Closed Bug 535760 Opened 15 years ago Closed 15 years ago

Assertion failed: s1->isQuad() && s2->isQuad()

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
status1.9.2 --- final-fixed

People

(Reporter: bc, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files)

Attached file testcase.tar.bz2
1. http://www.koreaherald.co.kr/service/opencast/

On Windows 2003 Server 1.9.2 it gave:

Breakpoint starting at ntdll!DbgBreakPoint+0x0000000000000000 called from mozjs!nanojit::SanityFilter::ins3+0x0000000000000145 (Hash=0x560d5f52.0x267a6b43). 

Windows XP gave:

  NanoAssert(s1->isQuad() && s2->isQuad());

+this	0x05224e10	nanojit::SanityFilter * const
 v	LIR_qcmov	nanojit::LOpcode
+s0	0x05516090 {lastWord={...} dummy=0x374dcdcd }	nanojit::LIns *
+s1	0x0551578c {lastWord={...} dummy=0x184dcdcd }	nanojit::LIns *
+s2	0x0551556c {lastWord={...} dummy=0x764dcdcd }	nanojit::LIns *

dummy looks like it contains uninitialized memory.

On Mac OS X 1.9.3 I got:

http://www.koreaherald.co.kr/service/opencast/'
Assertion failed: s1->isQuad() && s2->isQuad() (/work/mozilla/builds/1.9.3/mozilla/js/src/nanojit/LIR.cpp:2453)

untar testcase.tar.bz2

load './www.koreaherald.co.kr/service/opencast/index.html'

see also bug 520536
Flags: wanted1.9.2?
Flags: blocking1.9.2?
The first bad revision is:
changeset:   30248:c76558a87dd9
user:        David Mandelin <dmandelin@mozilla.com>
date:        Wed Jul 08 11:16:41 2009 -0700
summary:     Bug 453730: trace JSOP_ARGUMENTS, r=gal
Flags: blocking1.9.2? → blocking1.9.2+
dvander: cool.
Attached patch possible fix
The problem is that CALLELEM on an argsobj does not update all stack slots in the tracker. Dave, is this the right thing to do here?

I'm not sure if this is security sensitive. LIns* usually looks like it has garbage inside because of the way it's encoded. But not updating stack slots is potentially pretty dangerous.
Attachment #418464 - Flags: review?(dmandelin)
Attachment #418464 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/mozilla-central/rev/a2213b12f253
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug535760.js.
Flags: in-testsuite+
Flags: wanted1.9.2?