Closed Bug 621991 Opened 14 years ago Closed 14 years ago

Assertion failure: FUN_FLAT_CLOSURE(callee_fun) / Crash

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 592202

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [sg:critical?])

The following shell testcase: test(); function test() { var counter = 0; function f(x,y) { try { throw 42; } catch(e2) { foo(function(){ return x; }| "9.2" && 5 || counter && e); ++counter; } } f(2, 1); } function foo(bar) { return ""+bar; } causes "Assertion failure: FUN_FLAT_CLOSURE(callee_fun), at jsfun.cpp:1178", tested on mc trunk. In an optimized build it crashes: ==1996== Invalid read of size 8 ==1996== at 0x4643A0: js::GetFlatUpvar(JSContext*, JSObject*, long, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== by 0x48DE1C: js_GetProperty(JSContext*, JSObject*, JSObject*, long, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== by 0x5FCD68: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== by 0x476CF6: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== by 0x4118F5: JS_ExecuteScript (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== by 0x407850: Process(JSContext*, JSObject*, char*, int) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== by 0x4085FF: Shell(JSContext*, int, char**, char**) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== by 0x408904: main (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js) ==1996== Address 0xfff2000000000000 is not stack'd, malloc'd or (recently) free'd Flagged as security because I didn't have time to inspect the crash further.
Slightly simpler: function p() { } function test() { var counter = 0; function f(x) { try { throw 42; } catch(e) { counter; p(function(){x;}); counter = 1; } } f(2); } test();
Regression range seems to blame bug 558451. Dup of bug 592202?
Blocks: 558451
Keywords: assertion, crash, regression, reproducible, testcase
Whiteboard: [sg:critical?]
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Fixed for a long time and not affecting old branches (according to duped bug), opening this.
Group: core-security
A testcase for this bug was already added in the original bug (bug 592202).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.