Closed Bug 976697 Opened 10 years ago Closed 10 years ago

Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox29 --- unaffected
firefox30 --- verified
firefox-esr24 --- unaffected

People

(Reporter: gkw, Assigned: nmatsakis)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(3 files)

stack
4.89 KB, text/plain
Details
Bug976697.diff
5.44 KB, patch
sfink
: review+
Details | Diff | Splinter Review
[crash-signature] Machine-readable crash signature
643 bytes, text/plain
Details
Attached file stack 
x = ArrayBuffer();
neuter(x);
Uint32Array(x);
gc();

asserts js debug shell on m-c changeset 1507f021ac93 without any CLI arguments at Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp

This happens fairly often so setting as [fuzzblocker], and setting s-s because this involves gc.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/03355461606c
user:        Nicholas D. Matsakis
date:        Fri Feb 21 12:32:24 2014 -0500
summary:     Bug 975456 -- Preserve invariant that views on a neutered buffer have a NULL data pointer r=shu
Flags: needinfo?
Flags: needinfo?
Didn't mean to reset the flag, assuming Gary wanted to add Niko.
Flags: needinfo?(nmatsakis)
Assignee: nobody → nmatsakis
Flags: needinfo?(nmatsakis)
Looks like fallout from bug 975456, I'll look into it.
Indeed, I didn't consider case where you instantiate a new typed array atop a neutered buffer. Sigh.
Attached patch Bug976697.diffSplinter Review 

        Attachment #8382294 -
        Flags: review?(sphink)

    
    

    
  
Comment on attachment 8382294 [details] [diff] [review]
Bug976697.diff

Review of attachment 8382294 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/TypedObject/bug976697.js
@@ +1,2 @@
> +// Test that instantiating a typed array on top of a neutered buffer
> +// doesn't trip any asserts. Public domain.

Looks like the standard fancy way to do this is

/*
 * Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/licenses/publicdomain/
 */

Though a number of tests don't have a prefix at all. One or the other.

        Attachment #8382294 -
        Flags: review?(sphink) → review+

    
    

    
  
Try run (green, as far as I can tell): https://tbpl.mozilla.org/?tree=Try&rev=a6d2715798c8

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/719629050761
Status: NEW → RESOLVED
Closed: 10 years ago

          status-firefox30:
          affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Status: RESOLVED → VERIFIED

    
    

    
  
JSBugMon: This bug has been automatically verified fixed.

    
    

    
  
JSBugMon: This bug has been automatically verified fixed on Fx30
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: