Closed
Bug 637403
Opened 13 years ago
Closed 11 years ago
JM: Assertion failure: stubsGenerated < MAX_PIC_STUBS, at ../methodjit/PolyIC.cpp:1974
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | - |
People
(Reporter: jandem, Assigned: dmandelin)
References
Details
(Keywords: crash, sec-moderate, testcase, Whiteboard: [sg:moderate] requires debugging)
Attachments
(1 file)
|
1.74 KB,
text/plain
|
Details |
--
var o1 = untrap;
var o2 = {};
o2.__defineGetter__('x', o1);
o2.x();
--
Asserts in debug mode:
32-bit:
$ ./js -a -m -d test.js
Assertion failure: stubsGenerated < MAX_PIC_STUBS, at ../methodjit/PolyIC.cpp:1974
64-bit:
Assertion failure: (strBits >> JSVAL_TAG_SHIFT) == 0, at ../jsval.h:622
Marking s-s because (especially) the 64-bit assertion seems weird, please unmark if this turns out to be shell only.
|
Reporter | |
Comment 1•13 years ago
|
||
A value of 0xdadadadadadadada is passed to setString...
|
Assignee | |
Comment 2•13 years ago
|
||
Looks like something for valgrind.
|
|
Assignee | |
Comment 3•13 years ago
|
||
Here is the cause:
var o1 = untrap;
var o2 = {};
o2.__defineGetter__('x', o1);
o2.x();
In the last statement we call into ic::CallProp, which takes a pointer to a PICInfo as input. First, it does the getprop for 'x'. This calls |untrap|, which recompiles the script and frees all its structures. Then it uses the PICInfo pointer to try to do stuff with the PIC. But that now points to freed memory, and bad things ensue.
We probably don't need to fix this right now, we should just be sure to pick it up when we redo debug mode.
|
||
Updated•13 years ago
|
|
||
Updated•13 years ago
|
blocking2.0: --- → .x+
|
|
||
Comment 4•13 years ago
|
||
(In reply to comment #3) > Then it uses the PICInfo pointer to try to do stuff with the PIC. But > that now points to freed memory, and bad things ensue. > > We probably don't need to fix this right now, we should just be sure to pick it > up when we redo debug mode. I'm having trouble reconciling the first paragraph and the sg:critical rating on the bug, with the second comment. Is this a debug-only problem? If so is it really a security problem?
Assignee: general → dmandelin
|
|
Reporter | |
Comment 5•13 years ago
|
||
Seems debug-mode only and therefore not sg:critical.
|
|
Assignee | |
Comment 6•13 years ago
|
||
After further discussion, we realized that this test case is shell-only. So this might not be sg:critical. The only way it would be is if there is a reliable way to trigger recompilation from a property getter, but I don't think the browser allows direct interaction with breakpoints via script.
|
|
||
Comment 7•13 years ago
|
||
OK, sg:moderate -- IF you can get a developer to use a debugger and interact with bad code in very specific ways it can crash dangerously, but minimal risk in real life.
blocking2.0: .x+ → -
Whiteboard: [sg:critical?] → [sg:moderate] requires debugging
|
||
Updated•12 years ago
|
Keywords: sec-moderate
|
|
Reporter | |
Comment 8•11 years ago
|
||
JM was removed, this is debug-mode only and probably got fixed a long time ago.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•