Bug 1308575 (Closed)
Opened 9 years ago; closed 9 years ago
Assertion failure: begin + len <= length(), at js/src/jsscript.cpp:1575 with Debugger
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1161312

| Tracking | Status
---|---|---
firefox52 | --- | wontfix

People: Reporter: decoder, Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:update]
The following testcase crashes on mozilla-central revision ea104eeb14cc (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off min.js):
```js
var g = newGlobal();
var dbg = new Debugger;
var gw = dbg.addDebuggee(g);
// Define a (lazily compiled) function in the debuggee global; a RangeError
// instance is passed as the options argument of evaluate().
g.evaluate("function f(x) { return 2*x; }", new RangeError());
// Reading the descriptor wraps f as a debuggee value, which forces the
// function to be delazified and hits the assertion in ScriptSource::chars
// (see the backtrace below).
var fw = gw.getOwnPropertyDescriptor('f').value;
```
Backtrace:

```text
received signal SIGSEGV, Segmentation fault.
0x08618f39 in js::ScriptSource::chars (this=0xf13742c0, cx=0xf792d000, holder=..., begin=55, len=19) at js/src/jsscript.cpp:1575
#0 0x08618f39 in js::ScriptSource::chars (this=0xf13742c0, cx=0xf792d000, holder=..., begin=55, len=19) at js/src/jsscript.cpp:1575
#1 0x085731d2 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0xf792d000, fun=...) at js/src/jsfun.cpp:1498
#2 0x080a3029 in JSFunction::getOrCreateScript (this=0xf1589740, cx=0xf792d000) at js/src/jsfun.h:396
#3 0x08572ed8 in js::LazyScript::functionDelazifying (cx=0xf792d000, this=<optimized out>) at js/src/jsscriptinlines.h:81
#4 JSFunction::createScriptForLazilyInterpretedFunction (cx=0xf792d000, fun=...) at js/src/jsfun.cpp:1455
#5 0x086b8c3c in JSFunction::getOrCreateScript (cx=0xf792d000, this=<optimized out>) at js/src/jsfun.h:396
#6 EnsureFunctionHasScript (fun=..., cx=0xf792d000) at js/src/vm/Debugger.cpp:225
#7 js::Debugger::wrapDebuggeeObject (this=0xf795a000, cx=0xf792d000, obj=..., result=...) at js/src/vm/Debugger.cpp:1165
#8 0x086b9199 in js::Debugger::wrapDebuggeeValue (this=0xf795a000, cx=0xf792d000, vp=...) at js/src/vm/Debugger.cpp:1121
#9 0x086bf517 in js::DebuggerObject::getOwnPropertyDescriptor (cx=0xf792d000, object=..., id=..., desc=...) at js/src/vm/Debugger.cpp:9773
#10 0x086bf836 in js::DebuggerObject::getOwnPropertyDescriptorMethod (cx=0xf792d000, argc=1, vp=0xf1220060) at js/src/vm/Debugger.cpp:8963
#11 0x0874f63b in js::CallJSNative (cx=0xf792d000, native=0x86bf6c0 <js::DebuggerObject::getOwnPropertyDescriptorMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
[...]
#25 main (argc=4, argv=0xffffd8b4, envp=0xffffd8c8) at js/src/shell/js.cpp:7848
```

Registers and disassembly at the crash site:

```text
eax 0x0 0
ebx 0x13 19
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0x37 55
edi 0x4a 74
ebp 0xffffc918 4294953240
esp 0xffffc890 4294953104
eip 0x8618f39 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned int, unsigned int)+953>
=> 0x8618f39 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned int, unsigned int)+953>: movl $0x0,0x0
0x8618f43 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned int, unsigned int)+963>: ud2
```
Updated 9 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 9 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20160923033900" and the hash "c4d91d17c8ed2e385f4a4a3d97f861eee722626f".
The "bad" changeset has the timestamp "20160923040159" and the hash "52459cfd15765aa82ff26501b9c1a56272d49f0d".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c4d91d17c8ed2e385f4a4a3d97f861eee722626f&tochange=52459cfd15765aa82ff26501b9c1a56272d49f0d
Comment 3 • 9 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> Jan, is bug 1304390 a likely regressor here?
The assert may be new but the underlying issue is pre-existing, bug 1161312 :(
Marking this sec-audit like bug 1161312. As mentioned in that bug, this is probably shell-only.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Keywords: sec-audit
Resolution: --- → DUPLICATE
Updated 8 years ago

Updated 6 years ago:
Group: javascript-core-security