Closed Bug 533862 Opened 15 years ago Closed 14 years ago

"Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" or "Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 546615
Tracking Status
blocking2.0 --- beta1+
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:dupe 546615][3.6.x] fixed-in-tracemonkey)

Attachments

(2 files)

(new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()

Asserts js debug shell without -j on TM tip at: Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2145


(new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({});  if (1) {}  i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))

A slightly reduced version of the testcase above asserts js debug shell without -j on TM tip at: Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1863


Nominating security-sensitive because these testcases seem to involve gczeal.

autoBisecting soon...
autoBisect shows this is probably related to bug 488690:

The first bad revision is:
changeset:   27473:ed4ac8a1494e
user:        Brendan Eich
date:        Mon Apr 20 15:51:27 2009 -0700
summary:     Bug 488690 - "Assertion failure: dn->pn_defn, at ../jsemit.cpp" (r=mrbkap).
Blocks: 488690
Attached file testcase 1
$ ./js-dbg-32-tm-darwin original.js 
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2145
Abort trap
Attached file testcase 2
$ ./js-dbg-32-tm-darwin w5513-reduced.js 
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1863
Abort trap
Nominating for blocking on all platforms due to possibly-related bug 488690 being landed on all platforms from 1.9.1 onwards, but differing to more experienced eyes on whether to set wanted or otherwise.
blocking1.9.1: --- → ?
blocking2.0: --- → ?
Flags: wanted1.9.2?
Flags: blocking1.9.2?
qawanted: does the testcase actually affect 1.9.1 or is that just a guess based on the regressing bug?
status1.9.1: --- → ?
Keywords: qawanted
blocking1.9.1: ? → ---
Flags: blocking1.9.2? → blocking1.9.2+
Does this assert on the 192 branch?
(In reply to comment #5)
> qawanted: does the testcase actually affect 1.9.1 or is that just a guess based
> on the regressing bug?

This _does_ affect 1.9.1.

(In reply to comment #6)
> Does this assert on the 192 branch?

This _does_ affect 1.9.2.

For clarity, this affects 1.9.1, 1.9.2 and TM branches.

=====

1.9.1 changeset 9a04b31d5b46:

$ ./js-dbg-32-191-darwin
js> (new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2100
Trace/BPT trap

$ ./js-dbg-32-191-darwin
js> (new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({});  if (1) {}  i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1817
Trace/BPT trap

=====

1.9.2 changeset 162e0fd19bc2:

$ ./js-dbg-32-192-darwin 
js> (new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2097
Trace/BPT trap

$ ./js-dbg-32-192-darwin 
js> (new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({});  if (1) {}  i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1815
Trace/BPT trap

=====

TM changeset a2213b12f253:

$ ./js-dbg-32-tm-darwin 
js> (new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2145
Abort trap

$ ./js-dbg-32-tm-darwin 
js> (new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({});  if (1) {}  i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1863
Abort trap
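The comment above runs the two testcases by hand under the 1.9.1, 1.9.2 and TM debug shells and reads off the assertion line from each. The script below is an added example (not from the bug report or the Mozilla tree) that automates that triage step: it runs every testcase under every shell listed in JS_SHELLS and classifies each run as an assertion failure, a signal crash, or a normal exit. The shell names in the usage comment and the JS_SHELLS variable are placeholders; the js shell builds themselves are assumed to exist on disk.

```shell
#!/bin/sh
# Added example, not part of bug 533862. Cross-branch triage of js shell
# testcases: run each testcase under each debug shell and classify the result.
#
# usage: JS_SHELLS="./js-dbg-32-191-darwin ./js-dbg-32-192-darwin ./js-dbg-32-tm-darwin" \
#        ./triage.sh original.js w5513-reduced.js
# (shell names are placeholders from the comment above; any js shell path works)

# classify_output RC OUTPUT -> one line:
#   assert:<first "Assertion failure:" line>   debug assertion fired
#   crash:SIG<n>                               killed by signal n, no assertion text
#   exit:<rc>                                  exited normally with status rc
classify_output() {
    rc=$1
    out=$2
    # take only the first assertion line; the "|| true" keeps set -e callers alive
    msg=$(printf '%s\n' "$out" | sed -n '/^Assertion failure:/{p;q;}' || true)
    if [ -n "$msg" ]; then
        printf 'assert:%s\n' "$msg"
    elif [ "$rc" -gt 128 ]; then
        # shells report a signal death as 128 + signal number
        printf 'crash:SIG%s\n' "$((rc - 128))"
    else
        printf 'exit:%s\n' "$rc"
    fi
}

# classify_run SHELL TESTCASE -> runs the shell on the file (stderr merged,
# stdin closed so the shell never waits on a terminal) and classifies it.
classify_run() {
    shell=$1
    tc=$2
    rc=0
    out=$("$shell" "$tc" 2>&1 </dev/null) || rc=$?
    classify_output "$rc" "$out"
}

# main TESTCASE... -> one table row per (shell, testcase) pair
main() {
    for tc in "$@"; do
        for shell in ${JS_SHELLS:-./js}; do
            printf '%-28s %-22s %s\n' "$shell" "$tc" "$(classify_run "$shell" "$tc")"
        done
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Only the first "Assertion failure:" line is recorded, because the line number after "jsemit.cpp:" is what differs between branches (2100, 2097 and 2145 above) and is the value worth diffing against a later build; a run that aborts without printing an assertion is reported by signal number so a plain crash is not mistaken for a clean exit.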
blocking1.9.1: --- → ?
Keywords: qawanted
This test case is pretty hairy, using sharps and E4X. We'll go for a point release.
Flags: blocking1.9.2+ → blocking1.9.2-
Flags: wanted1.9.2? → wanted1.9.2+
Whiteboard: [3.6.x]
blocking1.9.1: ? → ---
blocking2.0: ? → alpha1
blocking2.0: alpha1 → beta1
mrbkap, is this a security hole?
This bug got fixed by bug 546615:

changeset:   38077:36487442aeb0
user:        Jason Orendorff
date:        Thu Feb 18 16:01:25 2010 -0600
summary:     Bug 546615 - Crash [@ BindNameToSlot] or "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp". r=brendan.
Whiteboard: [3.6.x] → [3.6.x] fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 14 years ago
Depends on: 546615
Resolution: --- → DUPLICATE
Whiteboard: [3.6.x] fixed-in-tracemonkey → [sg:dupe 546615][3.6.x] fixed-in-tracemonkey
Group: core-security
A testcase for this bug was already added in the original bug (bug 546615).
Flags: in-testsuite-