IonMonkey: Assertion failure: (extendedJumpTable_ + i * SizeOfJumpTableEntry) < size() - SizeOfJumpTableEntry, at ion/x64/Assembler-x64.cpp:158

RESOLVED FIXED

Status

Core
JavaScript Engine
major
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 626404 [details]
Testcase for shell

The attached testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n).
(Reporter)

Comment 1

5 years ago
As discussed with jandem already, the testcase here is highly fragile and might not reproduce easily. It might also be necessary to use --ion-eager.
(Assignee)

Comment 2

5 years ago
Created attachment 626462 [details] [diff] [review]
Patch

We discussed this a bit on IRC. I don't know the code very well, but it seems the assert should use <= instead of <.

If we have the following jumps:

jump 0 - offset 0
jump 1 - offset 16
jump 2 - offset 32

size() -> 48

Then (extendedJumpTable_ + i * SizeOfJumpTableEntry) is 32 for i == 2. In this case size() - SizeOfJumpTableEntry is also 32.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #626462 - Flags: review?(dvander)
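
The off-by-one described in comment 2, as an added example (not code from the bug, the patch or IonMonkey): it runs the strict and the inclusive bound over the comment's three-entry layout. The function names, the 16-byte entry size inferred from the comment's offsets, and the use of std::size_t are assumptions; entryFits goes beyond the comment by writing the same bound without the subtraction.

```cpp
#include <cstddef>
#include <cstdio>

// Assumption: 16-byte entries, inferred from the offsets 0, 16, 32 in comment 2.
constexpr std::size_t kEntrySize = 16;

// Bound as originally asserted: strict '<'.
bool strictCheck(std::size_t tableStart, std::size_t i, std::size_t bufSize) {
    return tableStart + i * kEntrySize < bufSize - kEntrySize;
}

// Bound proposed in comment 2: '<='.
bool inclusiveCheck(std::size_t tableStart, std::size_t i, std::size_t bufSize) {
    return tableStart + i * kEntrySize <= bufSize - kEntrySize;
}

// Same bound without "bufSize - kEntrySize", so a buffer shorter than one
// entry cannot wrap the unsigned subtraction (an addition of this example).
bool entryFits(std::size_t tableStart, std::size_t i, std::size_t bufSize) {
    std::size_t off = tableStart + i * kEntrySize;
    return off <= bufSize && bufSize - off >= kEntrySize;
}

// Index of the first entry the predicate rejects, or `count` if all pass.
template <typename Pred>
std::size_t firstRejected(Pred pred, std::size_t tableStart,
                          std::size_t count, std::size_t bufSize) {
    for (std::size_t i = 0; i < count; i++)
        if (!pred(tableStart, i, bufSize))
            return i;
    return count;
}

int main() {
    // Layout from comment 2: table at offset 0, three entries, size() == 48.
    std::printf("strict:    first rejected index %zu (3 = none)\n",
                firstRejected(strictCheck, 0, 3, 48));
    std::printf("inclusive: first rejected index %zu (3 = none)\n",
                firstRejected(inclusiveCheck, 0, 3, 48));
    // One past the end (offset 48) must still fail the corrected bound.
    std::printf("inclusive accepts index 3: %d\n", inclusiveCheck(0, 3, 48));
    // Constructed edge case: an 8-byte buffer cannot hold any entry.
    std::printf("8-byte buffer: inclusive=%d entryFits=%d\n",
                inclusiveCheck(0, 0, 8), entryFits(0, 0, 8));
    return 0;
}
```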

Comment 3

Given that the patch simply changes the assert we're saying there's no possible security bug here, right?
Attachment #626462 - Flags: review?(dvander) → review+

Comment 4

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Given that the patch simply changes the assert we're saying there's no
> possible security bug here, right?

Yup.
Group: core-security
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/082a0b357b50
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

4 years ago
Testcase is too complex to add.
Flags: in-testsuite-