Closed
Bug 622041
Opened 14 years ago
Closed 14 years ago
Assertion failure: fun->isFlatClosure() or null-pointer crash [@ JS_GetAnonymousString]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 592202
People
(Reporter: alexander.miller, Unassigned)
Details
(Whiteboard: [sg:dupe 592202])
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier:

While it is only a null pointer dereference crash, further investigation shows that various parameters on the stack are 0xFEEEFEEE, which is the pattern left behind by Microsoft's HeapFree() function. Also, memory is executed at 0xFFFF0001, which seems a bit scary.

Testcase:

    x2 = 1;
    eval("let(x, x3 = 1e4.__proto__) ((function(){let(x1 = x) ((function(){(x) = x2;})());})());");

(I ran this on the tracemonkey repo)

Reproducible: Always
Updated by reporter, 14 years ago
Summary: Assertion failure: FUN_FLAT_CLOSURE(callee_fun) or null-pointer crash → Assertion failure: FUN_FLAT_CLOSURE(callee_fun) or null-pointer crash [@ JS_GetAnonymousString]
Comment 1 (reporter), 14 years ago
That is the weirdest stack trace I've ever seen.
Comment 2 (reporter), 14 years ago
Comment 3 (reporter), 14 years ago
Also, the stack trace from this crash with -j and -m makes a little more sense in that the previous frames were JS-related. However, regardless of any JITs in use, there is still a call to 0xFFFF0001 and one parameter is 0xFEEEFEEE.
Updated by reporter, 14 years ago
OS: Windows 7 → All
Comment 4 (reporter), 14 years ago
I think this is purely a semantic issue, but now the assertion I am getting is Assertion failure: fun->isFlatClosure()
Comment 5 (reporter), 14 years ago
I think this is purely a semantic issue, but now the assertion I am getting is Assertion failure: fun->isFlatClosure(), but the null pointer deref crash is still at the same place.
Updated by reporter, 14 years ago
Summary: Assertion failure: FUN_FLAT_CLOSURE(callee_fun) or null-pointer crash [@ JS_GetAnonymousString] → Assertion failure: fun->isFlatClosure() or null-pointer crash [@ JS_GetAnonymousString]
Comment 6, 14 years ago
Yeah, I rejiggered this code a little and changed the assertion slightly -- it happens.
Comment 7 (reporter), 14 years ago
On a linux opt build this crashes the same way bug 592202 does. ([@js::SetFlatUpvar])
Updated 14 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated 12 years ago
Group: core-security
Whiteboard: [sg:dupe 592202]