Closed Bug 730810 Opened 8 years ago Closed 8 years ago

Assertion failure: ((js_CodeSpec[lhs->getOp()].format) & 0x001f) != 2, at js/src/frontend/BytecodeEmitter.cpp:3707 or Crash [@ JSScript::getAtom]

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 / Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Tracking Status: firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: Waldo)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: js-triage-needed)

Attachments

(1 file)

The following test crashes on mozilla-central revision 2dc40eb83023 (no options required):

const K = 20; K += "0";


Stepping through the assertion reveals a (likely exploitable) crash:

Program received signal SIGABRT, Aborted.
Assertion failure: index < natoms, at ../../jsscript.h:721

Program received signal SIGABRT, Aborted.

Program received signal SIGSEGV, Segmentation fault.
0x000000000041361e in JSScript::getAtom (this=0x7ffff6107180, index=15616) at ../../jsscript.h:722
722             return atoms[index];
The first bad revision is:
changeset:   87695:f4e955f78de9
user:        Jeff Walden
date:        Fri Feb 03 18:53:29 2012 -0800
summary:     Bug 720316 - Use uint32_t indexes for JOF_ATOM opcodes.  r=jorendorff
Keywords: regression
Blocks: 720316
                if (lhs->isOp(JSOP_CALLEE)) {
                    if (Emit1(cx, bce, JSOP_CALLEE) < 0)
                        return false;
                } else if (lhs->isOp(JSOP_NAME)) {
                    if (!EmitIndex32(cx, lhs->getOp(), atomIndex, bce))
                        return false;
                } else {
                    JS_ASSERT(JOF_OPTYPE(lhs->getOp()) != JOF_ATOM);
                    EMIT_UINT16_IMM_OP(lhs->getOp(), atomIndex);
                }

The middle block needs to also handle isOp(JSOP_GETGNAME).  I'll get a patch together when I get to the office.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
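The comment above describes an emitter/decoder width mismatch: after the switch to 32-bit indexes for JOF_ATOM opcodes, a global-name opcode that falls into the `else` branch is still written with a 16-bit immediate, so the interpreter reads two bytes of the following instruction as the upper half of the atom index and `getAtom` is called with an index outside the atom table. The following is an added, self-contained model of that failure mode written for this page; it is not SpiderMonkey code, and its opcodes, `operandKind` table, `Script` struct and encoding are all constructed for illustration. It shows the buggy emission path beside a format-table-driven one, a decoder that reads operand width from the table (as the interpreter does), and a bounds-checked atom lookup that turns the out-of-range index into a detectable error instead of an out-of-bounds read.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed toy bytecode modelled on the bug's description; not SpiderMonkey's
// real opcodes, encoding or emitter.
enum Op : uint8_t { OP_NOP = 0, OP_GETGNAME = 1, OP_SETGNAME = 2, OP_INT16 = 3, OP_ADD = 4 };

// Operand shape per opcode, the analogue of js_CodeSpec[].format & JOF_TYPEMASK.
enum OperandKind { KIND_NONE, KIND_ATOM32, KIND_IMM16 };

static OperandKind operandKind(Op op) {
    switch (op) {
        case OP_GETGNAME:
        case OP_SETGNAME: return KIND_ATOM32;  // name opcodes carry a 32-bit atom index
        case OP_INT16:    return KIND_IMM16;   // plain 16-bit immediate
        default:          return KIND_NONE;
    }
}

struct Script {
    std::vector<uint8_t> code;
    std::vector<std::string> atoms;  // atom table; any index used must be < atoms.size()
};

static void emitImm16(Script& s, Op op, uint16_t imm) {
    s.code.push_back(op);
    s.code.push_back(uint8_t(imm & 0xff));
    s.code.push_back(uint8_t(imm >> 8));
}

static void emitIndex32(Script& s, Op op, uint32_t index) {
    s.code.push_back(op);
    for (int i = 0; i < 4; ++i) s.code.push_back(uint8_t(index >> (8 * i)));
}

// Defective path: a name opcode that is not specially cased goes through the
// 16-bit immediate encoder even though the decoder will read 32 bits.
static void emitNameBuggy(Script& s, Op op, uint32_t atomIndex) {
    emitImm16(s, op, uint16_t(atomIndex));
}

// Corrected path: consult the format table so operand width matches the decoder.
static void emitNameFixed(Script& s, Op op, uint32_t atomIndex) {
    if (operandKind(op) == KIND_ATOM32)
        emitIndex32(s, op, atomIndex);
    else
        emitImm16(s, op, uint16_t(atomIndex));
}

struct Decoded { Op op; uint32_t operand; size_t next; bool ok; };

// Decoder takes operand width from the format table; ok=false on truncated code.
static Decoded decodeAt(const Script& s, size_t pc) {
    Decoded d{OP_NOP, 0, pc, false};
    if (pc >= s.code.size()) return d;
    d.op = Op(s.code[pc]);
    OperandKind k = operandKind(d.op);
    size_t width = k == KIND_ATOM32 ? 4 : (k == KIND_IMM16 ? 2 : 0);
    if (pc + 1 + width > s.code.size()) return d;
    for (size_t i = 0; i < width; ++i) d.operand |= uint32_t(s.code[pc + 1 + i]) << (8 * i);
    d.next = pc + 1 + width;
    d.ok = true;
    return d;
}

// Bounds-checked lookup: the "index < natoms" condition enforced unconditionally,
// so a bad index is reported rather than read through.
static bool getAtomChecked(const Script& s, uint32_t index, std::string* out) {
    if (index >= s.atoms.size()) return false;
    *out = s.atoms[index];
    return true;
}

// Builds the shape of `K += "0"` lowered to GETGNAME K; INT16 0; ADD, with the
// global read emitted by either path.
static Script buildScript(bool buggy) {
    Script s;
    s.atoms.push_back("K");
    if (buggy) emitNameBuggy(s, OP_GETGNAME, 0);
    else       emitNameFixed(s, OP_GETGNAME, 0);
    emitImm16(s, OP_INT16, 0);
    s.code.push_back(OP_ADD);
    return s;
}

// Atom index the decoder sees for the first instruction.
static uint32_t firstOperand(bool buggy) { return decodeAt(buildScript(buggy), 0).operand; }

// Whether the checked lookup accepts that index.
static bool firstAtomLookupOk(bool buggy) {
    Script s = buildScript(buggy);
    std::string atom;
    return getAtomChecked(s, decodeAt(s, 0).operand, &atom);
}
```

With the buggy emitter the first instruction is encoded as three bytes but decoded as five, so the decoder swallows the opcode byte of the following `INT16` into the index (yielding 0x30000 here) and the instruction stream is desynchronised from then on; the checked lookup rejects the index, which is the condition the `index < natoms` assertion in the report expresses.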
Attached patch: Patch and test
Attachment #600997 - Flags: review?(luke)
Attachment #600997 - Flags: review?(luke) → review+
Status: RESOLVED → VERIFIED
Group: core-security