Closed Bug 649761 Opened 13 years ago Closed 13 years ago

TM: Assertion failure: from < *limit, at ./jscntxtinlines.h:212

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 644074

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

shell testcase, unpack, chdir and run main.js with options "-j -m -a"
1.20 KB, application/x-compressed-tar
Details 
The attached testcase causes the assertion on TM rev eee087772f45 (unpack, chdir and run main.js with options -j -m -a), tested on 32 and 64 bit.

There is so far no sign of a memory corruption here but I looked at the code and the assertion seems to be a range protection and would cause an integer overflow in the next line so I assume this could get critical.

The test files are not syntax minimized yet, I was not able to condense this into one file.
Hah, incredible! I just simplified the limit code in bug 644074 and removed what I thought was a very rare/hard-to-hit bug and indeed, toggling the one line that fixes the bug toggles whether the assert hits.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: