Closed
Bug 1192399
Opened 10 years ago
Closed 10 years ago
Crash due to Assertion failure: i < argc_, at dist/include/js/CallArgs.h:296
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WONTFIX
People
(Reporter: spandan.veggalam, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150629114049
Steps to reproduce:
mozilla-central revision 892594bdad30 (build with: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug)
function toint32() {
  var ToInteger = getSelfHostedValue("ToInteger");
  var result = ToInteger({
    set: ToInteger()
  });
  assertEq((assertEq(4294967295 >>> -15.1)), 0);
}
toint32();
Actual results:
Assertion failure: i < argc_, at ../../dist/include/js/CallArgs.h:296
Expected results:
Error: assertEq: not enough arguments
Comment 1•10 years ago
By design -- for testing purposes *only* -- getSelfHostedValue lets you access internal functions that aren't for unrestricted public use. Extract UnsafeSetReservedSlot this way, for example, and you'll have a function that is *very much not safe to use on any old object*. That's okay. We use it internally, in places where it *does* happen to be safe, and in no other places.
ToInteger is more usable than UnsafeSetReservedSlot, for sure. But it nonetheless too is user-unfriendly in a very particular way: it *must* be called with at least one argument. (And really, we could assert harder and require that *exactly* one argument be passed, if we wanted.) When you call it with no arguments, you trigger an internal assertion indicating this internal method is being misused.
Keep reporting bugs -- it's great to know when we screw stuff up! But please ensure your testcases aren't calling getSelfHostedValue, because this function exposes internals that are *not* meant for public consumption, and it itself isn't exposed for public consumption, either. (The shell is our own little testing playground, not something we consider for "public consumption".) One way to do this is to pass the argument --fuzzing-safe to the shell, which will remove all such unsafe functions to give you something that's fine to play in to discover exploits.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Updated•9 years ago
|
Resolution: INVALID → WONTFIX
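
A triage step a fuzzing harness could run before filing, following the guidance in comment 1 (an added example, not part of the bug report or of Mozilla's tooling): it buckets the assertion line and flags testcases that reference getSelfHostedValue. The function names and the UNSAFE_SHELL_FUNCS set are assumptions; the testcase and assertion text are copied from the report above.

```python
import re

# Testing-only shell functions named on this page (assumed set; extend as needed).
UNSAFE_SHELL_FUNCS = {"getSelfHostedValue"}
ASSERT_RE = re.compile(r"Assertion failure: (?P<cond>.+), at (?P<path>\S+):(?P<line>\d+)")

# Heuristic: comments and string literals, so names inside them are ignored.
SKIP_RE = re.compile(
    r"//[^\n]*|/\*.*?\*/|\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`",
    re.DOTALL)

def unsafe_calls(js_source):
    """Return testing-only functions referenced outside comments and strings."""
    code = SKIP_RE.sub(" ", js_source)
    idents = set(re.findall(r"[A-Za-z_$][\w$]*", code))
    return sorted(idents & UNSAFE_SHELL_FUNCS)

def assertion_signature(stderr_text):
    """Parse a debug-build assertion line into (condition, file, line)."""
    m = ASSERT_RE.search(stderr_text)
    if not m:
        return None
    # Drop leading ../ or ./ so differently rooted builds share one bucket.
    path = re.sub(r"^(?:\.\./|\./)+", "", m.group("path"))
    return (m.group("cond"), path, int(m.group("line")))

def triage(js_source, stderr_text):
    """Decide whether a crash is worth filing, per the guidance in comment 1."""
    sig = assertion_signature(stderr_text)
    unsafe = unsafe_calls(js_source)
    if sig is None:
        return ("no-assertion", sig, unsafe)
    if unsafe:
        return ("discard: rerun with --fuzzing-safe", sig, unsafe)
    return ("file", sig, unsafe)

# Testcase and assertion output copied from the report above.
TESTCASE = """function toint32() {
var ToInteger = getSelfHostedValue("ToInteger");
var result = ToInteger({
set: ToInteger()
});
assertEq((assertEq(4294967295 >>> -15.1)), 0);
}
toint32();"""
STDERR = "Assertion failure: i < argc_, at ../../dist/include/js/CallArgs.h:296"

if __name__ == "__main__":
    print(triage(TESTCASE, STDERR))
```

The path normalisation puts the `../../dist/...` form from the actual results and the `dist/...` form from the bug title into the same bucket.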