Closed Bug 757811 Opened 9 years ago Closed 9 years ago
Monkey: Assertion failure: (extended Jump Table _ + i * Size Of Jump Table Entry) < size() - Size Of Jump Table Entry, at ion/x64/Assembler-x64 .cpp:158
The attached testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n).
As discussed with jandem already, the testcase here is highly fragile and might not reproduce easily. It might also be necessary to use --ion-eager.
We discussed this a bit on IRC, I don't know the code very well but it seems the assert should use <= instead of <. If we have the following jumps: jump 0 - offset 0 jump 1 - offset 16 jump 2 - offset 32 size() -> 48 Then (extendedJumpTable_ + i * SizeOfJumpTableEntry) is 32 for i == 2. In this case size() - SizeOfJumpTableEntry is also 32.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #626462 - Flags: review?(dvander)
Given that the patch simply changes the assert we're saying there's no possible security bug here, right?
Attachment #626462 - Flags: review?(dvander) → review+
(In reply to Daniel Veditz [:dveditz] from comment #3) > Given that the patch simply changes the assert we're saying there's no > possible security bug here, right? Yup.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Testcase is too complex to add.
You need to log in before you can comment on or make changes to this bug.