Closed Bug 621991 Opened 14 years ago Closed 14 years ago

Assertion failure: FUN_FLAT_CLOSURE(callee_fun) / Crash

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 592202

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [sg:critical?])

The following shell testcase:

test();
function test()
{
  var counter = 0;
  function f(x,y) {
      try
      { 
        throw 42;
      }
      catch(e2)
      { 
        foo(function(){ return x; }| "9.2" && 5 || counter && e);
        ++counter;
      }
  }

  f(2, 1);
}

function foo(bar) { return ""+bar; }


causes "Assertion failure: FUN_FLAT_CLOSURE(callee_fun), at jsfun.cpp:1178", tested on mc trunk. In an optimized build it crashes:

==1996== Invalid read of size 8
==1996==    at 0x4643A0: js::GetFlatUpvar(JSContext*, JSObject*, long, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==    by 0x48DE1C: js_GetProperty(JSContext*, JSObject*, JSObject*, long, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==    by 0x5FCD68: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==    by 0x476CF6: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==    by 0x4118F5: JS_ExecuteScript (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==    by 0x407850: Process(JSContext*, JSObject*, char*, int) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==    by 0x4085FF: Shell(JSContext*, int, char**, char**) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==    by 0x408904: main (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==1996==  Address 0xfff2000000000000 is not stack'd, malloc'd or (recently) free'd

Flagged as security because I didn't have time to inspect the crash further.

Slightly simpler:

function p() { }
function test()
{
  var counter = 0;

  function f(x) {
      try
      { 
        throw 42;
      }
      catch(e)
      { 
        counter;
        p(function(){x;});
        counter = 1;
      }
  }

  f(2);
}
test();

Regression range seems to blame bug 558451.

Dup of bug 592202?

Blocks: 558451
Whiteboard: [sg:critical?]
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE

Fixed for a long time and not affecting old branches (according to duped bug), opening this.

Group: core-security

A testcase for this bug was already added in the original bug (bug 592202).

Flags: in-testsuite-