Bug 1496330 - Assertion failure: JSID_IS_ATOM(id) && frontend::IsIdentifier(JSID_TO_ATOM(id)), at js/src/vm/StringType.cpp:2229
Opened 7 years ago, closed 7 years ago
Categories: Core :: JavaScript Engine, defect, P3
Status: RESOLVED FIXED, target milestone mozilla64
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox62 | --- | disabled |
| firefox63 | --- | disabled |
| firefox64 | --- | fixed |
People: Reporter: arai, Assigned: efaust
Attachments (2 files):
- 529 bytes, application/octet-stream
- 1.50 KB, patch (arai: review+)
tested on m-i 21b67d2084a6
Configure flags: --enable-warnings-as-errors --disable-optimize --enable-debug
Runtime flag: -B is_atom.binjs
Result:
Assertion failure: JSID_IS_ATOM(id) && frontend::IsIdentifier(JSID_TO_ATOM(id)), at js/src/vm/StringType.cpp:2229
Comment 1 (Reporter), 7 years ago
encoded from js/src/jit-test/tests/basic/bug660597.js
I'll add all testcase in bug 1495611, so no need to add it here
Updated 7 years ago: Group: core-security → javascript-core-security
Comment 2, 7 years ago
I'm not sure if this assertion is handled in the code below it or not. At least part of it is. What's an appropriate rating here?
Flags: needinfo?(arai.unmht)
Comment 3 (Reporter), 7 years ago
The assertion failure itself in the function is safe (just that the behavior seems to be wrong),
but the underlying issue is that the internal `.this` binding is missing in the environment, which shouldn't happen.
That results in throwing an error for an undefined variable for an internal thing (and it results in hitting the assertion failure), which also shouldn't happen.
I haven't yet found any way that this hits a more critical issue than just wrong behavior, but there might be issues around dereferencing a wrong pointer in a scope object etc.
I'm afraid I'm not sure which rating will be suitable.
Then, this code is used only when BinAST is enabled, which is disabled by default in the pref,
so this shouldn't affect many users. This applies to all bugs under bug 1495611.
Flags: needinfo?(arai.unmht)
Updated (Assignee) 7 years ago: Status: NEW → ASSIGNED
Comment 5 (Assignee), 7 years ago
.this was not set aliased, because the with block didn't properly pollute the outer scope.
Attachment #9015363 - Flags: review?(arai.unmht)
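Comment 5 says the `with` block should have "polluted" the outer scope, i.e. forced enclosing bindings such as the internal `.this` to be marked aliased (kept in an environment object rather than a fixed slot). The following JavaScript is an added illustration of why that is required; it is not code from this bug, the attached patch, or SpiderMonkey. Inside a `with` block a name is resolved against the object at run time, so the compiler cannot statically bind names from the enclosing scope. The function bodies are built with the `Function` constructor because `with` is a syntax error in strict-mode code (and therefore in modules); the names lookupThroughWith, closureInsideWith and demo are assumptions of this example.

```javascript
// Added example (not from the bug or Mozilla's code): why a `with` block forces
// the engine to keep enclosing-scope bindings reachable dynamically.
// `with` is rejected in strict mode, so the bodies are created with the
// Function constructor, which yields sloppy-mode functions even inside a module.

// Plain lookup: `x` is resolved against obj first, then the enclosing scope.
const lookupThroughWith = new Function('obj', `
  var x = 'outer binding';
  with (obj) {
    return x;
  }
`);

// A closure created inside the `with` block still refers to `x`, but whether
// it sees obj.x or the enclosing var is only decided when it is called.
// The enclosing `x` therefore cannot live in a fixed slot: it must stay
// addressable through the environment chain (it must be "aliased").
const closureInsideWith = new Function('obj', `
  var x = 'outer binding';
  var getX;
  with (obj) {
    getX = function () { return x; };
  }
  obj.x = 'added later';   // constructed input: shadow x after the closure exists
  return getX();
`);

// Collects the three cases so a reader can compare them side by side.
function demo() {
  return {
    emptyObject: lookupThroughWith({}),                    // 'outer binding'
    shadowedByObject: lookupThroughWith({ x: 'from object' }), // 'from object'
    lateShadow: closureInsideWith({}),                     // 'added later'
  };
}

console.log(demo());
```

The third case is the one that matters for the bug: the binding the closure reads changes after the closure was compiled, purely because of the object handed to `with`. An engine that resolved `x` (or an internal binding like `.this`) to a fixed slot at compile time would either read the wrong value or, as here, fail to find the binding in the environment at all.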
Comment 6 (Reporter), 7 years ago
Comment on attachment 9015363 [details] [diff] [review]
Fix
Review of attachment 9015363 [details] [diff] [review]:
-----------------------------------------------------------------
thanks!
Attachment #9015363 - Flags: review?(arai.unmht) → review+
Comment 7 (Reporter), 7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7d0546ee3cecaef21bf86e44717d84632d61580
https://hg.mozilla.org/mozilla-central/rev/f7d0546ee3ce
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated 7 years ago:
status-firefox62: --- → disabled
status-firefox63: --- → disabled
status-firefox-esr60: --- → unaffected
Updated 6 years ago: Group: core-security-release