Bug 757811
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: (extendedJumpTable_ + i * SizeOfJumpTableEntry) < size() - SizeOfJumpTableEntry, at ion/x64/Assembler-x64.cpp:158
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
12.45 KB, text/javascript
1.94 KB, patch (dvander: review+)
The attached testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n).
Comment 1 • 12 years ago (Reporter)
As discussed with jandem already, the testcase here is highly fragile and might not reproduce easily. It might also be necessary to use --ion-eager.
Comment 2 • 12 years ago (Assignee)
We discussed this a bit on IRC, I don't know the code very well but it seems the assert should use <= instead of <. If we have the following jumps:

jump 0 - offset 0
jump 1 - offset 16
jump 2 - offset 32
size() -> 48

Then (extendedJumpTable_ + i * SizeOfJumpTableEntry) is 32 for i == 2. In this case size() - SizeOfJumpTableEntry is also 32.
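The bound discussed in comment 2, as an added example that is not part of the original bug thread or the IonMonkey source: a simplified model using the comment's numbers (entries at offsets 0, 16, 32 and a size() of 48) that compares the strict and inclusive bounds against the condition that a whole entry lies inside the buffer. `CodeBufferModel`, `entryFits` and `countDisagreements` are hypothetical names, and the 16-byte entry size is inferred from the offsets in the comment.

```cpp
#include <cstddef>
#include <cstdio>

// Simplified model of the layout in comment 2; not IonMonkey source.
// Entry size 16 is inferred from the offsets 0, 16, 32 in that comment.
static const size_t SizeOfJumpTableEntry = 16;

struct CodeBufferModel {
    size_t extendedJumpTable_;  // offset of the first jump table entry
    size_t size_;               // total bytes; assumed >= one entry

    size_t size() const { return size_; }
    size_t entryOffset(size_t i) const {
        return extendedJumpTable_ + i * SizeOfJumpTableEntry;
    }
    // Bound as written in the failing assertion.
    bool strictBound(size_t i) const {
        return entryOffset(i) < size() - SizeOfJumpTableEntry;
    }
    // Bound proposed in comment 2.
    bool inclusiveBound(size_t i) const {
        return entryOffset(i) <= size() - SizeOfJumpTableEntry;
    }
    // Reference condition: the whole entry lies inside the buffer.
    bool entryFits(size_t i) const {
        return entryOffset(i) + SizeOfJumpTableEntry <= size();
    }
};

// Counts indices in [0, limit) where the chosen bound disagrees with entryFits.
size_t countDisagreements(const CodeBufferModel &buf, size_t limit, bool inclusive) {
    size_t n = 0;
    for (size_t i = 0; i < limit; i++) {
        bool ok = inclusive ? buf.inclusiveBound(i) : buf.strictBound(i);
        if (ok != buf.entryFits(i))
            n++;
    }
    return n;
}

int main() {
    CodeBufferModel buf = {0, 48};  // three entries, as in comment 2
    for (size_t i = 0; i < 4; i++)  // i == 3 is one past the last entry
        std::printf("i=%zu offset=%zu strict=%d inclusive=%d fits=%d\n", i,
                    buf.entryOffset(i), buf.strictBound(i),
                    buf.inclusiveBound(i), buf.entryFits(i));
    return 0;
}
```

In this model the strict bound rejects only the last in-bounds entry (i == 2), while the inclusive bound still rejects the index one past the end.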
Comment 3 • 12 years ago
Given that the patch simply changes the assert we're saying there's no possible security bug here, right?
Updated • 12 years ago
Attachment #626462 - Flags: review?(dvander) → review+
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Given that the patch simply changes the assert we're saying there's no
> possible security bug here, right?

Yup.
Group: core-security
Comment 5 • 12 years ago (Assignee)
https://hg.mozilla.org/projects/ionmonkey/rev/082a0b357b50
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED