Closed
Bug 1499999
Opened 6 years ago
Closed 6 years ago
Assertion failure: fun->isInterpretedLazy(), at .../js/src/vm/JSFunction.cpp:1774
Categories: Core :: JavaScript Engine, defect, P3
Tracking: RESOLVED FIXED, target milestone mozilla65
Branch | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox62 | --- | disabled |
firefox63 | --- | disabled |
firefox64 | --- | disabled |
firefox65 | --- | fixed |
People
(Reporter: arai, Assigned: arai)
Details
(Keywords: assertion, sec-other, testcase, Whiteboard: [post-critsmash-triage])
Attachments (2 files)
Attachment 1: 1.01 KB, application/octet-stream
Attachment 2 (9018484): patch, 1.98 KB, efaust: review+
Description•6 years ago
Tested on m-c bfd23ad81ef4
Configure flags: --enable-warnings-as-errors --disable-optimize --enable-debug
Runtime flag: -B lazy.binjs
Result:
Assertion failure: fun->isInterpretedLazy(), at .../js/src/vm/JSFunction.cpp:1774
The file is encoded from
https://searchfox.org/mozilla-central/source/js/src/jit-test/tests/debug/bug1370905.js
Updated•6 years ago
Group: core-security → javascript-core-security
status-firefox62: --- → disabled
status-firefox63: --- → disabled
status-firefox-esr60: --- → unaffected
Comment 1•6 years ago
Is it bad (in a security sense) that the function is not interpreted lazily when we expected it to be?
Flags: needinfo?(tcampbell)
Comment 2•6 years ago
The fun->isInterpretedLazy() assertion seems in general like type confusion (sec-high I guess?), but this is BinAST, which isn't in the wild yet. Marking sec-other.
Flags: needinfo?(tcampbell)
Keywords: sec-other
Comment 3•6 years ago (assignee)
Looks like delazification is partially done and the state isn't recovered.
Updated•6 years ago
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Comment 4•6 years ago (assignee)
The actual problem is the redundant NameFunctions call (which is already done in emitFunctionScript), which is performed after JSScript::fullyInitFromEmitter.
JSScript::fullyInitFromEmitter modifies the JSFunction instance, and no operation after that is allowed to fail, for delazification.
So I removed the redundant call and added assertion classes, in the same way as for regular lazy functions.
Attachment #9018484 - Flags: review?(efaustbmo)
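The ordering invariant in comment 4 (all fallible work before the JSFunction is flipped from lazy to interpreted, nothing fallible after) is the whole bug, so here is a small model of it. This is an added example, not SpiderMonkey code: the Fun struct, the FunState enum, the simulateOom flag and the function names are stand-ins for the real JSFunction/JSScript machinery, which is far more involved. The "buggy" version places a fallible naming pass after the commit, as the BinAST path did; the "fixed" version does the naming first. When the late call fails, the caller reports failure but the object already claims to be interpreted, so the next attempt trips the isInterpretedLazy check (comment 3's "state isn't recovered").

```cpp
#include <stdexcept>
#include <string>

// Toy model (added example, not SpiderMonkey's own code) of the
// delazification ordering rule: once the function has been committed
// to the "interpreted" state, no step that can fail may run.
enum class FunState { Lazy, Interpreted };

struct Fun {
    FunState state = FunState::Lazy;
    std::string name;        // filled in by the (fallible) naming pass
    bool hasScript = false;  // set by the commit step
};

static bool isInterpretedLazy(const Fun& fun) {
    return fun.state == FunState::Lazy;
}

// Fallible naming pass. simulateOom stands in for an allocation failure.
static bool nameFunctions(Fun& fun, bool simulateOom) {
    if (simulateOom) {
        return false;
    }
    fun.name = "anonymous";
    return true;
}

// Point of no return: after this the function instance is interpreted.
static void fullyInitFromEmitter(Fun& fun) {
    fun.hasScript = true;
    fun.state = FunState::Interpreted;
}

// Buggy ordering: a redundant fallible pass runs after the commit.
static bool delazifyBuggy(Fun& fun, bool simulateOom) {
    if (!isInterpretedLazy(fun)) {
        throw std::logic_error("assertion: fun is not lazy");  // the assertion
    }
    fullyInitFromEmitter(fun);
    if (!nameFunctions(fun, simulateOom)) {
        return false;  // failure reported, but fun is already Interpreted
    }
    return true;
}

// Fixed ordering: all fallible work happens while the function is still lazy.
static bool delazifyFixed(Fun& fun, bool simulateOom) {
    if (!isInterpretedLazy(fun)) {
        throw std::logic_error("assertion: fun is not lazy");
    }
    if (!nameFunctions(fun, simulateOom)) {
        return false;  // fun untouched, a retry is still valid
    }
    fullyInitFromEmitter(fun);
    return true;
}

// State left behind by one failed attempt (simulated OOM).
static Fun afterFailedAttempt(bool (*delazify)(Fun&, bool)) {
    Fun fun;
    delazify(fun, /*simulateOom=*/true);
    return fun;
}

// Fail once, then retry. Returns true only if the retry succeeded without
// tripping the lazy-state assertion.
static bool attemptWithRetry(bool (*delazify)(Fun&, bool)) {
    Fun fun;
    if (delazify(fun, /*simulateOom=*/true)) {
        return false;  // the first attempt is meant to fail
    }
    try {
        return delazify(fun, /*simulateOom=*/false);
    } catch (const std::logic_error&) {
        return false;  // inconsistent state from the first attempt
    }
}
```

The security-relevant observation from comment 2 is visible in the buggy path: after the failed first attempt the object is marked Interpreted but was never fully set up, so any consumer that trusts the state flag reads data that was never initialised for that state.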
Updated•6 years ago
Attachment #9018484 - Flags: review?(dteller)
Comment 5•6 years ago
Comment on attachment 9018484 [details] [diff] [review]
Remove unnecessary NameFunctions call.
Review of attachment 9018484 [details] [diff] [review]:
Looks like this was just rot from a change that never got ported to this case, right?
Attachment #9018484 - Flags: review?(efaustbmo) → review+
Updated•6 years ago
Attachment #9018484 - Flags: review?(dteller)
Comment 6•6 years ago (assignee)
Yeah, this was a recent fix for the regular JS part.
Comment 7•6 years ago (assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b253f12c1eecac7a0c1276b8591d26279a91bc6c
Bug 1499999 - Remove unnecessary NameFunctions call. r=efaust
Comment 8•6 years ago
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Updated•6 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•5 years ago
Group: core-security-release