Closed Bug 976697 Opened 11 years ago Closed 11 years ago

Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla30
Tracking Status
firefox29 --- unaffected
firefox30 --- verified
firefox-esr24 --- unaffected

People

(Reporter: gkw, Assigned: nmatsakis)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(3 files)

Attached file stack (deleted) —
x = ArrayBuffer(); neuter(x); Uint32Array(x); gc();

asserts js debug shell on m-c changeset 1507f021ac93 without any CLI arguments at

Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp

This happens fairly often, so setting as [fuzzblocker], and setting s-s because this involves gc.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/03355461606c
user: Nicholas D. Matsakis
date: Fri Feb 21 12:32:24 2014 -0500
summary: Bug 975456 -- Preserve invariant that views on a neutered buffer have a NULL data pointer r=shu
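The reporter's test case builds a typed array over a buffer that has already been neutered (today's term is "detached"). The following is an added example, not code from this bug or its attachments, showing what script can observe of that invariant in a current engine: once a buffer is detached, the buffer and any existing view report length 0, element reads yield undefined rather than stale memory, and the exact shape from the reproducer, constructing a new view over the detached buffer, now throws a TypeError per the ECMAScript spec instead of producing a view with a dangling data pointer. It assumes Node.js 17+ so that structuredClone with a transfer list is available to detach the buffer; the shell-only neuter() and gc() calls from the report have no equivalent here and are left out.

```javascript
// Added example (not from the bug's attachments). Assumes Node.js 17+ for
// structuredClone(); neuter()/gc() from the js shell have no counterpart here.

function detach(buf) {
  // Transferring a buffer into a structured clone detaches the original:
  // its byteLength becomes 0 and its backing store moves to the copy.
  return structuredClone(buf, { transfer: [buf] });
}

function probeDetachedBuffer() {
  const buf = new ArrayBuffer(16);
  const view = new Uint32Array(buf);
  view[0] = 0xdeadbeef; // marker so we can see the data moved, not leaked

  const copy = detach(buf);

  // The reporter's shape: a new view over an already-neutered buffer.
  let constructThrows = false;
  try {
    new Uint32Array(buf);
  } catch (e) {
    constructThrows = e instanceof TypeError;
  }

  // Any operation that needs the old backing store must fail the same way.
  let sliceThrows = false;
  try {
    buf.slice(0);
  } catch (e) {
    sliceThrows = e instanceof TypeError;
  }

  return {
    bufferByteLength: buf.byteLength, // 0: detached buffer owns no memory
    viewLength: view.length,          // 0: pre-existing view is neutered too
    viewByteLength: view.byteLength,  // 0
    firstElement: view[0],            // undefined, never the old 0xdeadbeef
    constructThrows,                  // true in spec-conforming engines
    sliceThrows,                      // true
    copyFirstElement: new Uint32Array(copy)[0], // 0xdeadbeef: data travelled
  };
}
```

A byteLength of 0 on its own does not prove detachment (an empty buffer looks the same); the TypeError on construction and on slice() is the unambiguous signal. Engines get this right only if every path that creates or resizes a view consults the detached state, which is exactly the path the patch on this bug adds.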
Flags: needinfo?
Flags: needinfo?
Didn't mean to reset the flag, assuming Gary wanted to add Niko.
Flags: needinfo?(nmatsakis)
Assignee: nobody → nmatsakis
Flags: needinfo?(nmatsakis)
Looks like fallout from bug 975456, I'll look into it.
Indeed, I didn't consider the case where you instantiate a new typed array atop a neutered buffer. Sigh.
Attached patch Bug976697.diff (deleted) — Splinter Review
Attachment #8382294 - Flags: review?(sphink)
Comment on attachment 8382294 [details] [diff] [review]
Bug976697.diff

Review of attachment 8382294 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/TypedObject/bug976697.js
@@ +1,2 @@
> +// Test that instantiating a typed array on top of a neutered buffer
> +// doesn't trip any asserts.

Public domain. Looks like the standard fancy way to do this is

/*
 * Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/licenses/publicdomain/
 */

Though a number of tests don't have a prefix at all. One or the other.
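Review bot: the header comment in the +1,2 hunk says the test only checks that no asserts trip, which means an opt build (no --enable-debug) would pass even if the neutered-buffer case regressed; suggest the test also assert the observable state of the view produced by Uint32Array(x) over a neutered x (its length and byteLength), so the invariant from bug 975456 that views on a neutered buffer carry no live data is checked regardless of build configuration.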
Attachment #8382294 - Flags: review?(sphink) → review+
Try run (green, as far as I can tell): https://tbpl.mozilla.org/?tree=Try&rev=a6d2715798c8
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx30
Group: core-security