Closed Bug 1308575 Opened 9 years ago Closed 9 years ago

Assertion failure: begin + len <= length(), at js/src/jsscript.cpp:1575 with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1161312
Tracking Status
firefox52 --- wontfix

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision ea104eeb14cc (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off min.js):

var g = newGlobal();
var dbg = new Debugger;
var gw = dbg.addDebuggee(g);
g.evaluate("function f(x) { return 2*x; }", new RangeError());
var fw = gw.getOwnPropertyDescriptor('f').value;

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x08618f39 in js::ScriptSource::chars (this=0xf13742c0, cx=0xf792d000, holder=..., begin=55, len=19) at js/src/jsscript.cpp:1575
#0  0x08618f39 in js::ScriptSource::chars (this=0xf13742c0, cx=0xf792d000, holder=..., begin=55, len=19) at js/src/jsscript.cpp:1575
#1  0x085731d2 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0xf792d000, fun=...) at js/src/jsfun.cpp:1498
#2  0x080a3029 in JSFunction::getOrCreateScript (this=0xf1589740, cx=0xf792d000) at js/src/jsfun.h:396
#3  0x08572ed8 in js::LazyScript::functionDelazifying (cx=0xf792d000, this=<optimized out>) at js/src/jsscriptinlines.h:81
#4  JSFunction::createScriptForLazilyInterpretedFunction (cx=0xf792d000, fun=...) at js/src/jsfun.cpp:1455
#5  0x086b8c3c in JSFunction::getOrCreateScript (cx=0xf792d000, this=<optimized out>) at js/src/jsfun.h:396
#6  EnsureFunctionHasScript (fun=..., cx=0xf792d000) at js/src/vm/Debugger.cpp:225
#7  js::Debugger::wrapDebuggeeObject (this=0xf795a000, cx=0xf792d000, obj=..., result=...) at js/src/vm/Debugger.cpp:1165
#8  0x086b9199 in js::Debugger::wrapDebuggeeValue (this=0xf795a000, cx=0xf792d000, vp=...) at js/src/vm/Debugger.cpp:1121
#9  0x086bf517 in js::DebuggerObject::getOwnPropertyDescriptor (cx=0xf792d000, object=..., id=..., desc=...) at js/src/vm/Debugger.cpp:9773
#10 0x086bf836 in js::DebuggerObject::getOwnPropertyDescriptorMethod (cx=0xf792d000, argc=1, vp=0xf1220060) at js/src/vm/Debugger.cpp:8963
#11 0x0874f63b in js::CallJSNative (cx=0xf792d000, native=0x86bf6c0 <js::DebuggerObject::getOwnPropertyDescriptorMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
[...]
#25 main (argc=4, argv=0xffffd8b4, envp=0xffffd8c8) at js/src/shell/js.cpp:7848

eax 0x0        0
ebx 0x13       19
ecx 0xf7da4864 -136689564
edx 0x0        0
esi 0x37       55
edi 0x4a       74
ebp 0xffffc918 4294953240
esp 0xffffc890 4294953104
eip 0x8618f39  <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned int, unsigned int)+953>
=> 0x8618f39 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned int, unsigned int)+953>: movl $0x0,0x0
   0x8618f43 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned int, unsigned int)+963>: ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160923033900" and the hash "c4d91d17c8ed2e385f4a4a3d97f861eee722626f".
The "bad" changeset has the timestamp "20160923040159" and the hash "52459cfd15765aa82ff26501b9c1a56272d49f0d".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c4d91d17c8ed2e385f4a4a3d97f861eee722626f&tochange=52459cfd15765aa82ff26501b9c1a56272d49f0d
Jan, is bug 1304390 a likely regressor here?
Flags: needinfo?(jdemooij)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> Jan, is bug 1304390 a likely regressor here?

The assert may be new but the underlying issue is pre-existing, bug 1161312 :(

Marking this sec-audit like bug 1161312. As mentioned in that bug, this is probably shell-only.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Keywords: sec-audit
Resolution: --- → DUPLICATE
Group: javascript-core-security