Closed Bug 1217645 Opened 9 years ago Closed 9 years ago

Assertion failure: Modified registers between VM call and OsiPoint, at js/src/jit/MacroAssembler.cpp:1531

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1217593
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

The following testcase crashes on mozilla-central revision daa7d98525e8 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --no-threads --ion-eager):

try {
  function f() { return this === fnGlobalObject(); };
  if (!((function(test) { return f.bind()(); })())) {}
} catch (exc0) {}
enableOsiPointRegisterChecks();
for (var i = 0; Number < f(); i++)
  a[i] = --obj[name];

Backtrace:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7fbf767 in ?? ()
#0  0x00007ffff7fbf767 in ?? ()
#1  0x00007ffff7e61060 in ?? ()
#2  0xfffc7ffff7e61060 in ?? ()
#3  0x0000000000000005 in ?? ()
#4  0x0000000000000001 in ?? ()
#5  0x00007fffffffc460 in ?? ()
#6  0x00007fffffffc4b0 in ?? ()
#7  0x00007ffff7fe8bcd in ?? ()
#8  0x0000000000000404 in ?? ()
#9  0x00007ffff7e7d100 in ?? ()
#10 0x0000000000000000 in ?? ()
rax            0x7fffffffc3a0      140737488339872
rbx            0x7fffffffc310      140737488339728
rcx            0xfffc7ffff7e61060  -985162554404768
rdx            0x7ffff6907418      140737330050072
rsi            0x7fffffffc130      140737488339248
rdi            0x7ffff7e61060      140737352437856
rbp            0x7fffffffc240      140737488339520
rsp            0x7fffffffc1b0      140737488339376
r8             0x7ffff7e7d100      140737352552704
r9             0x0                 0
r10            0x7fffffffc1b0      140737488339376
r11            0x7ffff6c27960      140737333328224
r12            0x8                 8
r13            0x7fffffffc930      140737488341296
r14            0x404               1028
r15            0x7ffff6907400      140737330050048
rip            0x7ffff7fbf767      140737353873255
=> 0x7ffff7fbf767:      pop    %rax
   0x7ffff7fbf768:      mov    %rcx,0x18(%rsp)

Marking s-s because this assertion could indicate security problems and fuzzblocker because it occurs fairly often and we can't find any other issues with the same assert because there is no stack for these.
In fact, gkw already filed it as it seems :)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security
Keywords: sec-high