Closed Bug 976697 Opened 6 years ago Closed 6 years ago

Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla30
Tracking Status
firefox29 --- unaffected
firefox30 --- verified
firefox-esr24 --- unaffected

People

(Reporter: gkw, Assigned: nmatsakis)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(3 files)

Attached file stack
x = ArrayBuffer();   // allocate a buffer with a live backing store
neuter(x);           // shell-only builtin: detach x, releasing its data
Uint32Array(x);      // construct a new view on the already-neutered buffer
gc();                // collection trips the obj->getPrivate() == nullptr assertion

asserts js debug shell on m-c changeset 1507f021ac93 without any CLI arguments at Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp

This happens fairly often so setting as [fuzzblocker], and setting s-s because this involves gc.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/03355461606c
user:        Nicholas D. Matsakis
date:        Fri Feb 21 12:32:24 2014 -0500
summary:     Bug 975456 -- Preserve invariant that views on a neutered buffer have a NULL data pointer r=shu
Flags: needinfo?
Flags: needinfo?
Didn't mean to reset the flag, assuming Gary wanted to add Niko.
Flags: needinfo?(nmatsakis)
Assignee: nobody → nmatsakis
Flags: needinfo?(nmatsakis)
Looks like fallout from bug 975456, I'll look into it.
Indeed, I didn't consider the case where you instantiate a new typed array atop a neutered buffer. Sigh.
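Added example, not code from this bug or from SpiderMonkey: the web-visible form of the invariant Niko refers to (a view on a neutered/detached buffer must not reach the buffer's old data). The shell's neuter() builtin is not available outside the JS shell, so this uses structuredClone's transfer list to detach the buffer, which needs Node >= 17 or a current browser. The function names detach and viewOnDetachedBuffer are my own. It shows what a spec-conformant engine does for the two cases that matter here: a view that existed before detachment collapses to length 0 and reads undefined rather than stale memory, and constructing a new view on the detached buffer throws a TypeError instead of handing out a data pointer. In a debug SpiderMonkey build, the assertion in this bug is the guard for exactly that second case.

```javascript
'use strict';

// Detach `buf` by transferring it to a structured clone; the clone owns the
// memory afterwards and `buf` is left detached with byteLength 0.
// (structuredClone with a transfer list: Node >= 17 or a modern browser.)
function detach(buf) {
  return structuredClone(buf, { transfer: [buf] });
}

// Mirror the shape of the shell test case (buffer -> neuter -> construct a
// view) and return what the engine reports, so the result can be checked.
function viewOnDetachedBuffer() {
  const buf = new ArrayBuffer(16);
  const before = new Uint32Array(buf);   // view created while buffer is live
  before[0] = 0xdeadbeef;                // constructed sample data

  const owner = detach(buf);             // `buf` is now detached

  let constructorError = null;
  try {
    new Uint32Array(buf);                // view requested on detached buffer
  } catch (e) {
    constructorError = e;
  }

  return {
    bufferByteLength: buf.byteLength,        // 0 once detached
    transferredByteLength: owner.byteLength, // 16: the clone kept the data
    oldViewLength: before.length,            // 0: old view tracks detachment
    oldViewByteLength: before.byteLength,    // 0
    oldViewRead: before[0],                  // undefined, never stale bytes
    constructorThrows: constructorError instanceof TypeError,
  };
}
```

The point for a reviewer of engine code is that both behaviours depend on the same internal invariant: once the backing store is gone, no view, old or new, may hold a non-null data pointer, or a later read would touch released memory.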
Attached patch Bug976697.diffSplinter Review
Attachment #8382294 - Flags: review?(sphink)
Comment on attachment 8382294 [details] [diff] [review]
Bug976697.diff

Review of attachment 8382294 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/TypedObject/bug976697.js
@@ +1,2 @@
> +// Test that instantiating a typed array on top of a neutered buffer
> +// doesn't trip any asserts. Public domain.

Looks like the standard fancy way to do this is

/*
 * Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/licenses/publicdomain/
 */

Though a number of tests don't have a prefix at all. One or the other.
Attachment #8382294 - Flags: review?(sphink) → review+
Try run (green, as far as I can tell): https://tbpl.mozilla.org/?tree=Try&rev=a6d2715798c8
https://hg.mozilla.org/mozilla-central/rev/719629050761
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx30
Group: core-security