Bug 757811 - IonMonkey: Assertion failure: (extendedJumpTable_ + i * SizeOfJumpTableEntry) < size() - SizeOfJumpTableEntry, at ion/x64/Assembler-x64.cpp:158
Status: RESOLVED FIXED
Whiteboard: [jsbugmon:update]
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Target Milestone: ---
Assigned To: Jan de Mooij [:jandem]
Mentors:
Depends on:
Blocks: langfuzz IonFuzz
Reported: 2012-05-23 05:44 PDT by Christian Holler (:decoder)
Modified: 2013-02-05 05:57 PST (History)
CC: 7 users
Flags: choller: in-testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Testcase for shell (12.45 KB, text/javascript)
2012-05-23 05:44 PDT, Christian Holler (:decoder)
no flags
Patch (1.94 KB, patch)
2012-05-23 08:33 PDT, Jan de Mooij [:jandem]
dvander: review+

Description Christian Holler (:decoder) 2012-05-23 05:44:43 PDT
Created attachment 626404
Testcase for shell

The attached testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n).
Comment 1 Christian Holler (:decoder) 2012-05-23 05:45:44 PDT
As discussed with jandem already, the testcase here is highly fragile and might not reproduce easily. It might also be necessary to use --ion-eager.
Comment 2 Jan de Mooij [:jandem] 2012-05-23 08:33:01 PDT
Created attachment 626462
Patch

We discussed this a bit on IRC; I don't know the code very well, but it seems the assert should use <= instead of <.

If we have the following jumps:

jump 0 - offset 0
jump 1 - offset 16
jump 2 - offset 32

size() -> 48

Then (extendedJumpTable_ + i * SizeOfJumpTableEntry) is 32 for i == 2. In this case size() - SizeOfJumpTableEntry is also 32.
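The off-by-one reasoning in comment 2, worked through as an added example. This is not code from the bug, the patch or IonMonkey: the JumpTable struct, the size_t types and the kSizeOfJumpTableEntry constant are stand-ins assumed for the assembler's real fields. It goes one step beyond the comment by also writing the invariant the assert is meant to express ("entry i lies entirely inside the buffer") without the subtraction, which shows why the '<=' form is the correct one for the three-entry layout above and how the subtraction form behaves if size() is ever smaller than one entry under unsigned arithmetic.

```cpp
#include <cassert>
#include <cstddef>

// Constructed stand-in for the layout in comment 2: entries of 16 bytes,
// laid out back to back. The name mirrors the page's SizeOfJumpTableEntry.
const size_t kSizeOfJumpTableEntry = 16;

// Assumed minimal model of the assembler state the assertion reads.
struct JumpTable {
    size_t extendedJumpTable_;   // byte offset of entry 0 (0 in comment 2)
    size_t size_;                // bytes of emitted code, 48 in comment 2
    size_t size() const { return size_; }
};

// Byte offset of entry i, the left-hand side of the assertion.
size_t entryOffset(const JumpTable& t, size_t i) {
    return t.extendedJumpTable_ + i * kSizeOfJumpTableEntry;
}

// The assertion as originally written, with strict '<'.
// For the 3-entry table it rejects i == 2 because 32 < 32 is false.
bool checkStrict(const JumpTable& t, size_t i) {
    return entryOffset(t, i) < t.size() - kSizeOfJumpTableEntry;
}

// The assertion after the patch, with '<='.
// Accepts i == 2 (32 <= 32) and still rejects i == 3 (48 <= 32 is false).
bool checkFixed(const JumpTable& t, size_t i) {
    return entryOffset(t, i) <= t.size() - kSizeOfJumpTableEntry;
}

// The same invariant stated directly: the whole entry
// [offset, offset + kSizeOfJumpTableEntry) must fit inside [0, size()).
// Written without 'size() - entrySize', so it cannot wrap when size()
// is smaller than one entry (assumption: offsets are unsigned here).
bool entryFits(const JumpTable& t, size_t i) {
    size_t off = entryOffset(t, i);
    return off <= t.size() && t.size() - off >= kSizeOfJumpTableEntry;
}

// How many indices in [0, n) a given check accepts; used to compare the
// three predicates over the whole table rather than a single index.
size_t countAccepted(const JumpTable& t, size_t n,
                     bool (*check)(const JumpTable&, size_t)) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (check(t, i)) {
            accepted++;
        }
    }
    return accepted;
}

int main() {
    JumpTable t{0, 48};                      // jumps at offsets 0, 16, 32
    assert(countAccepted(t, 4, checkStrict) == 2);   // loses the last entry
    assert(countAccepted(t, 4, checkFixed) == 3);    // all three, not a 4th
    assert(countAccepted(t, 4, entryFits) == 3);     // agrees with the fix
    return 0;
}
```

With the values from the comment, the strict check accepts only entries 0 and 1 while both the patched check and the direct form accept exactly entries 0, 1 and 2, which is what the patch relies on.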
Comment 3 Daniel Veditz [:dveditz] 2012-05-23 10:13:15 PDT
Given that the patch simply changes the assert, we're saying there's no possible security bug here, right?
Comment 4 David Anderson [:dvander] 2012-05-23 12:41:26 PDT
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Given that the patch simply changes the assert we're saying there's no
> possible security bug here, right?

Yup.
Comment 5 Jan de Mooij [:jandem] 2012-05-24 02:51:40 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/082a0b357b50
Comment 6 Christian Holler (:decoder) 2013-02-05 05:57:35 PST
Testcase is too complex to add.
