Closed
Bug 623859
Opened 14 years ago
Closed 14 years ago
Crash [@ js::NewDenseCopiedArray] or [@ JSObject::getClass]
Categories
(Core :: JavaScript Engine, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: paul.biggar)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][softblocker][fixed-in-tracemonkey])
Crash Data
Attachments (1 file)
patch (deleted) | luke: review+
(function() {
  Iterator((function() {
    switch ((7)) {
      default:
        return (Float32Array).call([], 4300018)
      case Proxy.create((function() {
        return {
          e:
          function() {}
        }
      })):
    }
  })())
})()
This crashes the js opt shell at js::NewDenseCopiedArray and the debug shell at JSObject::getClass on TM changeset ca11457ed5fe, without -m or -j.
Also s-s, because I have no idea what the testcase is doing.
===
opt console output:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000001c
0x00025ecc in js::NewDenseCopiedArray ()
(gdb) bt
#0 0x00025ecc in js::NewDenseCopiedArray ()
#1 0x0009a0e1 in Enumerate<ValueEnumeration> ()
#2 0x0009d6b7 in js::GetIterator ()
#3 0x0009dfc0 in Iterator ()
#4 0x0008bd89 in js::Interpret ()
#5 0x00096492 in js::Execute ()
#6 0x00018e18 in JS_ExecuteScript ()
#7 0x00006774 in Process ()
#8 0x0000af22 in Shell ()
#9 0x0000b4bf in main ()
(gdb) x/i $eip
0x25ecc <_ZN2js19NewDenseCopiedArrayEP9JSContextjPNS_5ValueEP8JSObject+140>: mov %esi,0x1c(%eax)
(gdb) x/b $esi
0x2: Cannot access memory at address 0x2
debug console output:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x0019b465 in JSObject::getClass (this=0x0) at jsobj.h:391
391 js::Class *getClass() const { return clasp; }
(gdb) bt
#0 0x0019b465 in JSObject::getClass (this=0x0) at jsobj.h:391
#1 0x00038da4 in JSObject::isDenseArray (this=0x0) at jsarray.h:146
#2 0x00038dfd in JSObject::isArray (this=0x0) at jsarray.h:158
#3 0x00111d50 in JSObject::setArrayLength (this=0x0, length=2) at jsobjinlines.h:298
#4 0x0004323b in js::NewArray<true> (cx=0x70f8b0, length=2, proto=0x0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsarray.cpp:3000
#5 0x00043290 in js::NewDenseCopiedArray (cx=0x70f8b0, length=2, vp=0xbfffe518, proto=0x0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsarray.cpp:3029
#6 0x000eb5de in NewKeyValuePair (cx=0x70f8b0, id={asBits = 5896797}, val=@0xe97e970, rval=0xe97e970) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:168
#7 0x000f20e9 in ValueEnumeration::append (cx=0x70f8b0, vals=@0xbfffe790, obj=0x15026e0, id={asBits = 5896797}, flags=14) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:203
#8 0x000eb806 in Enumerate<ValueEnumeration> (cx=0x70f8b0, obj=0x15026e0, pobj=0x15026e0, id={asBits = 5896797}, enumerable=true, sharedPermanent=false, flags=14, ht=@0xbfffe620, props=0xbfffe790) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:247
#9 0x000ec61e in Snapshot<ValueEnumeration> (cx=0x70f8b0, obj=0x15026e0, flags=14, props=0xbfffe790) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:358
#10 0x000efc8d in js::GetIterator (cx=0x70f8b0, obj=0x15026e0, flags=14, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:721
#11 0x000f005c in js_ValueToIterator (cx=0x70f8b0, flags=14, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:839
#12 0x000f00fd in Iterator (cx=0x70f8b0, argc=1, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:760
#13 0x000e94da in js::CallJSNative (cx=0x70f8b0, native=0xf006b <Iterator(JSContext*, unsigned int, js::Value*)>, argc=1, vp=0x10100a0) at jscntxtinlines.h:692
#14 0x000d25b5 in js::Interpret () at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsinterp.cpp:4806
#15 0x000e6084 in js::RunScript (cx=0x70f8b0, script=0x713370, fp=0x1010030) at jsinterp.cpp:657
#16 0x000e661b in js::Execute (cx=0x70f8b0, chain=0x1502028, script=0x713370, prev=0x0, flags=0, result=0xbffff6c0) at jsinterp.cpp:1024
#17 0x00023e9f in JS_ExecuteScript (cx=0x70f8b0, obj=0x1502028, script=0x713370, rval=0xbffff6c0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsapi.cpp:4932
#18 0x000168c8 in Process (cx=0x70f8b0, obj=0x1502028, filename=0x0, forceTTY=0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:548
#19 0x00017386 in ProcessArgs (cx=0x70f8b0, obj=0x1502028, argv=0xbffff858, argc=0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:951
#20 0x000174c4 in Shell (cx=0x70f8b0, argc=0, argv=0xbffff858, envp=0xbffff85c) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5464
#21 0x0001762b in main (argc=0, argv=0xbffff858, envp=0xbffff85c) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5572
Reporter
Updated•14 years ago
blocking2.0: --- → ?
Comment 1•14 years ago
I'm going softblocker for now, since we don't know yet if this affects the web. Is autobisect running on this? A regressing changeset would help with triage.
blocking2.0: ? → betaN+
Whiteboard: [ccbr] → [ccbr][softblocker]
Comment 2•14 years ago
The first bad revision is:
changeset: aae231781a45
user: Paul Biggar
date: Mon Dec 13 16:22:59 2010 -0800
summary: Bug 612292 - Rename array allocation functions (r=lw)
Blocks: 612292
blocking2.0: betaN+ → ?
Comment 3•14 years ago
Jesse, by the renom are you saying you think this shouldn't block?
Assignee
Updated•14 years ago
Assignee: general → pbiggar
Comment 4•14 years ago
The renom was an unintentional change. Sorry.
Updated•14 years ago
blocking2.0: ? → betaN+
Assignee
Comment 5•14 years ago
I missed two OOM checks in the original refactoring, which this check triggered.
Attachment #502112 - Flags: review?(lw)
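The missing check described in comment 5, as an added illustration that is not SpiderMonkey's code: a stripped-down C++ model of the NewArray path in the stacks above, where the object allocation can fail, showing the unchecked form that dereferences NULL beside the checked form that returns NULL to its caller. FakeContext, FakeObject and the allocation budget are assumptions made up for the example.

```cpp
// Added illustration, not SpiderMonkey code: a minimal model of the
// NewArray -> setArrayLength path in the stacks above, with injectable OOM.
#include <cstddef>
#include <cstdint>

struct FakeObject {                              // stand-in for JSObject
    uint32_t length = 0;
    void setArrayLength(uint32_t len) { length = len; }
};

// Hypothetical context: allocation returns NULL once the budget is spent,
// as the real allocator does under memory pressure.
struct FakeContext {
    size_t budget, allocated;
    explicit FakeContext(size_t b) : budget(b), allocated(0) {}
    FakeObject *allocObject() {
        if (allocated >= budget) return nullptr; // "OOM": caller must check
        ++allocated;
        return new FakeObject();
    }
};

// Before the fix: the result is used unchecked, so under OOM
// setArrayLength runs with this == NULL (the getClass(this=0x0) frame).
FakeObject *newArrayUnchecked(FakeContext *cx, uint32_t len) {
    FakeObject *obj = cx->allocObject();
    obj->setArrayLength(len);                    // null dereference on OOM
    return obj;
}

// After the fix: test for OOM before touching the object.
FakeObject *newArrayChecked(FakeContext *cx, uint32_t len) {
    FakeObject *obj = cx->allocObject();
    if (!obj)
        return nullptr;                          // propagate failure upward
    obj->setArrayLength(len);
    return obj;
}

// Models NewKeyValuePair asking for a length-2 array under a given
// allocation budget: returns the array length, or -1 when the checked
// path reports OOM instead of crashing.
int newPairLengthWithBudget(size_t budget) {
    FakeContext cx(budget);
    FakeObject *obj = newArrayChecked(&cx, 2);
    if (!obj) return -1;
    int len = static_cast<int>(obj->length);
    delete obj;
    return len;
}
```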
Comment 6•14 years ago
Comment on attachment 502112 (Check for missing OOM conditions)
>+ if (!obj)
>+ return NULL;
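Review bot: the bare `return NULL;` on this OOM path carries no comment saying whether the out-of-memory condition has already been reported on the context before the function returns; a one-line comment next to the check (e.g. `/* OOM: already reported by the allocator */`) would document that contract for callers such as NewDenseCopiedArray that propagate the NULL, so the check is not mistaken for a silent failure.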
4 spaces of indent here.
Attachment #502112 - Flags: review?(lw) → review+
Assignee
Comment 7•14 years ago
Whiteboard: [ccbr][softblocker] → [ccbr][softblocker][fixed-in-tracemonkey]
Comment 8•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ js::NewDenseCopiedArray] [@ JSObject::getClass]
Comment 9•13 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•13 years ago
Status: RESOLVED → VERIFIED
Updated•9 years ago
Group: core-security