Assertion failure: tag <= CalleeToken_Script, at jit/IonFrames.h:32 or Assertion failure: false (MOZ_ASSERT_UNREACHABLE: invalid callee token tag), at jit/IonFrames.h:72

VERIFIED FIXED in Firefox 33, Firefox OS v2.1

Status


--
critical
VERIFIED FIXED
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: nbp)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla34
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox32 unaffected, firefox33 fixed, firefox34 verified, firefox-esr24 unaffected, firefox-esr31 unaffected, b2g-v1.3 unaffected, b2g-v1.3T unaffected, b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.1 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

4 years ago
The following testcase asserts on mozilla-central revision 005424a764da (run with --no-threads --fuzzing-safe):


a = {}
b = __proto__
for (i = 0; i < 9000; i++) {
    __proto__ &=  a
    a.__proto__ = b
}
(Reporter)

Comment 1

4 years ago
Marked s-s because the assertions sound possibly security-related.
status-firefox34: --- → affected
Whiteboard: [jsbugmon:update,bisect]
(Assignee)

Updated

4 years ago
Blocks: 1033873
(Assignee)

Comment 2

4 years ago
Created attachment 8466267 [details]
bug analysis

Two NameIC::update calls; the failure happens in the second one.
The likely cause of the failure is a bad stub which does not correctly balance the stack.

The descriptor is interpreted as a CalleeToken, thus the produced IC stub does one extra push which is not balanced.

The issue is in the fix made for Bug 1033873.
(Assignee)

Comment 3

4 years ago
Created attachment 8466277 [details] [diff] [review]
Balance stack in failures cases.
Attachment #8466277 - Flags: review?(efaustbmo)
(Assignee)

Comment 4

4 years ago
Created attachment 8466279 [details] [diff] [review]
Balance stack in failures cases.

(Compiling version)
Fixes this test case and Bug 1046675.
Attachment #8466277 - Attachment is obsolete: true
Attachment #8466277 - Flags: review?(efaustbmo)
Attachment #8466279 - Flags: review?(efaustbmo)
(Assignee)

Updated

4 years ago
Duplicate of this bug: 1046675

Comment 6

4 years ago
Comment on attachment 8466279 [details] [diff] [review]
Balance stack in failures cases.

Review of attachment 8466279 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, my bad. Thanks for fixing this. r=me
Attachment #8466279 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/e77250bf9c07
Assignee: nobody → nicolas.b.pierron
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-b2g-v1.3: --- → unaffected
status-b2g-v1.3T: --- → unaffected
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.1: --- → fixed
status-firefox32: --- → unaffected
status-firefox34: affected → fixed
status-firefox-esr24: --- → unaffected
status-firefox-esr31: --- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
(Reporter)

Updated

4 years ago
Status: RESOLVED → VERIFIED
status-firefox34: fixed → verified
(Reporter)

Comment 9

4 years ago
JSBugMon: This bug has been automatically verified fixed.
The fix for this was included in the backport of bug 1033873 to beta in order to fix bug 1067153.
https://hg.mozilla.org/releases/mozilla-beta/rev/2dbe6d8a5c30
status-firefox33: unaffected → fixed
Group: core-security