Closed Bug 622041 Opened 14 years ago Closed 14 years ago

Assertion failure: fun->isFlatClosure() or null-pointer crash [@ JS_GetAnonymousString]

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical


RESOLVED DUPLICATE of bug 592202

People

(Reporter: alexander.miller, Unassigned)

Details

(Whiteboard: [sg:dupe 592202])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: 

While it is only a null pointer dereference crash, further investigation shows that various parameters on the stack are 0xFEEEFEEE, which is the pattern left behind by Microsoft's HeapFree() function. Also, memory is executed at 0xFFFF0001, which seems a bit scary.

Testcase: 
x2 = 1;
eval("let(x, x3 = 1e4.__proto__) ((function(){let(x1 = x) ((function(){(x) = x2;})());})());");

(I ran this on the tracemonkey repo)

Reproducible: Always
Summary: Assertion failure: FUN_FLAT_CLOSURE(callee_fun) or null-pointer crash → Assertion failure: FUN_FLAT_CLOSURE(callee_fun) or null-pointer crash [@ JS_GetAnonymousString]
That is the weirdest stack trace I've ever seen.
Also, the stack trace from this crash with -j and -m makes a little more sense in that the previous frames were JS-related. However, regardless of any JITs in use, there is still a call to 0xFFFF0001 and one parameter is 0xFEEEFEEE.
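The reporter's observations above (0xFEEEFEEE in stack parameters next to a null-pointer fault, and a call to 0xFFFF0001 regardless of JIT mode) are the evidence that separates a benign null dereference from a use-after-free during triage. The script below is an added example of that triage step; it is not code from this bug report, from SpiderMonkey or from Mozilla. The fill-pattern table lists documented Windows debug-heap and MSVC debug-CRT fill values, the address-space split assumes a default 32-bit process, and the register dump it runs on is constructed to mirror the reporter's description rather than being the real crash data.

```python
"""Crash-triage helper: is a Windows "null-pointer" crash really a use-after-free?

Added example for this bug page; not code from the bug report, SpiderMonkey or
Mozilla. The pattern table and thresholds are assumptions (documented
Windows debug-heap / MSVC CRT fill values, default 32-bit address split).
The sample dump at the bottom is constructed, not the real crash.
"""
from __future__ import annotations

import re

# Fill values written by the Windows debug heap (on when a debugger is attached
# or enabled via gflags) and by the MSVC debug CRT. A register holding one of
# these was loaded from memory that was already freed or never initialised.
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap block (Windows debug heap, HeapFree)",
    0xBAADF00D: "uninitialised heap block (Windows debug heap, HeapAlloc)",
    0xABABABAB: "guard bytes after a heap block (Windows debug heap)",
    0xDDDDDDDD: "freed heap block (MSVC debug CRT, free)",
    0xCDCDCDCD: "uninitialised heap block (MSVC debug CRT, malloc)",
    0xFDFDFDFD: "guard bytes around an MSVC debug CRT heap block",
    0xCCCCCCCC: "uninitialised stack memory (MSVC debug build)",
}

# Assumptions for a 32-bit process on Windows 7, as in the report.
USER_SPACE_LIMIT = 0x80000000  # default user/kernel split (no /3GB)
NULL_PAGE_LIMIT = 0x10000      # faults below this are NULL plus a field offset
FILL_DELTA = 0x100             # pattern plus a small field offset still counts

_REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[sb]p|ip))=([0-9a-fA-F]{8})")


def parse_registers(dump: str) -> dict[str, int]:
    """Parse WinDbg-style 'eax=00000000 ebx=feeefeee ...' text into a dict."""
    return {name: int(val, 16) for name, val in _REG_RE.findall(dump)}


def match_fill_pattern(value: int) -> tuple[int, str, int] | None:
    """Return (pattern, description, offset) if value equals a fill pattern or
    lies within FILL_DELTA above one (a poisoned pointer plus a field offset)."""
    for pattern, desc in FILL_PATTERNS.items():
        offset = value - pattern
        if 0 <= offset < FILL_DELTA:
            return pattern, desc, offset
    return None


def triage(regs: dict[str, int], stack_args: list[int], fault_addr: int) -> dict:
    """Classify a crash from its registers, stack-passed arguments and the
    faulting address. Returns the individual findings plus a verdict."""
    candidates = list(regs.items()) + [(f"arg{i}", v) for i, v in enumerate(stack_args)]
    stale_hits = []
    for name, value in candidates:
        hit = match_fill_pattern(value)
        if hit:
            _, desc, offset = hit
            suffix = f" plus {offset:#x}" if offset else ""
            stale_hits.append(f"{name}={value:#010x}: {desc}{suffix}")

    findings = list(stale_hits)
    eip = regs.get("eip", 0)
    # A program counter outside user space or equal to a fill value means the
    # crash is a diverted control transfer, whatever the top frame looks like.
    hijack = eip >= USER_SPACE_LIMIT or match_fill_pattern(eip) is not None
    if hijack:
        findings.append(f"eip={eip:#010x} is not a user-mode code address: control flow was diverted")

    if hijack:
        verdict = "control-flow hijack through stale data: treat as exploitable, not as a null dereference"
    elif stale_hits and fault_addr < NULL_PAGE_LIMIT:
        verdict = "null dereference with freed-heap values live: probable use-after-free, keep security-sensitive"
    elif fault_addr < NULL_PAGE_LIMIT:
        verdict = "plain null dereference: likely denial of service only"
    else:
        verdict = f"wild memory access at {fault_addr:#010x}: memory corruption"
    return {"findings": findings, "stale": bool(stale_hits), "hijack": hijack, "verdict": verdict}


# Constructed register dump mirroring the reporter's description (not the real one).
SAMPLE_DUMP = """\
eax=00000000 ebx=feeefeee ecx=feeefef2 edx=0012fa40 esi=00000000 edi=feeefeee
eip=ffff0001 esp=0012f9e8 ebp=0012fa10
"""
SAMPLE_STACK_ARGS = [0xFEEEFEEE, 0x0012FA40, 0x00000000]  # constructed


def triage_sample() -> dict:
    """Run the classifier over the constructed dump; the fault is the bad eip."""
    return triage(parse_registers(SAMPLE_DUMP), SAMPLE_STACK_ARGS, fault_addr=0xFFFF0001)


if __name__ == "__main__":
    result = triage_sample()
    for line in result["findings"]:
        print("  " + line)
    print("verdict:", result["verdict"])
```

The near-match window (FILL_DELTA) matters in practice: code that reads a poisoned pointer and then adds a field offset leaves values like 0xFEEEFEF2 rather than the bare pattern, and those are easy to miss when grepping a dump for the exact constant.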
OS: Windows 7 → All
I think this is purely a semantic issue, but now the assertion I am getting is Assertion failure: fun->isFlatClosure(), but the null pointer deref crash is still at the same place.
Summary: Assertion failure: FUN_FLAT_CLOSURE(callee_fun) or null-pointer crash [@ JS_GetAnonymousString] → Assertion failure: fun->isFlatClosure() or null-pointer crash [@ JS_GetAnonymousString]
Yeah, I rejiggered this code a little and changed the assertion slightly -- it happens.
On a linux opt build this crashes the same way bug 592202 does. ([@js::SetFlatUpvar])
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [sg:dupe 592202]
