Closed Bug 969174 Opened 11 years ago Closed 11 years ago

Crash [@ compartment] with use-after-free or Opt-Crash [@ MarkInternal<JSObject>]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla31
Tracking Status
firefox29 --- disabled
firefox30 + disabled
firefox31 + verified
firefox-esr24 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- disabled
b2g-v2.0 --- fixed

People

(Reporter: decoder, Assigned: nmatsakis)

References

Details

(4 keywords, Whiteboard: [jsbugmon:origRev=6de7f6039a68,testComment=8])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1e9f169c9715 (run with --fuzzing-safe):

    gczeal(9, 2);                                  // GC zeal mode 9, frequency 2: collect very often
    function toString() {
        TypedObject.uint32.array(3);               // creates a sized array type descriptor
    }
    var o = {valueOf: undefined, toString: toString};
    for (var i = 0; i < 100; i++)
        var q = 5 + o;                             // 5 + o converts o through toString()

Debug crash trace:

    Program received signal SIGSEGV, Segmentation fault.
    compartment (this=<optimized out>) at js/src/frontend/NameFunctions.cpp:358
    358     }
    #0  compartment (this=<optimized out>) at js/src/frontend/NameFunctions.cpp:358
    #1  IsObjectValueInCompartment (comp=<optimized out>, v=...) at js/src/vm/ObjectImpl.h:1641
    #2  js::ObjectImpl::initSlot (this=0x7ffff615d0c0, slot=0, value=...) at js/src/vm/ObjectImpl.h:1367
    #3  0x00000000004dfad8 in initReservedSlot (v=..., index=0, this=<optimized out>) at js/src/jsobj.h:445
    #4  js::ArrayMetaTypeDescr::create<js::SizedArrayTypeDescr> (cx=0x1831f70, arrayTypePrototype=..., arrayTypeReprObj=..., elementType=...) at js/src/builtin/TypedObject.cpp:550
    #5  0x00000000004c2b51 in js::UnsizedArrayTypeDescr::dimension (cx=0x1831f70, argc=<optimized out>, vp=0x182e318) at js/src/builtin/TypedObject.cpp:669
    #6  0x00000000009210a1 in js::CallJSNative (cx=0x1831f70, native=0x4c2870 <js::UnsizedArrayTypeDescr::dimension(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:220
    #7  0x000000000090e30d in js::Invoke (cx=0x1831f70, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:466
    rax            0xdadadada       -2676586395008836902
    rip            0x4db271 <js::ObjectImpl::initSlot(unsigned int, JS::Value const&)+257>
    => 0x4db271 <js::ObjectImpl::initSlot(unsigned int, JS::Value const&)+257>:  mov    (%rax),%rax

Marked s-s due to use-after-free.
Crash Signature: [@ compartment] with use-after-free or Opt-Crash [@ MarkInternal<JSObject>] → [@ compartment] [@ MarkInternal<JSObject>]
Whiteboard: [jsbugmon:update,bisect]
I'm still seeing this on tip, needinfo from :nmatsakis because this is related to TypedObject.
Flags: needinfo?(nmatsakis)
Assignee: nobody → nmatsakis
Flags: needinfo?(nmatsakis)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 18e7634d4094).
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
So far I've only succeeded in reducing the test case to:

    gczeal(9, 2);                                  // GC zeal mode 9, frequency 2
    function toString() {
        TypedObject.uint32.array(3);               // creates a sized array type descriptor
    }
    for (var i = 0; i < 100; i++)
        toString();

Removing any part of this, including the intermediate function toString(), seems to remove the crash.
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/22d628a02331
user:        Nicholas D. Matsakis
date:        Thu Jan 30 15:21:02 2014 -0500
summary:     Bug 966575 part 9 -- Remove unused type object r=sfink

This iteration took 351.294 seconds to run.
I was investigating this more. Clearly this is a bug with the weak pointer support for type representations. I can dig more into this, however I'm inclined not to, because this bug is also fixed by the patches currently under review for bug 966575.
Depends on: 966575
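The failure class Niko names above (a weak pointer to a type representation that is not cleared when its referent is collected, so a later initSlot dereferences freed memory) as an added C illustration. This is a toy mark-sweep heap written for this page, not SpiderMonkey code and not part of this bug's history; the names gc_sweep, weak_table, weak_deref and the two scenario functions are invented here, and the 0xDA poison byte is chosen only to match the 0xdadadada value in rax in the reporter's trace.

```c
/* Toy mark-sweep heap with a weak-reference table (added illustration). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_OBJS     8
#define FREE_PATTERN 0xDA   /* poison written over swept cells */

typedef struct Obj {
    bool marked;
    int  payload;
} Obj;

static Obj  heap[MAX_OBJS];
static bool cell_live[MAX_OBJS];    /* allocator metadata, kept outside the cell */
static Obj *roots[MAX_OBJS];        /* strong references: keep referents alive */
static int  nroots;
static Obj *weak_table[MAX_OBJS];   /* weak references: must NOT keep referents alive */

static void heap_reset(void)
{
    memset(heap, 0, sizeof heap);
    memset(cell_live, 0, sizeof cell_live);
    memset(roots, 0, sizeof roots);
    memset(weak_table, 0, sizeof weak_table);
    nroots = 0;
}

/* First-fit allocation over dead cells; NULL when the heap is full. */
static Obj *gc_alloc(int payload)
{
    for (int i = 0; i < MAX_OBJS; i++) {
        if (!cell_live[i]) {
            cell_live[i] = true;
            heap[i].marked = false;
            heap[i].payload = payload;
            return &heap[i];
        }
    }
    return NULL;
}

/* Mark everything reachable from the strong roots (no object-to-object edges in this toy). */
static void gc_mark(void)
{
    for (int i = 0; i < nroots; i++)
        roots[i]->marked = true;
}

/* Sweep unmarked cells. With clear_weak_refs == false the weak table is left
 * pointing at poisoned memory: the defect pattern behind this bug. */
static void gc_sweep(bool clear_weak_refs)
{
    for (int i = 0; i < MAX_OBJS; i++) {
        if (!cell_live[i]) continue;
        if (heap[i].marked) { heap[i].marked = false; continue; }
        if (clear_weak_refs)
            for (int w = 0; w < MAX_OBJS; w++)
                if (weak_table[w] == &heap[i]) weak_table[w] = NULL;
        memset(&heap[i], FREE_PATTERN, sizeof heap[i]);
        cell_live[i] = false;
    }
}

/* Classify a weak-table slot: 1 = live object (payload stored in *out),
 * 0 = cleared, -1 = dangling pointer into a swept (poisoned) cell. */
static int weak_deref(int slot, int *out)
{
    Obj *o = weak_table[slot];
    if (o == NULL) return 0;
    if (!cell_live[o - heap]) return -1;
    *out = o->payload;
    return 1;
}

/* Scenario: 'a' is rooted, 'b' is only weakly referenced, then GC runs.
 * Returns the weak_deref status of the slot that held 'b'. */
static int scenario_after_gc(bool fixed)
{
    heap_reset();
    Obj *a = gc_alloc(1), *b = gc_alloc(2);
    roots[nroots++] = a;
    weak_table[0] = a;
    weak_table[1] = b;
    gc_mark();
    gc_sweep(fixed);
    int unused;
    return weak_deref(1, &unused);
}

/* Same scenario, then a fresh allocation reuses b's cell. Returns the payload
 * now visible through the stale slot, or -1 if the slot was correctly cleared. */
static int scenario_after_reuse(bool fixed)
{
    scenario_after_gc(fixed);
    gc_alloc(99);                  /* lands in the cell 'b' occupied */
    int seen = -1;
    return weak_deref(1, &seen) == 1 ? seen : -1;
}

int main(void)
{
    printf("fixed sweep : status %d, after reuse %d\n", scenario_after_gc(true),  scenario_after_reuse(true));
    printf("buggy sweep : status %d, after reuse %d\n", scenario_after_gc(false), scenario_after_reuse(false));
    return 0;
}
```

The buggy sweep shows both stages of the bug as reported: immediately after the collection the weak slot points into poisoned memory (the 0xdadadada read in the trace), and once the allocator hands the cell out again the same slot silently aliases an unrelated object, which is the type-confusion path a use-after-free usually turns into. The fix is the invariant that sweeping a cell also clears every weak reference to it.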
Here's a test that still reproduces on tip (Revision 6de7f6039a68):

    gczeal(8, 1);                                  // GC zeal mode 8, frequency 1
    try {
        function TestCase( ... a ) {}
        for (var i = 0; i < 2; ++i)
            TypedObject.uint32.array(3);           // creates a sized array type descriptor
    } catch(exc1) {}
Whiteboard: [jsbugmon:] → [jsbugmon:update,origRev=6de7f6039a68,testComment=8]
Group: javascript-core-security
Hi Niko, have all the bug 966575 patches landed? I'm guessing not based on comment 7 + comment 8.
Flags: needinfo?(nmatsakis)
The remaining two patches have not landed due to a lingering ASAN failure I observe on try but haven't been able to reproduce locally. I really want to land them since I have other patches gated on them as well, so I will try to prioritize diagnosing that problem next week. I need to find an appropriate machine to run the tests on.
Flags: needinfo?(nmatsakis)
Update: I've resolved the failure that was blocking bug 966575, but waiting on review.
Whiteboard: [jsbugmon:update,origRev=6de7f6039a68,testComment=8] → [jsbugmon:update,origRev=6de7f6039a68,testComment=8,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5b6e82e7bbbf).
Whiteboard: [jsbugmon:update,origRev=6de7f6039a68,testComment=8,ignore] → [jsbugmon:origRev=6de7f6039a68,testComment=8,bisectfix]
Whiteboard: [jsbugmon:origRev=6de7f6039a68,testComment=8,bisectfix] → [jsbugmon:origRev=6de7f6039a68,testComment=8]
JSBugMon: Fix Bisection requested, result:

=== Tinderbox Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20140401044332" and the hash "5641d9a1653f".
The "good" changeset has the timestamp "20140401052932" and the hash "e06713a76a41".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5641d9a1653f&tochange=e06713a76a41
Fixed by bug 966575 :)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Target Milestone: --- → mozilla31
Group: javascript-core-security
Group: core-security → core-security-release
Group: core-security-release