Closed
Bug 1142993
Opened 10 years ago
Closed 10 years ago
Assertion failure: !has(tmp), at /mozilla/builds/nightly/mozilla/js/src/jit/RegisterSets.h:392
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
 | Tracking | Status |
---|---|---|
firefox38 | --- | unaffected |
firefox39 | + | fixed |
firefox40 | --- | fixed |
firefox-esr31 | --- | unaffected |
firefox-esr38 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
b2g-master | --- | fixed |
People
(Reporter: cbook, Assigned: nbp)
References
()
Details
(Keywords: assertion, sec-high)
Attachments
(2 files)
Found via Bughunter and reproduced on a Mac OS 10.9 Trunk Build based on mozilla-central tip
Note: on Windows Bughunter reports this as medium exploitable
Steps to reproduce:
-> Load https://vimeo.com/11892211
--> Assertion failure: !has(tmp), at /mozilla/builds/nightly/mozilla/js/src/jit/RegisterSets.h:392
Reporter
Comment 1•10 years ago
Reporter
Comment 2•10 years ago
Comment 3•10 years ago
This seems to be a regression from bug 1140737, but I don't really understand why we're asserting. Maybe a register aliasing issue. The code looks fine to me though...
bz, do you want to take a look? Else I can debug it.
status-firefox39:
--- → affected
tracking-firefox39:
--- → ?
Updated•10 years ago
Flags: needinfo?(jdemooij)
Assignee
Comment 4•10 years ago
Can this issue be reproduced with Bug 1143011?
Updated•10 years ago
Comment 5•10 years ago
Based on comment 3 I will mark 38 as unaffected. It sounds like a regression in 39.
status-firefox38:
--- → unaffected
Assignee
Comment 6•10 years ago
Do we still have new reports since Bug 1143011 landed on mozilla-central?
Flags: needinfo?(cbook)
Reporter
Comment 7•10 years ago
(In reply to Nicolas B. Pierron [:nbp] from comment #6)
> Do we still have new reports since Bug 1143011 landed on mozilla-central?
yeah does not crash anymore on my testcase \o/
Flags: needinfo?(cbook)
Assignee
Comment 8•10 years ago
(In reply to Carsten Book [:Tomcat] from comment #7)
> (In reply to Nicolas B. Pierron [:nbp] from comment #6)
> > Do we still have new reports since Bug 1143011 landed on mozilla-central?
>
> yeah does not crash anymore on my testcase \o/
Good :)
The patch got backed out from aurora (Bug 1149377), so it might be broken on aurora.
I am waiting for tens of PGO build results to find where PGO is failing.
Comment 9•10 years ago
Clearing needinfo, bug 1143011 should have fixed this.
Flags: needinfo?(jdemooij)
Reporter
Comment 10•10 years ago
Yes, marking fixed for Firefox 40 by bug 1143011 - for Fx39 this needs to be landed on aurora, where it's currently backed out.
Updated•10 years ago
Assignee: nobody → nicolas.b.pierron
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-master:
--- → fixed
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → unaffected
Flags: in-testsuite?
Target Milestone: --- → mozilla39
Updated•10 years ago
Group: core-security