Closed
Bug 629650
Opened 14 years ago
Closed 14 years ago
MethodJIT: Assertion failure: cx->enumerators == obj, at jsiter.cpp:789
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |
People
(Reporter: decoder, Assigned: dvander)
Details
(Keywords: assertion, reporter-external, testcase, Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?])
Attachments (2 files)
- 735 bytes, application/javascript (Details)
- 4.49 KB, patch, luke: review+ (Details | Diff | Splinter Review)
The attached testcase asserts on 64-bit TM tip, run in the shell with "-j -m". The testcase is not minimal and might not terminate if the assertion isn't triggered (sorry, didn't have more time for further minimization/rewriting).
Backtrace:
#0 0x00007ffff7bd1ebb in raise () from /lib/libpthread.so.0
#1 0x0000000000598960 in JS_Assert (s=0x736327 "cx->enumerators == obj", file=0x73626b "jsiter.cpp", ln=789) at jsutil.cpp:83
#2 0x00000000004d49e9 in js_CloseIterator (cx=0xae80c0, obj=0x7ffff689a288) at jsiter.cpp:789
#3 0x00000000006b29a5 in FindExceptionHandler (cx=0xae80c0) at ./methodjit/InvokeHelpers.cpp:159
#4 0x00000000006b3b19 in js_InternalThrow (f=...) at ./methodjit/InvokeHelpers.cpp:552
#5 0x000000000064cac8 in JaegerThrowpoline () at ./methodjit/MethodJIT.cpp:139
#6 0x00007ffff7f96400 in ?? ()
[...]
Bisect shows:
Changeset 54650:427282865362: bad
The first bad revision is:
changeset: 54650:427282865362
user: Bill McCloskey <wmccloskey@mozilla.com>
date: Wed Sep 29 13:21:36 2010 -0700
summary: Bug 535912 - Eliminate blockChain from JSStackFrame (r=cdleary)
however, this revision shows a different assertion
"Assertion failure: offset < script->length, at ../methodjit/InvokeHelpers.cpp:90"
This did not crash in my tests, so no security lock. Lock if appropriate.
Updated • 14 years ago
Group: core-security
Comment 1 • 14 years ago
Similar stacks before were exploitable because the iterator stack becomes unbalanced and the next GC can kill the objects on it.
blocking2.0: --- → ?
Updated • 14 years ago
blocking2.0: ? → final+
Whiteboard: hardblocker
Comment 2 (Assignee) • 14 years ago
The problem is that stubs::FixupArity leaves an incoherent cx->regs->pc when throwing.
Assignee: general → dvander
Status: NEW → ASSIGNED
Comment 3 (Assignee) • 14 years ago
Attachment #508298 - Flags: review?(lw)
Updated • 14 years ago
Whiteboard: hardblocker → [hardblocker][has patch]
Comment 4 • 14 years ago
Comment on attachment 508298 [details] [diff] [review]: fix
r+ with the testcase.
Attachment #508298 - Flags: review?(lw) → review+
Comment 5 (Assignee) • 14 years ago
http://hg.mozilla.org/tracemonkey/rev/a7a3317dac32
Didn't check in the testcase since it infinite-loops.
Whiteboard: [hardblocker][has patch] → [hardblocker][has patch][fixed-in-tracemonkey]
Updated • 14 years ago
Whiteboard: [hardblocker][has patch][fixed-in-tracemonkey] → [hardblocker][has patch][fixed-in-tracemonkey][sg:critical?]
Comment 7 • 14 years ago
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/a7a3317dac32
Updated • 14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 8 (Reporter) • 13 years ago
Fixed for a long time and not affecting old branches, opening this.
Group: core-security
Updated (Reporter) • 13 years ago
Status: RESOLVED → VERIFIED
Updated (Reporter) • 12 years ago
Flags: in-testsuite-
Updated • 5 months ago
Keywords: reporter-external