Closed Bug 1499999 Opened 6 years ago Closed 6 years ago

Assertion failure: fun->isInterpretedLazy(), at .../js/src/vm/JSFunction.cpp:1774

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking
RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- disabled
firefox63 --- disabled
firefox64 --- disabled
firefox65 --- fixed

People

(Reporter: arai, Assigned: arai)

Details

(Keywords: assertion, sec-other, testcase, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

Attached file lazy.binjs

Tested on m-c bfd23ad81ef4
Configure flags: --enable-warnings-as-errors --disable-optimize --enable-debug
Runtime flag: -B lazy.binjs
Result: Assertion failure: fun->isInterpretedLazy(), at .../js/src/vm/JSFunction.cpp:1774

The file is encoded from https://searchfox.org/mozilla-central/source/js/src/jit-test/tests/debug/bug1370905.js
Group: core-security → javascript-core-security
Is it bad (in a security sense) the function is not interpreted lazily when we expected it to be?
Flags: needinfo?(tcampbell)
The fun->isInterpretedLazy() assertion seems in general like type-confusion (sec-high I guess?), but this is BinAST which isn't in the wild yet. Marking sec-other.
Flags: needinfo?(tcampbell)
Keywords: sec-other
Looks like delazification is partially done and the state isn't recovered.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
The actual problem is the redundant NameFunctions call (which is already done in emitFunctionScript), which is performed after JSScript::fullyInitFromEmitter. JSScript::fullyInitFromEmitter modifies the JSFunction instance, and no operation after that is allowed to fail, for delazification. So I removed the redundant call and added assertion classes, in the same way as for regular lazy functions.
Attachment #9018484 - Flags: review?(efaustbmo)
Attachment #9018484 - Flags: review?(dteller)
Comment on attachment 9018484 [details] [diff] [review]
Remove unnecessary NameFunctions call.

Review of attachment 9018484 [details] [diff] [review]:

Looks like this was just rot from a change that never got ported to this case, right?
Attachment #9018484 - Flags: review?(efaustbmo) → review+
Attachment #9018484 - Flags: review?(dteller)
Yeah, this was a recent fix for the regular JS part.
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release