Closed Bug 559083 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js_IteratorClass] or [@ JSObject::enumerate]

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
blocking2.0 --- beta1+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: gal)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical][critsmash:resolved])

for each(let b in [{x:3},{x:3},{x:3},{x:3}]) { new Iterator(b) }

crashes js opt and debug shell on TM tip with -j at js_IteratorClass or JSObject::enumerate:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000856120 in js_IteratorClass ()
(gdb) bt
#0  0x0000000000856120 in js_IteratorClass ()
#1  0x000000000042788b in JSObject::enumerate (this=0x7ffff6c02340, cx=0x8a2450, op=JSENUMERATE_DESTROY, statep=0x7fffffffdf10, idp=0x0) at ../jsobj.h:530
#2  0x0000000000486801 in CloseNativeIterator (cx=0x8a2450, iterobj=0x7ffff6c02400) at ../jsiter.cpp:119
#3  0x0000000000486847 in iterator_finalize (cx=0x8a2450, obj=0x7ffff6c02400) at ../jsiter.cpp:127
#4  0x000000000047f143 in FinalizeObject (cx=0x8a2450, obj=0x7ffff6c02400, thingKind=0) at ../jsgc.cpp:2550
#5  0x000000000047baee in FinalizeArenaList<JSObject, FinalizeObject> (cx=0x8a2450, thingKind=0, releaser=0x7fffffffe0b0) at ../jsgc.cpp:2755
#6  0x000000000047b0bb in GC (cx=0x8a2450, gckind=GC_LAST_CONTEXT) at ../jsgc.cpp:3045
#7  0x000000000047b294 in GCUntilDone (cx=0x8a2450, gckind=GC_LAST_CONTEXT) at ../jsgc.cpp:3163
#8  0x000000000047b708 in js_GC (cx=0x8a2450, gckind=GC_LAST_CONTEXT) at ../jsgc.cpp:3456
#9  0x000000000043b8f6 in js_DestroyContext (cx=0x8a2450, mode=JSDCM_FORCE_GC) at ../jscntxt.cpp:818
#10 0x000000000041c8bb in JS_DestroyContext (cx=0x8a2450) at ../jsapi.cpp:920
#11 0x000000000040c1a4 in DestroyContext (cx=0x8a2450, withGC=true) at ../../shell/js.cpp:4846
#12 0x000000000040c518 in main (argc=2, argv=0x7fffffffe350, envp=0x7fffffffe368) at ../../shell/js.cpp:5035
(gdb)
bug 558754 will fix this by removing FINALIZE_ITER and js_NewGCIter. The actual bug here is that trace code creates new objects by calling js_NewInstance, which doesn't correctly call js_NewGCIter, leading to an iterator in the Object arena so it calls enumerate(...JSENUMERATE_FINALIZE) on its iterated object which has already been finalized.
Group: core-security
Depends on: fastiterators
Whiteboard: [sg:critical]
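As an added illustration (constructed for this page, not code from the bug or from SpiderMonkey), this C model shows why an iterator allocated in the generic Object arena, rather than in its own FINALIZE_ITER arena, can have its finalizer run after the object it iterates has already been finalized. The arena ids, the `live` flag and the helper names are assumptions of the model; the model defers freeing until all finalizers have run so the ordering error is counted instead of dereferencing freed memory.

```c
/* Constructed model of the finalization-order bug from this report; not SpiderMonkey code. */
#include <stdlib.h>

enum { ARENA_OBJECT, ARENA_ITER, ARENA_COUNT };   /* assumed arena ids */

typedef struct Obj {
    int live;            /* 1 while class/data are valid, 0 once finalized */
    struct Obj *target;  /* iterator only: the object being iterated */
    struct Obj *next;    /* arena list, kept in allocation (address) order */
} Obj;

typedef struct { Obj *arena[ARENA_COUNT]; int hooks_on_dead; } Heap;

static Obj *alloc_in(Heap *h, int arena, Obj *target) {
    Obj *o = calloc(1, sizeof *o), **tail = &h->arena[arena];
    o->live = 1; o->target = target;
    while (*tail) tail = &(*tail)->next;      /* append: sweep order == allocation order */
    *tail = o;
    return o;
}

/* Iterator finalizer: closes the iteration via the target's enumerate hook, which reads
 * the target's class. A target that is already finalized is the crash in the backtrace. */
static void finalize(Heap *h, Obj *o) {
    if (o->target && !o->target->live) h->hooks_on_dead++;
    o->live = 0;
}

static void gc(Heap *h) {
    static const int order[] = { ARENA_ITER, ARENA_OBJECT };  /* FINALIZE_ITER swept first */
    for (int k = 0; k < ARENA_COUNT; k++)
        for (Obj *o = h->arena[order[k]]; o; o = o->next) finalize(h, o);
    for (int k = 0; k < ARENA_COUNT; k++) {   /* model only: release after all finalizers ran */
        for (Obj *o = h->arena[k], *n; o; o = n) { n = o->next; free(o); }
        h->arena[k] = NULL;
    }
}

/* The report's loop: each {x:3} gets an iterator, then the last-context GC finalizes all.
 * Returns how many iterator finalizers ran against an already-finalized target. */
int run_scenario(int iterator_in_own_arena) {
    Heap h = {{0}, 0};
    for (int i = 0; i < 4; i++) {
        Obj *b = alloc_in(&h, ARENA_OBJECT, NULL);                       /* {x:3} */
        /* js_NewGCIter path -> ARENA_ITER; traced js_NewInstance path -> ARENA_OBJECT */
        alloc_in(&h, iterator_in_own_arena ? ARENA_ITER : ARENA_OBJECT, b);
    }
    gc(&h);
    return h.hooks_on_dead;
}
```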
Assigning to gal, since he's fixing bug 558754 and we're trying to avoid sg:crit bugs with no owner.
Assignee: general → gal
There is an easy fix for this. If 558754 is held up for whatever reason, I will whip up a patch for this bug. This is trunk only and not shipped.
autoBisect shows this is probably related to bug 557914. The first bad revision is:

changeset:   40655:121debb9ff3d
user:        Andreas Gal
date:        Sat Apr 10 16:08:14 2010 -0700
summary:     Remove gcIteratorTable (557914, r=brendan).
Blocks: 557914
OS: Linux → All
Hardware: x86 → All
Andreas, got an ETA for this patch? Blocking 1.9.3 beta 1.
blocking2.0: --- → beta1+
A comprehensive replacement of the code causing this is being fuzzed and should land within a week. If it's not done by this weekend I will do a direct fix for this bug. Does that work with your beta schedule?
Whiteboard: [sg:critical] → [ccbr][sg:critical]
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical][critsmash:patch]
Andreas, we didn't get a fix in the timeframe you mentioned in Comment 6. Going to do a one-off patch for this?
Marking old branches unaffected based on the regressing patch.
Very close. 1 failure left. I will try to land today.
Andreas, going to land/close this?
The patch matched above has landed on tracemonkey. The code that caused this crash no longer exists in our code base. We can open this bug as soon as the patch is merged into m-c. ETA: 2-3 days.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Whiteboard: [ccbr][sg:critical][critsmash:patch] → [ccbr][sg:critical][critsmash:resolved]
"FIXED" is a better resolution: we are no longer vulnerable to this security bug, and it was actively taken out of our tree by a known specific patch (therefore not "worksforme"). "WONTFIX" implies it continues to exist, broken.
Group: core-security
Resolution: WONTFIX → FIXED
Crash Signature: [@ js_IteratorClass] [@ JSObject::enumerate]
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_IteratorClass] [@ JSObject::enumerate] → [@ js_IteratorClass] [@ JSObject::enumerate]
Flags: in-testsuite-