Closed Bug 1398397 Opened 7 years ago Closed 7 years ago

Assertion failure: stackPosition_ < nslots(), at js/src/jit/MIRGraph.h:214 | EXCEPTION_ACCESS_VIOLATION_EXEC on Windows

Categories

(Core :: JavaScript Engine: JIT, defect)

57 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1398105
Tracking Status
firefox57 + fixed

People

(Reporter: bc, Unassigned)

Details

(5 keywords, Whiteboard: [adv-main57-])

Attachments

(2 files)

Attached file Windows opt crash log
[Tracking Requested - why for this release]:

1. https://genius.com/Dua-lipa-idgaf-lyrics
   or
   https://quizlet.com/42962870/cardiac-pharmacology-flash-cards/

Assertion failure: stackPosition_ < nslots(), at /mozilla/builds/nightly/mozilla/js/src/jit/MIRGraph.h:214

Linux and Windows

On Windows there is an exploitable crash for opt

TotalOperandCount
js::jit::LSnapshot::New
js::jit::LIRGeneratorShared::buildSnapshot
js::jit::LIRGeneratorShared::assignSafepoint
js::jit::LIRGenerator::visitInstruction

bp-c77508b0-c1af-4c36-84da-840590170909
[@ js::jit::LIRGeneratorShared::assignSafepoint ]

I believe this has regressed in the last day. I could not reproduce it with a custom local build from yesterday but could with one from this afternoon: https://hg.mozilla.org/mozilla-central/rev/ea7b55d65d76214f97aaae502d65cb26fc6f5659

Log contains sections, you might need to search for ==== or scroll
==== Marionette Log ====
==== Gecko Log ====
Assertion failure: stackPosition_ < nslots(), at z:/build/build/src/js/src/jit/MIRGraph.h:214

and 

Assertion failure: state.mApzcTreeManagerParent == parent, at z:/build/build/src/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp:153

PS. The opt crash was labeled content but the debug crash was labeled gpu.
Group: core-security → javascript-core-security
nbp, could this be the crash you're investigating?
Flags: needinfo?(nicolas.b.pierron)
(In reply to Jan de Mooij [:jandem] from comment #2)
> nbp, could this be the crash you're investigating?

Bug 1398105.
tracking as sec-critical
Bug 1398105 mentions bestbuy.ca, which is also included in the assertion failures for this bug, so it is very likely they are related. I have a total of 32 URLs so far that show this assertion. One is from genius.com while the remaining are from bestbuy.ca and quizlet.com.
(In reply to Bob Clary [:bc:] from comment #1)
> Assertion failure: stackPosition_ < nslots(), at
> z:/build/build/src/js/src/jit/MIRGraph.h:214
(In reply to Jan de Mooij [:jandem] from comment #3)
> (In reply to Jan de Mooij [:jandem] from comment #2)
> > nbp, could this be the crash you're investigating?
> 
> Bug 1398105.

Yes, this is exactly this bug.

This is caused by Bug 966743, because we do not resize the slots_ vector of the MBasicBlock when doing a "pushFormals" which came from a fun.apply call to Array.prototype.push.

This issue will cause a buffer overflow, which strangely fails at unexpected locations.

Currently, this only affects 57, and I am waiting for inbound to open again before landing it.
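To make the cause described in the comment above concrete, here is an added toy model, not SpiderMonkey's real MBasicBlock (its actual layout and API are not on this page and are assumed here): a block whose slots_ vector is sized up front, a push that enforces the stackPosition_ < nslots() invariant the assertion checks, and pushFormals both without and with the missing resize. The constructed scenario pushes four formals into a block sized for two slots.

```cpp
#include <cstddef>
#include <vector>

// Toy model (assumption, not SpiderMonkey's MBasicBlock) of the invariant
// behind "Assertion failure: stackPosition_ < nslots()".
struct BasicBlockModel {
    std::vector<int> slots_;    // operand slots: formals, locals, expression stack
    size_t stackPosition_ = 0;  // index of the next free slot

    explicit BasicBlockModel(size_t nslots) : slots_(nslots, 0) {}
    size_t nslots() const { return slots_.size(); }

    // Push one operand. Returns false when the invariant would be violated;
    // a build without the check would instead write past the end of slots_,
    // which is why the opt build crashes somewhere else later on.
    bool push(int v) {
        if (!(stackPosition_ < nslots())) return false;  // the assertion from the report
        slots_[stackPosition_++] = v;
        return true;
    }

    // Missing-resize variant: assumes the block already has room for the formals.
    bool pushFormalsUnsized(const std::vector<int>& formals) {
        for (int f : formals) if (!push(f)) return false;
        return true;
    }

    // Fixed variant: grow slots_ before pushing so the invariant always holds.
    bool pushFormalsResized(const std::vector<int>& formals) {
        size_t needed = stackPosition_ + formals.size();
        if (needed > nslots()) slots_.resize(needed, 0);
        return pushFormalsUnsized(formals);
    }
};

// Constructed scenario: a block sized for 2 slots receives 4 formals.
// Returns how many formals were accepted before the invariant check fired.
size_t formalsAcceptedUnsized() {
    BasicBlockModel block(2);
    block.pushFormalsUnsized({1, 2, 3, 4});
    return block.stackPosition_;  // 2: the third push is refused
}

// Same scenario with the resize in place: all 4 land and nslots() grew to 4.
size_t formalsAcceptedResized() {
    BasicBlockModel block(2);
    if (!block.pushFormalsResized({1, 2, 3, 4}) || block.nslots() != 4) return 0;
    return block.stackPosition_;  // 4
}
```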
Flags: needinfo?(nicolas.b.pierron)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Whiteboard: [adv-main57-]
Group: core-security-release
Group: javascript-core-security, core-security-release