Bug 690650 - TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"
Status: RESOLVED FIXED
Whiteboard: [sg:dos] js-triage-needed
Keywords: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Priority/Severity: -- critical
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz infer-regress 630996
Reported: 2011-09-29 21:26 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:31 PST
Flags: choller: in-testsuite+

Attachments
- testcase (192.13 KB, text/plain), 2011-09-29 21:26 PDT, Gary Kwong [:gkw] [:nth10sd]
- stack (2.81 KB, text/plain), 2011-09-29 21:30 PDT, Gary Kwong [:gkw] [:nth10sd]
- patch (764 bytes, patch), 2011-10-05 18:16 PDT, Brian Hackett (:bhackett); dvander: review+

Description Gary Kwong [:gkw] [:nth10sd] 2011-09-29 21:26:34 PDT
Created attachment 563647
testcase

The attached testcase asserts the js debug shell on JM changeset 44ef245b8706 and m-c changeset db9e99d537f2 with -m, -a and -n at "Assertion failure: codeArray[offset]," and crashes the js opt shell at js_InternalInterpret.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

Since it seems to be a null deref, assuming sg:dos and locking s-s to be safe.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-09-29 21:30:46 PDT
Created attachment 563650
stack
Comment 2 Brian Hackett (:bhackett) 2011-10-05 18:16:23 PDT
Created attachment 565103
patch

Use of GET_JUMP_OFFSET which did not watch for JOF_JUMPX opcodes.  No other suspicious uses of GET_JUMP_OFFSET in analysis/compilation code, though I'd kind of like to kill GET_JUMP_OFFSET / GET_JUMP_OFFSETX completely and use a common function to compute offsets for both.
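The mismatch comment 2 describes, as an added illustration that is not SpiderMonkey code and not the attached patch: a miniature bytecode with a short (2-byte) and an extended (4-byte) jump immediate, a reader for each, and the kind of single offset reader comment 2 suggests, which dispatches on the opcode's format flags so a caller cannot pick the wrong width. The opcode numbers, flag values, big-endian operand encoding, constructed script and the `is_start` table standing in for `codeArray[offset]` are all assumptions for the demo; the real engine's layout and the exact path to the null deref in the bug are not on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Format flags modelled on the JOF_JUMP / JOF_JUMPX split named in the bug;
 * the numeric values are assumptions for this demo. */
enum { JOF_JUMP = 0x1, JOF_JUMPX = 0x2 };
enum { OP_NOP = 0, OP_GOTO = 1, OP_GOTOX = 2, OP_COUNT = 3 };

typedef struct { const char *name; uint8_t length; uint8_t format; } OpInfo;

static const OpInfo op_table[OP_COUNT] = {
    [OP_NOP]   = { "nop",   1, 0 },
    [OP_GOTO]  = { "goto",  3, JOF_JUMP },   /* opcode byte + int16 (big-endian) */
    [OP_GOTOX] = { "gotox", 5, JOF_JUMPX },  /* opcode byte + int32 (big-endian) */
};

/* Legacy-style readers: each trusts the caller to know the operand width. */
static int32_t get_jump_offset(const uint8_t *pc) {
    return (int16_t)(((uint16_t)pc[1] << 8) | pc[2]);
}
static int32_t get_jumpx_offset(const uint8_t *pc) {
    return (int32_t)(((uint32_t)pc[1] << 24) | ((uint32_t)pc[2] << 16) |
                     ((uint32_t)pc[3] << 8)  |  (uint32_t)pc[4]);
}

/* One reader for both forms: the opcode's own format decides the width. */
static int32_t jump_offset(const uint8_t *pc) {
    return (op_table[pc[0]].format & JOF_JUMPX) ? get_jumpx_offset(pc)
                                                : get_jump_offset(pc);
}

#define SCRIPT_LEN 40005

/* Constructed script: 39,997 nops, a 3-byte goto at 39997, and a 5-byte gotox
 * at 40000 jumping back -40000 to offset 0. A jump that far does not fit in an
 * int16, which is exactly when an extended-offset opcode is needed. */
static uint8_t script[SCRIPT_LEN];
static uint8_t is_start[SCRIPT_LEN];   /* 1 where an instruction begins */

static void build_script(void) {
    memset(script, OP_NOP, SCRIPT_LEN);
    script[39997] = OP_GOTO;  script[39998] = 0x00; script[39999] = 0x03;   /* goto +3 */
    script[40000] = OP_GOTOX;                                               /* gotox -40000 = 0xFFFF63C0 */
    script[40001] = 0xFF; script[40002] = 0xFF; script[40003] = 0x63; script[40004] = 0xC0;

    memset(is_start, 0, SCRIPT_LEN);
    for (size_t off = 0; off < SCRIPT_LEN; )
        { is_start[off] = 1; off += op_table[script[off]].length; }
}

/* Resolve the jump at pc_off with the given reader and validate the target:
 * it must lie inside the script and on an instruction boundary (the analogue
 * of a non-null codeArray[offset] entry). Returns the target, or -1 if invalid. */
static long resolve_target(size_t pc_off, int32_t (*reader)(const uint8_t *)) {
    int64_t target = (int64_t)pc_off + reader(&script[pc_off]);
    if (target < 0 || target >= SCRIPT_LEN || !is_start[target])
        return -1;
    return (long)target;
}

/* Returns 0 when the common reader resolves the gotox correctly and the
 * mis-sized legacy reader (which sees 0xFFFF = -1 and lands inside the goto
 * at 39997) is rejected by validation. */
static int demo(void) {
    build_script();
    long good = resolve_target(40000, jump_offset);
    long bad  = resolve_target(40000, get_jump_offset);
    printf("gotox via jump_offset:     offset %d, target %ld\n",
           jump_offset(&script[40000]), good);
    printf("gotox via get_jump_offset: offset %d, target %ld (rejected)\n",
           get_jump_offset(&script[40000]), bad);
    return (good == 0 && bad == -1) ? 0 : 1;
}

int main(void) { return demo(); }
```

The point of the common reader is that the width comes from the opcode table rather than from whichever macro the call site happened to use, so adding an extended-jump opcode cannot silently leave an analysis pass reading half an operand; the boundary check is the belt-and-braces for a target that a confused reader still manages to produce.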
Comment 3 Brian Hackett (:bhackett) 2011-10-06 11:37:40 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/cfda40f4a5c8
Comment 4 Christian Holler (:decoder) 2011-10-07 05:38:27 PDT
https://hg.mozilla.org/mozilla-central/rev/cfda40f4a5c8
Comment 5 Christian Holler (:decoder) 2013-01-19 14:31:08 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929