Closed Bug 629650 Opened 14 years ago Closed 14 years ago

MethodJIT: Assertion failure: cx->enumerators == obj, at jsiter.cpp:789

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: assertion, reporter-external, testcase, Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?])

Attachments

(2 files)

The attached testcase asserts on 64-bit TM tip, run in the shell with "-j -m". The testcase is not minimal and might not terminate if the assertion isn't triggered (sorry, didn't have more time for further minimization/rewriting).

Backtrace:

#0 0x00007ffff7bd1ebb in raise () from /lib/libpthread.so.0
#1 0x0000000000598960 in JS_Assert (s=0x736327 "cx->enumerators == obj", file=0x73626b "jsiter.cpp", ln=789) at jsutil.cpp:83
#2 0x00000000004d49e9 in js_CloseIterator (cx=0xae80c0, obj=0x7ffff689a288) at jsiter.cpp:789
#3 0x00000000006b29a5 in FindExceptionHandler (cx=0xae80c0) at ./methodjit/InvokeHelpers.cpp:159
#4 0x00000000006b3b19 in js_InternalThrow (f=...) at ./methodjit/InvokeHelpers.cpp:552
#5 0x000000000064cac8 in JaegerThrowpoline () at ./methodjit/MethodJIT.cpp:139
#6 0x00007ffff7f96400 in ?? ()
[...]

Bisect shows:

Changeset 54650:427282865362: bad
The first bad revision is:
changeset:   54650:427282865362
user:        Bill McCloskey <wmccloskey@mozilla.com>
date:        Wed Sep 29 13:21:36 2010 -0700
summary:     Bug 535912 - Eliminate blockChain from JSStackFrame (r=cdleary)

However, this revision shows a different assertion: "Assertion failure: offset < script->length, at ../methodjit/InvokeHelpers.cpp:90".

This did not crash in my tests, so no security lock. Lock if appropriate.
Group: core-security
Similar stacks before were exploitable because the iterator stack becomes unbalanced and the next GC can kill the objects on it.
blocking2.0: --- → ?
blocking2.0: ? → final+
Whiteboard: hardblocker
The problem is that stubs::FixupArity leaves an incoherent cx->regs->pc when throwing.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attached patch: fix
Attachment #508298 - Flags: review?(lw)
Whiteboard: hardblocker → [hardblocker][has patch]
Comment on attachment 508298 (fix): r+ with the testcase.
Attachment #508298 - Flags: review?(lw) → review+
http://hg.mozilla.org/tracemonkey/rev/a7a3317dac32 -- didn't check in the testcase since it infinite-loops.
Whiteboard: [hardblocker][has patch] → [hardblocker][has patch][fixed-in-tracemonkey]
Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey] → [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?]
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Fixed for a long time and not affecting old branches, opening this.
Group: core-security
Status: RESOLVED → VERIFIED
Flags: in-testsuite-
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+