Closed Bug 1496330 Opened 2 years ago Closed 2 years ago

Assertion failure: JSID_IS_ATOM(id) && frontend::IsIdentifier(JSID_TO_ATOM(id)), at js/src/vm/StringType.cpp:2229

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- disabled
firefox63 --- disabled
firefox64 --- fixed

People

(Reporter: arai, Assigned: efaust)

References

Details

Attachments

(2 files)

Attached file is_atom.binjs
tested on m-i 21b67d2084a6

Configure flags: --enable-warnings-as-errors --disable-optimize --enable-debug

Runtime flag: -B is_atom.binjs

Result:
Assertion failure: JSID_IS_ATOM(id) && frontend::IsIdentifier(JSID_TO_ATOM(id)), at js/src/vm/StringType.cpp:2229
encoded from js/src/jit-test/tests/basic/bug660597.js

I'll add all testcases in bug 1495611, so there's no need to add them here.
Group: core-security → javascript-core-security
I'm not sure if this assertion is handled in the code below it or not. At least part of it is. What's an appropriate rating here?
Flags: needinfo?(arai.unmht)
The assertion failure itself in the function is safe (it's just that the behavior seems to be wrong),
but the underlying issue is that the internal `.this` binding is missing in the environment, which shouldn't happen.
That results in throwing an error for an undefined variable for an internal thing (and that results in hitting the assertion failure), which also shouldn't happen.

I haven't yet found any way that this hits a more critical issue than just wrong behavior, but there might be issues around dereferencing a wrong pointer in a scope object etc.
I'm afraid I'm not sure which rating would be suitable.

Then, this code is used only when BinAST is enabled, which is disabled by default in the pref,
so this shouldn't affect many users. This applies to all bugs under bug 1495611.
Flags: needinfo?(arai.unmht)
Gonna take a look.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Attached patch Fix
.this was not set aliased, because the with block didn't properly pollute the outer scope.
Attachment #9015363 - Flags: review?(arai.unmht)
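As an added illustration (this is not code from the bug, the attached patch, or the SpiderMonkey tree), the following JavaScript shows the two language rules a parser's scope analysis has to preserve around a `with` block, which is what the comments above describe going wrong for BinAST-decoded scripts: every free name inside `with` becomes a dynamic lookup on the object, and `this` inside a nested arrow function is still the enclosing function's receiver (SpiderMonkey carries it in an internal `.this` binding, so that binding has to stay environment-allocated, i.e. "aliased"). The function names and the constructed inputs are mine; the `.this`/aliased terminology is the engine's as used in the comments. Functions are built with `new Function` so that they parse in sloppy mode however this file is loaded, since `with` is a SyntaxError under `"use strict"`.

```javascript
// Added example, not from the bug or the SpiderMonkey tree.
// `new Function` bodies are sloppy-mode unless they opt in, so `with` parses
// here even if the surrounding module is strict.

// 1. A free name inside `with` is a dynamic lookup: it resolves to the object's
//    property when present and falls back to the enclosing binding otherwise.
const lookupInsideWith = new Function("obj", `
  var x = "outer";          // binding in the function's own scope
  with (obj) {
    return x;               // obj.x if it exists, else the outer x
  }
`);

// 2. `this` in an arrow body is lexical. The engine keeps the enclosing
//    function's receiver in an internal ".this" binding; because the arrow
//    reads it through the environment (and a with block could have interposed
//    an object), that binding must be environment-allocated ("aliased").
//    The object passed to `with` deliberately has a "this" property to show
//    that the keyword is never looked up on it.
const thisInsideWith = new Function("obj", `
  with (obj) {
    return (() => this)();  // must be the call receiver, not obj.this
  }
`);

// 3. A name that resolves nowhere throws ReferenceError; this is the same
//    "undefined variable" path the bug hit for the internal name.
const unboundInsideWith = new Function("obj", `
  with (obj) {
    return y;               // not on obj, not in any enclosing scope
  }
`);

function demoLookup() {
  return {
    plain: lookupInsideWith({}),                    // "outer"
    shadowed: lookupInsideWith({ x: "from obj" }),  // "from obj"
  };
}

function demoThis() {
  const receiver = { tag: "receiver" };             // constructed input
  const result = thisInsideWith.call(receiver, { this: "decoy" });
  return result === receiver;                       // true
}

function demoUnbound() {
  try {
    unboundInsideWith({});
    return "no error";
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : String(e);
  }
}
```

The point for a scope-analysis bug like this one is that all three behaviours are fixed by the language, not by the parser front end: a script decoded from BinAST must see exactly the same results as the same source parsed from text, so a differential run of the same function through both front ends is the natural regression check.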
Comment on attachment 9015363 [details] [diff] [review]
Fix

Review of attachment 9015363 [details] [diff] [review]:
-----------------------------------------------------------------

thanks!
Attachment #9015363 - Flags: review?(arai.unmht) → review+
Depends on: 1497446
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7d0546ee3cecaef21bf86e44717d84632d61580
https://hg.mozilla.org/mozilla-central/rev/f7d0546ee3ce
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Duplicate of this bug: 1496335
Group: core-security-release