Closed Bug 623859 Opened 14 years ago Closed 14 years ago

Crash [@ js::NewDenseCopiedArray] or [@ JSObject::getClass]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

VERIFIED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: paul.biggar)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][softblocker][fixed-in-tracemonkey])

Attachments

(1 file)

(function() { Iterator((function() { switch ((7)) { default: return (Float32Array).call([], 4300018) case Proxy.create((function() { return { e: function() {} } })): } })()) })()

crashes js opt shell at js::NewDenseCopiedArray and debug shell at JSObject::getClass on TM changeset ca11457ed5fe without -m or -j. Also s-s because no idea what the testcase is doing.

=== opt console output:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000001c
0x00025ecc in js::NewDenseCopiedArray ()
(gdb) bt
#0 0x00025ecc in js::NewDenseCopiedArray ()
#1 0x0009a0e1 in Enumerate<ValueEnumeration> ()
#2 0x0009d6b7 in js::GetIterator ()
#3 0x0009dfc0 in Iterator ()
#4 0x0008bd89 in js::Interpret ()
#5 0x00096492 in js::Execute ()
#6 0x00018e18 in JS_ExecuteScript ()
#7 0x00006774 in Process ()
#8 0x0000af22 in Shell ()
#9 0x0000b4bf in main ()
(gdb) x/i $eip
0x25ecc <_ZN2js19NewDenseCopiedArrayEP9JSContextjPNS_5ValueEP8JSObject+140>: mov %esi,0x1c(%eax)
(gdb) x/b $esi
0x2: Cannot access memory at address 0x2

=== debug console output:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x0019b465 in JSObject::getClass (this=0x0) at jsobj.h:391
391 js::Class *getClass() const { return clasp; }
(gdb) bt
#0 0x0019b465 in JSObject::getClass (this=0x0) at jsobj.h:391
#1 0x00038da4 in JSObject::isDenseArray (this=0x0) at jsarray.h:146
#2 0x00038dfd in JSObject::isArray (this=0x0) at jsarray.h:158
#3 0x00111d50 in JSObject::setArrayLength (this=0x0, length=2) at jsobjinlines.h:298
#4 0x0004323b in js::NewArray<true> (cx=0x70f8b0, length=2, proto=0x0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsarray.cpp:3000
#5 0x00043290 in js::NewDenseCopiedArray (cx=0x70f8b0, length=2, vp=0xbfffe518, proto=0x0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsarray.cpp:3029
#6 0x000eb5de in NewKeyValuePair (cx=0x70f8b0, id={asBits = 5896797}, val=@0xe97e970, rval=0xe97e970) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:168
#7 0x000f20e9 in ValueEnumeration::append (cx=0x70f8b0, vals=@0xbfffe790, obj=0x15026e0, id={asBits = 5896797}, flags=14) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:203
#8 0x000eb806 in Enumerate<ValueEnumeration> (cx=0x70f8b0, obj=0x15026e0, pobj=0x15026e0, id={asBits = 5896797}, enumerable=true, sharedPermanent=false, flags=14, ht=@0xbfffe620, props=0xbfffe790) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:247
#9 0x000ec61e in Snapshot<ValueEnumeration> (cx=0x70f8b0, obj=0x15026e0, flags=14, props=0xbfffe790) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:358
#10 0x000efc8d in js::GetIterator (cx=0x70f8b0, obj=0x15026e0, flags=14, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:721
#11 0x000f005c in js_ValueToIterator (cx=0x70f8b0, flags=14, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:839
#12 0x000f00fd in Iterator (cx=0x70f8b0, argc=1, vp=0x10100a0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsiter.cpp:760
#13 0x000e94da in js::CallJSNative (cx=0x70f8b0, native=0xf006b <Iterator(JSContext*, unsigned int, js::Value*)>, argc=1, vp=0x10100a0) at jscntxtinlines.h:692
#14 0x000d25b5 in js::Interpret () at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsinterp.cpp:4806
#15 0x000e6084 in js::RunScript (cx=0x70f8b0, script=0x713370, fp=0x1010030) at jsinterp.cpp:657
#16 0x000e661b in js::Execute (cx=0x70f8b0, chain=0x1502028, script=0x713370, prev=0x0, flags=0, result=0xbffff6c0) at jsinterp.cpp:1024
#17 0x00023e9f in JS_ExecuteScript (cx=0x70f8b0, obj=0x1502028, script=0x713370, rval=0xbffff6c0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsapi.cpp:4932
#18 0x000168c8 in Process (cx=0x70f8b0, obj=0x1502028, filename=0x0, forceTTY=0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:548
#19 0x00017386 in ProcessArgs (cx=0x70f8b0, obj=0x1502028, argv=0xbffff858, argc=0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:951
#20 0x000174c4 in Shell (cx=0x70f8b0, argc=0, argv=0xbffff858, envp=0xbffff85c) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5464
#21 0x0001762b in main (argc=0, argv=0xbffff858, envp=0xbffff85c) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5572
blocking2.0: --- → ?
I'm going softblocker for now, since we don't know yet if this affects the web. Is autobisect running on this? A regressing changeset would help with triage.
blocking2.0: ? → betaN+
Whiteboard: [ccbr] → [ccbr][softblocker]
The first bad revision is:
changeset: aae231781a45
user: Paul Biggar
date: Mon Dec 13 16:22:59 2010 -0800
summary: Bug 612292 - Rename array allocation functions (r=lw)
Blocks: 612292
blocking2.0: betaN+ → ?
Jesse, by the renom are you saying you think this shouldn't block?
Assignee: general → pbiggar
The renom was an unintentional change. Sorry.
blocking2.0: ? → betaN+
I missed two OOM checks in the original refactoring, which this check triggered.
Attachment #502112 - Flags: review?(lw)
Comment on attachment 502112 [details] [diff] [review]
Check for missing OOM conditions

>+ if (!obj)
>+ return NULL;

4 spaces of indent here.
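Review bot: the `if (!obj) return NULL;` guard stops the null dereference the debug trace shows at jsobjinlines.h:298 (`JSObject::setArrayLength (this=0x0)` reached from `js::NewArray<true>`), but an early NULL return is only safe if every caller on that trace tests the result before using it: `NewKeyValuePair` at jsiter.cpp:168 and `ValueEnumeration::append` at jsiter.cpp:203 both sit between the array allocation and `Enumerate`, so the patch should confirm each of them propagates the failure. The assignee mentions two missed OOM checks while only one guard is quoted here, so it is worth confirming that both sites are covered in the attachment. On style, `return NULL;` should be indented one level under the `if`, as already noted.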
Attachment #502112 - Flags: review?(lw) → review+
Whiteboard: [ccbr][softblocker] → [ccbr][softblocker][fixed-in-tracemonkey]
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::NewDenseCopiedArray] [@ JSObject::getClass]
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security