Bug 883972 (Closed)
Opened 11 years ago, closed 11 years ago
Assertion failure: hasArgs(), at ../vm/Stack.h:514 or Assertion failure: script->function(), at jsscript.cpp:2852 or Crash [@ js::ArgumentsObject::create<CopyFrameArgs>]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 883623
People: Reporter: decoder, Unassigned
Details: 4 keywords, Whiteboard: [jsbugmon:]
Attachments: 1 file, 2 obsolete files (2.69 KB, text/plain)

Description (Reporter)
The following testcase asserts on mozilla-central revision 36da3cb92193 (no options required):

    function test() {
      eval("\
        o = {\
          x : arguments.length\
        };\
        with(o) {}\
      ");
    }
    test();
Comment 1 (Reporter) • 11 years ago

Comment 2 (Reporter) • 11 years ago
This seems to be s-s. A slightly different test crashes opt:

    function test() {
      eval("\
        var o = {\
          x : arguments['4294967295']\
        };\
        with(o){}\
      ");
    }
    test();

    Program received signal SIGSEGV, Segmentation fault.
    js::ArgumentsObject::create<CopyFrameArgs> (cx=0x162e510, script=0x7ffff5e51280, callee=(JSFunction * const) 0x7ffff5e5f240 [object Function "test"], numActuals=4125430400, copy=...) at js/src/vm/ArgumentsObject.cpp:212
    212         copy.copyArgs(cx, dst, numArgs);
    #0  js::ArgumentsObject::create<CopyFrameArgs> (cx=0x162e510, script=0x7ffff5e51280, callee=(JSFunction * const) 0x7ffff5e5f240 [object Function "test"], numActuals=4125430400, copy=...) at js/src/vm/ArgumentsObject.cpp:212
    #1  0x0000000000877159 in js::ArgumentsObject::createExpected (cx=<optimized out>, frame=...) at js/src/vm/ArgumentsObject.cpp:242
    #2  0x00000000005e9aff in JSScript::argumentsOptimizationFailed (cx=0x162e510, script=0x7ffff5e51280) at js/src/jsscript.cpp:2907
    #3  0x0000000000457a87 in GetElemOptimizedArguments (done=<synthetic pointer>, res=$jsmagic(JS_OPTIMIZED_ARGUMENTS), rref=$jsval(4294967295), lref=$jsmagic(JS_OPTIMIZED_ARGUMENTS), frame=..., cx=0x162e510) at ../vm/Interpreter-inl.h:841
    #4  GetElementOperation (res=$jsmagic(JS_OPTIMIZED_ARGUMENTS), rref=$jsval(4294967295), lref=$jsmagic(JS_OPTIMIZED_ARGUMENTS), op=JSOP_GETELEM, cx=0x162e510) at ../vm/Interpreter-inl.h:869
    #5  Interpret (cx=0x162e510, entryFrame=<optimized out>) at js/src/vm/Interpreter.cpp:2101
    #6  0x000000000045a8ea in js::RunScript (cx=0x162e510, fp=0x7ffff60ee128) at js/src/vm/Interpreter.cpp:348
    #7  0x000000000045af18 in js::ExecuteKernel (cx=0x162e510, script=0xe000007ffff5e608, scopeChainArg=..., thisv=..., type=<optimized out>, evalInFrame=..., result=0x7ffff60ee100) at js/src/vm/Interpreter.cpp:533
    rsi            0x46e64d28          140704318115112
    rdi            0x27fac030          140733864132656
    => 0x876b40 <js::ArgumentsObject::create<CopyFrameArgs>(JSContext*, JS::HandleScript, JS::HandleFunction, unsigned int, CopyFrameArgs&)+528>:   movsq  %ds:(%rsi),%es:(%rdi)

The test also asserts in debug builds with this assertion:

    Assertion failure: script->function(), at jsscript.cpp:2852

I'll update the signature in a few.
Group: core-security
Crash Signature: [@ js::ArgumentsObject::create<CopyFrameArgs>]
Keywords: crash
Summary: Assertion failure: hasArgs(), at ../vm/Stack.h:514 → Assertion failure: hasArgs(), at ../vm/Stack.h:514 or Assertion failure: script->function(), at jsscript.cpp:2852 or Crash [@ js::ArgumentsObject::create<CopyFrameArgs>]
Whiteboard: [jsbugmon:update,bisect]
Comment 3 (Reporter) • 11 years ago

Attachment #763695 - Attachment is obsolete: true

Comment 4 (Reporter) • 11 years ago

Attachment #763713 - Attachment is obsolete: true
Updated (Reporter) • 11 years ago
Crash Signature: [@ js::ArgumentsObject::create<CopyFrameArgs>] → [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments]
Keywords: sec-critical
Comment 5 (Reporter) • 11 years ago

This might already be fixed on tip (could be a dup), so let's wait and see what JSBugMon says.
Updated (Reporter) • 11 years ago
Crash Signature: [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments] → [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 6 (Reporter) • 11 years ago

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b7175c5829b5).

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user:      Brian Hackett
date:      Fri Jun 14 05:58:28 2013 -0600
summary:   Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.

This iteration took 332.219 seconds to run.
Updated (Reporter) • 11 years ago
Crash Signature: [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments] → [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments]
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated (Reporter) • 11 years ago
Crash Signature: [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments] → [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 7 (Reporter) • 11 years ago

JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/8a22078d93b2
user:      Brian Hackett
date:      Sun Jun 16 07:12:20 2013 -0600
summary:   Bug 883623 - Check free variables within eval'ed code before restarting processing of top level statements in the eval.

This iteration took 322.343 seconds to run.
Comment 8 (Reporter) • 11 years ago

Indeed a dup of bug 883623, only on central and fixed.
Group: core-security
Status: NEW → RESOLVED
Crash Signature: [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments] → [@ js::ArgumentsObject::create<CopyFrameArgs>]
[@ unaliasedActual]
[@ CopyStackFrameArguments]
Closed: 11 years ago
Resolution: --- → DUPLICATE