Closed Bug 1499999 Opened 3 years ago Closed 3 years ago
Assertion failure: fun->isInterpretedLazy(), at .../js/src/vm/JSFunction.cpp:1774
tested on m-c bfd23ad81ef4
Configure flags: --enable-warnings-as-errors --disable-optimize --enable-debug
Runtime flag: -B lazy.binjs
Result: Assertion failure: fun->isInterpretedLazy(), at .../js/src/vm/JSFunction.cpp:1774
The file is encoded from https://searchfox.org/mozilla-central/source/js/src/jit-test/tests/debug/bug1370905.js
Is it bad (in a security sense) the function is not interpreted lazily when we expected it to be?
The fun->isInterpretedLazy() assertion seems in general like type confusion (sec-high, I guess?), but this is BinAST, which isn't in the wild yet. Marking sec-other.
Looks like delazification is partially done and the state isn't recovered.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
The actual problem is the redundant NameFunctions call (which is already done in emitFunctionScript), which is performed after JSScript::fullyInitFromEmitter. JSScript::fullyInitFromEmitter modifies the JSFunction instance, and no operation after that is allowed to fail, for delazification. So, removed the redundant call and added assertion classes, in the same way as for regular lazy functions.
Attachment #9018484 - Flags: review?(efaustbmo)
Comment on attachment 9018484 [details] [diff] [review]
Remove unnecessary NameFunctions call.

Review of attachment 9018484 [details] [diff] [review]:

Looks like this was just rot from a change that never got ported to this case, right?
Attachment #9018484 - Flags: review?(efaustbmo) → review+
Yeah, this was a recent fix for the regular JS part.
https://hg.mozilla.org/integration/mozilla-inbound/rev/b253f12c1eecac7a0c1276b8591d26279a91bc6c Bug 1499999 - Remove unnecessary NameFunctions call. r=efaust