppeard
Attachment #8345961 - Flags: review?(sphink)
status-b2g18: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → disabled
status-firefox27: --- → disabled
status-firefox28: --- → disabled
status-firefox29: --- → affected
status-firefox-esr24: --- → disabled
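As an added illustration of the hazard comment 2 describes (this is not SpiderMonkey's HashTable nor the patch itself), the C++ sketch below models the lookupForAdd / add / relookupOrAdd protocol with a mutation counter. The assertion in the bug title is exactly this staleness check: an AddPtr records the table generation it was taken at, and add() is only valid if nothing has mutated the table since. The GC-driven sweep(), the type-object names and the Outcome type are assumptions made for the example.

```cpp
// Added illustration, not SpiderMonkey code: a toy interning table with the
// lookupForAdd / add / relookupOrAdd protocol and a mutation counter, showing
// why add() after an allocation that can run the GC is a hazard.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <unordered_map>

struct TypeObj { std::string name; };   // stands in for a type representation

class TypeTable {
public:
    // Result of lookupForAdd(): the key, what was found, and the table
    // generation the lookup was taken at.
    struct AddPtr {
        std::string key;
        TypeObj* value;           // non-null if the key was already present
        uint64_t mutationCount;   // snapshot of the table's mutation counter
        bool found() const { return value != nullptr; }
    };

    AddPtr lookupForAdd(const std::string& key) {
        auto it = map_.find(key);
        return AddPtr{key, it == map_.end() ? nullptr : it->second, mutationCount_};
    }

    // add(): only valid while the table is unchanged since the lookup.
    // Returns false where the real table would hit the assertion in the
    // bug title; a stale AddPtr must not be used to insert.
    bool add(const AddPtr& p, TypeObj* value) {
        if (p.mutationCount != mutationCount_)
            return false;
        map_[p.key] = value;
        ++mutationCount_;
        return true;
    }

    // relookupOrAdd(): redo the lookup so the AddPtr is fresh, then insert
    // only if the key is still absent.
    bool relookupOrAdd(AddPtr& p, TypeObj* value) {
        p = lookupForAdd(p.key);
        if (p.found())
            return true;
        return add(p, value);
    }

    // Assumed GC behaviour for this example: finalizing a dead type object
    // removes its entry, which bumps the mutation counter.
    void sweep(const std::string& key) {
        if (map_.erase(key) != 0)
            ++mutationCount_;
    }

    size_t size() const { return map_.size(); }

private:
    std::unordered_map<std::string, TypeObj*> map_;
    uint64_t mutationCount_ = 0;
};

enum class Outcome { Added, StaleAddPtr };

// The pattern from the bug: look up, allocate (which may GC), then insert.
Outcome internAfterAllocation(TypeTable& table, const std::string& key,
                              const std::function<TypeObj*()>& allocate,
                              bool useRelookup) {
    TypeTable::AddPtr p = table.lookupForAdd(key);
    if (p.found())
        return Outcome::Added;
    TypeObj* obj = allocate();   // may run a GC that mutates 'table'
    bool ok = useRelookup ? table.relookupOrAdd(p, obj) : table.add(p, obj);
    return ok ? Outcome::Added : Outcome::StaleAddPtr;
}

// Constructed scenario: the table holds a dead entry that the GC triggered by
// the allocation sweeps away between lookupForAdd() and add().
Outcome runScenario(bool useRelookup) {
    TypeTable table;
    TypeObj dead{"Uint8s"}, fresh{"FiveUints"};
    TypeTable::AddPtr p0 = table.lookupForAdd("Uint8s");
    table.add(p0, &dead);

    auto allocate = [&]() -> TypeObj* {
        table.sweep("Uint8s");   // the GC finalizes the dead type object
        return &fresh;
    };
    return internAfterAllocation(table, "FiveUints", allocate, useRelookup);
}

int main() {
    std::printf("add():           %s\n",
                runScenario(false) == Outcome::Added ? "added" : "stale AddPtr");
    std::printf("relookupOrAdd(): %s\n",
                runScenario(true) == Outcome::Added ? "added" : "stale AddPtr");
    return 0;
}
```

The practical rule this encodes: treat any AddPtr as invalid across any call that can allocate, because allocation can run the GC and the GC can mutate the table (here by sweeping a finalized entry). Either do all allocation before the lookup, or use relookupOrAdd() so the position is recomputed at insertion time.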
Comment on attachment 8345961: bug948423-typerep-fuzz

Review of attachment 8345961:
-----------------------------------------------------------------

Nasty little typerepresentationses playing with my preciousss hashtableses while I is sleepings. Nasty nasssty.
Attachment #8345961 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/463a1bf8508f
status-firefox29: affected → fixed
Target Milestone: --- → mozilla29
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 6

5 years ago
JSBugMon: This bug has been automatically verified fixed.
Unfortunately, TypedObject is Nightly-only, so, as https://tbpl.mozilla.org/?tree=Try&rev=9e4d891154f4 shows, you need a follow-up to bail out if TypedObject is undefined so we won't be permaorange on Aurora at the next merge.
(Assignee)

Updated

5 years ago
Depends on: 950617
Group: core-security