Closed
Bug 1398397
Opened 8 years ago
Closed 8 years ago
Assertion failure: stackPosition_ < nslots(), at js/src/jit/MIRGraph.h:214 | EXCEPTION_ACCESS_VIOLATION_EXEC on Windows
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1398105
People
(Reporter: bc, Unassigned)
References
Details
(5 keywords, Whiteboard: [adv-main57-])
Crash Data
Attachments
(2 files)
[Tracking Requested - why for this release]:
1. https://genius.com/Dua-lipa-idgaf-lyrics
or
https://quizlet.com/42962870/cardiac-pharmacology-flash-cards/
Assertion failure: stackPosition_ < nslots(), at /mozilla/builds/nightly/mozilla/js/src/jit/MIRGraph.h:214
Linux and Windows
On Windows there is an exploitable crash for opt
TotalOperandCount js::jit::LSnapshot::New js::jit::LIRGeneratorShared::buildSnapshot js::jit::LIRGeneratorShared::assignSafepoint js::jit::LIRGenerator::visitInstruction
bp-c77508b0-c1af-4c36-84da-840590170909
[@ js::jit::LIRGeneratorShared::assignSafepoint ]
I believe this has regressed in the last day. I could not reproduce it with a custom local build from yesterday but could with one from this afternoon: https://hg.mozilla.org/mozilla-central/rev/ea7b55d65d76214f97aaae502d65cb26fc6f5659
Log contains sections, you might need to search for ==== or scroll
==== Marionette Log ====
==== Gecko Log ====
Comment 1•8 years ago (Reporter)
Assertion failure: stackPosition_ < nslots(), at z:/build/build/src/js/src/jit/MIRGraph.h:214
and
Assertion failure: state.mApzcTreeManagerParent == parent, at z:/build/build/src/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp:153
PS. The opt crash was labeled content but the debug crash was labeled gpu.
Updated•8 years ago
Group: core-security → javascript-core-security
Comment 2•8 years ago
nbp, could this be the crash you're investigating?
Flags: needinfo?(nicolas.b.pierron)
Comment 3•8 years ago
(In reply to Jan de Mooij [:jandem] from comment #2)
> nbp, could this be the crash you're investigating?
Bug 1398105.
Updated•8 years ago
Keywords: sec-critical
Comment 5•8 years ago (Reporter)
Bug 1398105 mentions bestbuy.ca, which is also included in the assertion failures for this bug, so it is very likely they are related. I have a total of 32 urls so far that show this assertion. One is from genius.com while the remaining are from bestbuy.ca and quizlet.com.
Comment 6•8 years ago
(In reply to Bob Clary [:bc:] from comment #1)
> Assertion failure: stackPosition_ < nslots(), at
> z:/build/build/src/js/src/jit/MIRGraph.h:214
(In reply to Jan de Mooij [:jandem] from comment #3)
> (In reply to Jan de Mooij [:jandem] from comment #2)
> > nbp, could this be the crash you're investigating?
>
> Bug 1398105.
Yes, this is exactly this bug.
This is caused by Bug 966743, because we do not resize the slots_ vector of the MBasicBlock when doing a "pushFormals" which came from a fun.apply call to Array.prototype.push.
This issue will cause a buffer overflow, which strangely fails at unexpected locations.
Currently, this only affects 57, and I am waiting for inbound to open again before landing it.
Flags: needinfo?(nicolas.b.pierron)
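The following is an added, constructed model of the bug class described in comment 6; it is not SpiderMonkey code and the class, member and function names (Block, slots_, stackPosition_, nslots, pushFormalsBuggy, pushFormalsFixed) are assumptions chosen to mirror the assertion text. A block keeps its locals and operand stack in one slot vector sized up front; pushing a call's arguments onto that stack without growing the vector is exactly what lets the write position reach nslots(). The debug assertion stackPosition_ < nslots() is modelled as a thrown exception; a release build without the check would write past the end of the vector instead.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Constructed model, not SpiderMonkey's MBasicBlock: locals and the operand
// stack share one slots_ vector whose size is fixed when the block is built.
class Block {
    std::vector<int> slots_;
    size_t stackPosition_;

public:
    Block(size_t nlocals, size_t maxStackDepth)
        : slots_(nlocals + maxStackDepth, 0), stackPosition_(nlocals) {}

    size_t nslots() const { return slots_.size(); }
    size_t stackPosition() const { return stackPosition_; }

    // Single push guarded by the invariant from the bug report's assertion.
    // Throwing stands in for the debug-only MOZ_ASSERT; without it this is
    // an out-of-bounds write into slots_.
    void push(int v) {
        if (stackPosition_ >= nslots())
            throw std::out_of_range("stackPosition_ < nslots() violated");
        slots_[stackPosition_++] = v;
    }

    // Buggy path: push every argument of the inlined call straight onto the
    // stack. Only safe while the arguments fit in the depth the block was
    // sized for, which a fun.apply with a long argument array does not.
    void pushFormalsBuggy(const std::vector<int>& args) {
        for (int a : args) push(a);
    }

    // Fixed path: grow slots_ to hold the extra arguments before pushing.
    void pushFormalsFixed(const std::vector<int>& args) {
        size_t needed = stackPosition_ + args.size();
        if (needed > nslots()) slots_.resize(needed, 0);
        for (int a : args) push(a);
    }
};

// True when pushing nargs arguments onto a block sized for maxStackDepth
// trips the invariant on the buggy path.
bool buggyPathOverflows(size_t nlocals, size_t maxStackDepth, size_t nargs) {
    Block b(nlocals, maxStackDepth);
    std::vector<int> args(nargs, 1);
    try {
        b.pushFormalsBuggy(args);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// Same scenario on the fixed path; returns the resulting slot count so the
// caller can see the vector was grown, or 0 if the invariant still tripped.
size_t fixedPathSlots(size_t nlocals, size_t maxStackDepth, size_t nargs) {
    Block b(nlocals, maxStackDepth);
    std::vector<int> args(nargs, 1);
    try {
        b.pushFormalsFixed(args);
    } catch (const std::out_of_range&) {
        return 0;
    }
    return b.nslots();
}
```

With two locals and a maximum stack depth of four, pushing four arguments fits on either path, while pushing eight trips the assertion on the buggy path and grows the vector to ten slots on the fixed one.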
Updated•8 years ago
Flags: needinfo?(nicolas.b.pierron)
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Comment 8•8 years ago
calling 57 fixed per bug 1398105
Updated•8 years ago
Whiteboard: [adv-main57-]
Updated•7 years ago
Group: core-security-release
Updated•7 years ago
Group: javascript-core-security, core-security-release