690650 – TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"

Last Comment Bug 690650 - TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"


Summary:	TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"

Status:	RESOLVED FIXED
Whiteboard:	[sg:dos] js-triage-needed
Keywords:	assertion, crash, testcase

Product:	Core
Classification:	Components
Component:	JavaScript Engine (show other bugs)
Version:	Trunk
Platform:	x86 Mac OS X

Importance:	-- critical (vote)
Target Milestone:	---
Assigned To:	Brian Hackett (:bhackett)
QA Contact:
Mentors:

URL:

Depends on:
Blocks:	jsfunfuzz infer-regress 630996
	Show dependency tree / graph

Reported:

2011-09-29 21:26 PDT by Gary Kwong [:gkw] [:nth10sd]

Modified:

2013-01-19 14:31 PST (History)

CC List:

5 users (show)

Flags:

choller: in‑testsuite+

See Also:

Crash Signature:

(edit)

QA Whiteboard:

Iteration:

---

Points:

---

Has Regression Range:

---

Has STR:

---

Tracking Flags:

Attachments
testcase (192.13 KB, text/plain) 2011-09-29 21:26 PDT, Gary Kwong [:gkw] [:nth10sd]	no flags	Details
stack (2.81 KB, text/plain) 2011-09-29 21:30 PDT, Gary Kwong [:gkw] [:nth10sd]	no flags	Details
patch (764 bytes, patch) 2011-10-05 18:16 PDT, Brian Hackett (:bhackett)	dvander: review+	Details \| Diff \| Splinter Review
View All Add an attachment (proposed patch, testcase, etc.)

Description

Gary Kwong [:gkw] [:nth10sd] 2011-09-29 21:26:34 PDT

Created attachment 563647 [details]
testcase

The attached testcase asserts js debug shell on JM changeset 44ef245b8706 and m-c changeset db9e99d537f2 with -m, -a and -n at Assertion failure: codeArray[offset], and crashes js opt shell at js_InternalInterpret

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

Since it seems to be a null deref, assuming sg:dos and locking s-s to be safe.

Comment 1

Gary Kwong [:gkw] [:nth10sd] 2011-09-29 21:30:46 PDT

Created attachment 563650 [details]
stack

Comment 2

Brian Hackett (:bhackett) 2011-10-05 18:16:23 PDT

Created attachment 565103 [details] [diff] [review]
patch

Use of GET_JUMP_OFFSET which did not watch for JOF_JUMPX opcodes.  No other suspicious uses of GET_JUMP_OFFSET in analysis/compilation code, though I'd kind of like to kill GET_JUMP_OFFSET / GET_JUMP_OFFSETX completely and use a common function to compute offsets for both.

Comment 3

Brian Hackett (:bhackett) 2011-10-06 11:37:40 PDT

https://hg.mozilla.org/integration/mozilla-inbound/rev/cfda40f4a5c8

Comment 4

Christian Holler (:decoder) 2011-10-07 05:38:27 PDT

https://hg.mozilla.org/mozilla-central/rev/cfda40f4a5c8

Comment 5

Christian Holler (:decoder) 2013-01-19 14:31:08 PST

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.