Bug 916761 - Crash on Heap with ParallelArray
Status: Closed (VERIFIED FIXED), target milestone mozilla27
Opened 11 years ago, closed 11 years ago
Categories: Core :: JavaScript Engine, defect
Tracking

Branch | Tracking | Status
---|---|---
firefox24 | --- | unaffected
firefox25 | --- | unaffected
firefox26 | --- | unaffected
firefox27 | + | fixed
firefox-esr17 | --- | unaffected
firefox-esr24 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter: decoder, Assigned: jandem
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file): patch (deleted), nmatsakis: review+
The following testcase crashes on mozilla-central revision dc909122bcf5 (run with --fuzzing-safe --ion-eager):
Array.prototype[2] = '';
function toString(r) {
    var result = "";
    for (var i = 0; i < 100; i++)
        result += r.get(i);
}
toString(new ParallelArray(['x', 'x']));
Reporter, updated 11 years ago
Whiteboard: [jsbugmon:update,bisect]
Comment 1 (Reporter), 11 years ago
This looks like a null-deref, but the crash is on the heap without any symbols, so marking as s-s until triaged.
Reporter, updated 11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 (Reporter), 11 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/d660739f7498
user: Jan de Mooij
date: Fri Sep 06 13:52:16 2013 +0200
summary: Bug 913424 - IonMonkey: Handle JSOP_THIS primitive this case. r=bhackett
This iteration took 0.958 seconds to run.
Comment 3 (Reporter), 11 years ago
Needinfo from Jandem based on comment 2 :)
Flags: needinfo?(jdemooij)
Updated 11 years ago

Comment 4 (Assignee), 11 years ago
Bug 913424 may have exposed this by Ion-compiling more self-hosted PJS code (yay) but the bug itself is a regression from bug 841621.
makeInliningDecision should not return true without calling HeapTypeSet::WatchObjectStateChange (this call ensures the outer script is invalidated when types of the inlined script change).
Attachment #810572 - Flags: review?(nmatsakis)
Flags: needinfo?(jdemooij)
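As an added illustration of the invariant described in comment 4 (this is not SpiderMonkey's code; the names are simplified stand-ins for the page's makeInliningDecision and HeapTypeSet::WatchObjectStateChange, and a type set holding a single observed type is an assumption), a toy model in which approving inlining without registering the watch leaves compiled code that still assumes a stale type:

```cpp
#include <set>
#include <string>

// Toy model (not SpiderMonkey code): an outer script that inlines a callee must watch
// the callee's type set, or a later type change leaves compiled code still assuming
// the old type. Names mirror the page's functions but are simplified stand-ins.
struct Script;

struct HeapTypeSet {
    std::string type;            // the single type observed so far (simplification)
    std::set<Script*> watchers;  // compiled outer scripts that depend on `type`
    void watchObjectStateChange(Script* outer) { watchers.insert(outer); }
    void addType(const std::string& t);
};

struct Script {
    bool compiled = false;          // has Ion-compiled code
    std::string assumedCalleeType;  // type baked into the inlined callee code
    void invalidate() { compiled = false; }
};

void HeapTypeSet::addType(const std::string& t) {
    if (t == type) return;
    type = t;
    for (Script* s : watchers) s->invalidate();  // drop code specialised on the old type
}

// registerWatch == false reproduces the defect: inlining approved without the dependency.
bool makeInliningDecision(Script* outer, HeapTypeSet& callee, bool registerWatch) {
    if (registerWatch) callee.watchObjectStateChange(outer);
    return true;
}

// Compiled code is safe to run only while its baked-in type still matches reality.
bool compiledCodeIsTypeSafe(const Script& outer, const HeapTypeSet& callee) {
    return !outer.compiled || outer.assumedCalleeType == callee.type;
}

// Compile with inlining, then change the callee's observed type, as the testcase does.
bool scenario(bool registerWatch) {
    Script outer;
    HeapTypeSet callee;
    callee.type = "string";
    if (makeInliningDecision(&outer, callee, registerWatch)) {
        outer.assumedCalleeType = callee.type;  // generated code specialised on this type
        outer.compiled = true;
    }
    callee.addType("object");  // types of the inlined script change after compilation
    return compiledCodeIsTypeSafe(outer, callee);
}
```

Without the watch the outer script keeps running code specialised on a type that no longer holds; with it, the type change invalidates that code before it can run again.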
Comment 5 (Assignee), 11 years ago
PJS is disabled on aurora and beta.
status-firefox24: --- → unaffected
status-firefox25: --- → unaffected
status-firefox26: --- → unaffected
status-firefox27: --- → affected
tracking-firefox27: --- → ?
Comment 6, 11 years ago

Comment on attachment 810572 (Patch)
Review of attachment 810572:
Ah, good catch. I recall being a bit confused by a big change of structure when merging that pass, I see I missed some crucial code there at the end!
Attachment #810572 - Flags: review?(nmatsakis) → review+
Comment 7, 11 years ago
jandem, is this really just a null-deref, or should it be rated more severely, security-wise? Thanks.
Flags: needinfo?(jdemooij)
Comment 8 (Assignee), 11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/346ce9e416cb
(In reply to Andrew McCreight [:mccr8] from comment #7)
> jandem, is this really just a null-deref, or should it be rated more
> severely, security-wise? Thanks.
It's more dangerous than that, marking sec-critical.
Flags: needinfo?(jdemooij)
Keywords: sec-critical
Comment 9, 11 years ago
This is trunk only so it doesn't need sec-approval+ to go in.
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Comment 10, 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Reporter, updated 11 years ago
Status: RESOLVED → VERIFIED
Comment 11 (Reporter), 11 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated 11 years ago

Updated 10 years ago
Group: core-security