Closed
Bug 1046597
Opened 10 years ago
Closed 10 years ago
Assertion failure: tag <= CalleeToken_Script, at jit/IonFrames.h:32 or Assertion failure: false (MOZ_ASSERT_UNREACHABLE: invalid callee token tag), at jit/IonFrames.h:72
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla34
| Tracking | Status | |
|---|---|---|
| firefox32 | --- | unaffected |
| firefox33 | --- | fixed |
| firefox34 | --- | verified |
| firefox-esr24 | --- | unaffected |
| firefox-esr31 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.3T | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.1 | --- | fixed |
People
(Reporter: decoder, Assigned: nbp)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(2 files, 1 obsolete file)
|
6.19 KB,
text/plain
|
Details | |
|
2.32 KB,
patch
|
efaust
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 005424a764da (run with --no-threads --fuzzing-safe):
a = {}
b = __proto__
for (i = 0; i < 9000; i++) {
__proto__ &= a
a.__proto__ = b
}
|
Reporter | |
Comment 1•10 years ago
|
||
Marked s-s because the assertions sound possibly security-related.
status-firefox34:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
|
Assignee | |
Comment 2•10 years ago
|
||
2 NameIC::update calls, the failure happens in the second one. Likely cause of failure is a bad stub which does not correctly balance the stack. The descriptor is interpreted as a CalleeToken, thus the produced IC stub does one extra push which is not balanced. The issue is in the fix made for Bug 1033873.
|
|
Assignee | |
Comment 3•10 years ago
|
||
Attachment #8466277 -
Flags: review?(efaustbmo)
|
|
Assignee | |
Comment 4•10 years ago
|
||
(Compiling version) Fix this test case and Bug 1046675.
Attachment #8466277 -
Attachment is obsolete: true
Attachment #8466277 -
Flags: review?(efaustbmo)
Attachment #8466279 -
Flags: review?(efaustbmo)
|
||
Comment 6•10 years ago
|
||
Comment on attachment 8466279 [details] [diff] [review] Balance stack in failures cases. Review of attachment 8466279 [details] [diff] [review]: ----------------------------------------------------------------- Yeah, my bad. Thanks for fixing this. r=me
Attachment #8466279 -
Flags: review?(efaustbmo) → review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e77250bf9c07
status-firefox33:
--- → unaffected
|
||
Comment 8•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e77250bf9c07
Assignee: nobody → nicolas.b.pierron
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.1:
--- → fixed
status-firefox32:
--- → unaffected
status-firefox-esr24:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
|
|
Reporter | |
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 9•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Comment 10•10 years ago
|
||
The fix for this was included in the backport of bug 1033873 to beta in order to fix bug 1067153. https://hg.mozilla.org/releases/mozilla-beta/rev/2dbe6d8a5c30
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•