Bug 535760
Opened 15 years ago
Closed 15 years ago
Assertion failed: s1->isQuad() && s2->isQuad()
Categories
(Core :: JavaScript Engine, defect)
Tracking
status1.9.2: final-fixed
People
(Reporter: bc, Unassigned)
Details
(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(3 files)
1. http://www.koreaherald.co.kr/service/opencast/

On Windows 2003 Server 1.9.2 it gave:

Breakpoint starting at ntdll!DbgBreakPoint+0x0000000000000000 called from mozjs!nanojit::SanityFilter::ins3+0x0000000000000145 (Hash=0x560d5f52.0x267a6b43).

Windows XP gave:

NanoAssert(s1->isQuad() && s2->isQuad());

+this 0x05224e10 nanojit::SanityFilter * const
v LIR_qcmov nanojit::LOpcode
+s0 0x05516090 {lastWord={...} dummy=0x374dcdcd } nanojit::LIns *
+s1 0x0551578c {lastWord={...} dummy=0x184dcdcd } nanojit::LIns *
+s2 0x0551556c {lastWord={...} dummy=0x764dcdcd } nanojit::LIns *

dummy looks like it contains uninitialized memory.

On Mac OS X 1.9.3 I got:

http://www.koreaherald.co.kr/service/opencast/'
Assertion failed: s1->isQuad() && s2->isQuad() (/work/mozilla/builds/1.9.3/mozilla/js/src/nanojit/LIR.cpp:2453)

untar testcase.tar.bz2
load './www.koreaherald.co.kr/service/opencast/index.html'

see also bug 520536
Flags: wanted1.9.2?
Flags: blocking1.9.2?
The first bad revision is:

changeset: 30248:c76558a87dd9
user: David Mandelin <dmandelin@mozilla.com>
date: Wed Jul 08 11:16:41 2009 -0700
summary: Bug 453730: trace JSOP_ARGUMENTS, r=gal
Updated•15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
The problem is that CALLELEM on an argsobj does not update all stack slots in the tracker. Dave, is this the right thing to do here? I'm not sure if this is security sensitive. LIns* usually looks like it has garbage inside because of the way it's encoded. But not updating stack slots is potentially pretty dangerous.
Attachment #418464 -
Flags: review?(dmandelin)
Updated•15 years ago
Attachment #418464 -
Flags: review?(dmandelin) → review+
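For readers who want to see what "CALLELEM on an argsobj" refers to in the comment above: the code shape below is an added illustration written for this page, not the attached testcase.tar.bz2 and not the jit-test later added for this bug. It is a function that fetches a callee by element access from its own `arguments` object and calls it inside a loop, which is what the SpiderMonkey bytecode emitter turns into JSOP_CALLELEM with an arguments object as the base. Such a call consumes two stack slots, the callee and the `this` value (for `arguments[i]()` the `this` value is the arguments object itself), which is why a tracer that forgets to track one of the pushed slots ends up with stale entries. The function names and the iteration count are arbitrary choices for this example.

```javascript
// Added example (not the bug's attached testcase): the source pattern that
// compiles to JSOP_CALLELEM with an arguments object as the base.

// Calls every argument it was given, passing the argument index.  Each
// `arguments[i](i)` is a CALLELEM: the engine pushes the callee fetched by
// element access and, as the `this` value, the base object `arguments`.
function callEachArgument() {
  var results = [];
  for (var i = 0; i < arguments.length; i++) {
    results.push(arguments[i](i));
  }
  return results;
}

// Builds n callbacks that report what they observed as `this`, so the
// caller can check that the second pushed slot (this) really is the
// arguments object of callEachArgument and not undefined or the global.
function makeCallbacks(n) {
  var cbs = [];
  for (var k = 0; k < n; k++) {
    cbs.push(function (idx) {
      return {
        idx: idx,
        thisIsArguments:
          Object.prototype.toString.call(this) === "[object Arguments]",
        len: this.length
      };
    });
  }
  return cbs;
}

// Runs the CALLELEM loop repeatedly so that, on a tracing JIT, the inner
// loop becomes hot and is recorded rather than interpreted.  Returns the
// results of the last iteration.  The iteration count is arbitrary.
function runHot(iterations) {
  var cbs = makeCallbacks(3);
  var last = null;
  for (var i = 0; i < iterations; i++) {
    last = callEachArgument.apply(null, cbs);
  }
  return last;
}
```

On a correct engine `runHot(200)` returns three records whose `thisIsArguments` is true and whose `len` is 3; a tracer that mis-tracks either of the two slots pushed by CALLELEM would expose itself here as a wrong callee, a wrong `this`, or an assertion in the LIR writer such as the one in this bug's title.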
http://hg.mozilla.org/tracemonkey/rev/a2213b12f253
Whiteboard: fixed-in-tracemonkey
Comment 6•15 years ago
http://hg.mozilla.org/mozilla-central/rev/a2213b12f253
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 7•15 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/fe0560bbe9cb
status1.9.2: --- → final-fixed
Updated•13 years ago
Group: core-security
Comment 8•11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug535760.js.
Flags: in-testsuite+
Reporter
Updated•9 years ago
Flags: wanted1.9.2?