"Assertion failure: pc == bce->code(top + tableSize),"

VERIFIED FIXED in Firefox 15

Status

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People

Reporter: gkw, Assigned: Benjamin

Tracking

Blocks: 1 bug, 4 keywords
Version: Trunk
Target Milestone: mozilla16
Hardware: x86_64
OS: Windows 7
Keywords: assertion, regression, sec-critical, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox14 unaffected, firefox15 fixed, firefox16 fixed, firefox-esr10 unaffected

Details

Whiteboard: [js:p1][advisory-tracking-]

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 630785 [details]
testcase

The attached testcase asserts js debug shell on m-c changeset f918d74f736c without any CLI arguments at Assertion failure: pc == bce->code(top + tableSize),
(Reporter)

Comment 1

5 years ago
Created attachment 630786 [details]
stack
(Reporter)

Comment 2

5 years ago
Unfortunately I was not able to get a bisection in time.
(Reporter)

Comment 3

5 years ago
Tested on 64-bit Windows 7.
Hardware: x86 → x86_64
Whiteboard: js-triage-needed → [js:p3]
(Reporter)

Comment 4

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   95044:699a613bf616
user:        Benjamin Peterson
date:        Sat May 26 09:33:53 2012 -0400
summary:     Bug 757676 - Implement JS default parameters. r=jorendorff
Blocks: 757676
(Reporter)

Updated

5 years ago
Group: core-security
(Assignee)

Updated

5 years ago
Whiteboard: [js:p3] → [js:p1]
(Assignee)

Comment 5

5 years ago
Created attachment 636033 [details] [diff] [review]
don't let the memory change under us

Interesting bug!
Assignee: general → bpeterson
Attachment #636033 - Flags: review?(jorendorff)
(Assignee)

Comment 6

5 years ago
The security sensitivity of this bug comes from its potential to write to memory not owned by the JS engine.
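The assertion in the summary compares a raw pointer, pc, against bce->code(top + tableSize), which in SpiderMonkey's bytecode emitter reads as "recompute the address of offset top + tableSize from the code buffer as it is now". A mismatch means the buffer was reallocated while pc still pointed at the old block, which matches both the patch title ("don't let the memory change under us") and the comment above about writes to memory the engine does not own. The patch itself is not on this page. The C program below is an added example, not Mozilla code, that reproduces this bug class in a toy growable code buffer: CodeBuf, cb_reserve, cb_code, emit_filler, the 4-byte table slots and the retired-block list are all assumptions made for the illustration. One deliberate deviation, stated in the code: a real emitter frees the old block on growth, so the stale write is a use-after-free; the demo parks old blocks until teardown so the misdirected writes can be counted deterministically instead of corrupting the heap.

```c
/* Added example (not SpiderMonkey code): a raw pointer into a growable
 * bytecode buffer goes stale when the buffer is reallocated mid-emission.
 * All names and the buffer layout are assumptions for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RETIRED 8
#define SLOT 4        /* bytes per table entry (assumed) */
#define MARK 0x5A     /* pattern written into each table entry */

typedef struct {
    uint8_t *base;                 /* start of emitted bytecode */
    size_t   len;                  /* bytes emitted so far */
    size_t   cap;                  /* allocated size */
    uint8_t *retired[MAX_RETIRED]; /* old blocks kept until cb_free, see cb_reserve */
    int      nretired;
} CodeBuf;

typedef struct {
    int slots_in_live_buffer;  /* table entries whose bytes are in the current block */
    int invariant_holds;       /* pc == code(top + tableSize) at the end, as asserted */
} EmitResult;

static void cb_init(CodeBuf *cb, size_t cap) {
    memset(cb, 0, sizeof *cb);
    cb->base = (uint8_t *)calloc(cap, 1);
    cb->cap = cap;
}

static void cb_free(CodeBuf *cb) {
    for (int i = 0; i < cb->nretired; i++) free(cb->retired[i]);
    free(cb->base);
    memset(cb, 0, sizeof *cb);
}

/* Pointer to offset off in the *current* block, like bce->code(off).
 * Valid only until the next growth. */
static uint8_t *cb_code(CodeBuf *cb, size_t off) { return cb->base + off; }

/* Make room for n more bytes. Growth always moves the buffer (the new block
 * is allocated while the old one is still live, so the addresses differ).
 * A real emitter frees the old block here; this demo parks it in `retired`
 * so a write through a stale pointer lands in still-mapped memory and can
 * be observed, rather than being a use-after-free. */
static void cb_reserve(CodeBuf *cb, size_t n) {
    if (cb->len + n <= cb->cap) return;
    size_t ncap = cb->cap;
    while (cb->len + n > ncap) ncap *= 2;
    uint8_t *nb = (uint8_t *)calloc(ncap, 1);
    memcpy(nb, cb->base, cb->len);
    if (cb->nretired == MAX_RETIRED) abort();   /* demo limit, never hit below */
    cb->retired[cb->nretired++] = cb->base;
    cb->base = nb;
    cb->cap = ncap;
}

static void cb_emit1(CodeBuf *cb, uint8_t b) {
    cb_reserve(cb, 1);
    cb->base[cb->len++] = b;
}

/* Stand-in for "emit more bytecode in the middle of building the table":
 * eight filler opcodes, enough to force growth of the 16-byte demo buffer. */
static void emit_filler(CodeBuf *cb) {
    for (int k = 0; k < 8; k++) cb_emit1(cb, 0xAA);
}

/* How many table entries carry MARK in the block that is live right now. */
static int count_marked(CodeBuf *cb, size_t top, size_t entries) {
    int n = 0;
    for (size_t i = 0; i < entries; i++) {
        uint8_t *slot = cb_code(cb, top + i * SLOT);
        if (slot[0] == MARK && slot[SLOT - 1] == MARK) n++;
    }
    return n;
}

/* Bug pattern: pc is taken once and advanced across emission that can move
 * the buffer, so entries after the first move are written into the old block. */
static EmitResult emit_table_stale_pc(CodeBuf *cb, size_t entries) {
    size_t top = cb->len, tableSize = entries * SLOT;
    cb_reserve(cb, tableSize);
    cb->len += tableSize;
    uint8_t *pc = cb_code(cb, top);             /* never refreshed */
    for (size_t i = 0; i < entries; i++) {
        memset(pc, MARK, SLOT);                 /* after a move: old block */
        pc += SLOT;
        emit_filler(cb);                        /* may reallocate cb->base */
    }
    EmitResult r = { count_marked(cb, top, entries),
                     pc == cb_code(cb, top + tableSize) };
    return r;
}

/* Fixed pattern: remember an offset and rederive the pointer from the live
 * base after every step that can grow the buffer. */
static EmitResult emit_table_by_offset(CodeBuf *cb, size_t entries) {
    size_t top = cb->len, tableSize = entries * SLOT;
    cb_reserve(cb, tableSize);
    cb->len += tableSize;
    for (size_t i = 0; i < entries; i++) {
        memset(cb_code(cb, top + i * SLOT), MARK, SLOT);  /* fresh pointer */
        emit_filler(cb);
    }
    uint8_t *pc = cb_code(cb, top + tableSize);
    EmitResult r = { count_marked(cb, top, entries),
                     pc == cb_code(cb, top + tableSize) };
    return r;
}

/* One variant on a fresh 16-byte buffer with a 4-entry table. */
static EmitResult run_demo(int use_offsets) {
    CodeBuf cb;
    cb_init(&cb, 16);
    EmitResult r = use_offsets ? emit_table_by_offset(&cb, 4)
                               : emit_table_stale_pc(&cb, 4);
    cb_free(&cb);
    return r;
}

int main(void) {
    EmitResult bad = run_demo(0), good = run_demo(1);
    printf("stale pc : %d/4 entries in live buffer, invariant %s\n",
           bad.slots_in_live_buffer, bad.invariant_holds ? "holds" : "FAILS");
    printf("by offset: %d/4 entries in live buffer, invariant %s\n",
           good.slots_in_live_buffer, good.invariant_holds ? "holds" : "FAILS");
    return 0;
}
```

With the stale-pointer variant only the first entry, written before the first growth, survives in the live buffer; the other three land in a retired block, which in a real emitter would be freed memory, and the final check pc == code(top + tableSize) fails exactly as the page's assertion does. Holding offsets instead of pointers makes both observations come out right, which is the shape of fix the patch title describes.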
(Reporter)

Updated

5 years ago
Keywords: sec-critical
Attachment #636033 - Flags: review?(jorendorff) → review+
(Assignee)

Comment 7

5 years ago
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 757676
User impact if declined: JS can potentially write to random memory
Testing completed (on m-c, etc.): Feature is well tested by js engine tests.
Risk to taking this patch (and alternatives if risky): None; only sane solution really.
String or UUID changes made by this patch: None
Attachment #636033 - Flags: approval-mozilla-aurora?

Comment 8

5 years ago
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us

[Triage Comment]
Low risk sg:crit fix for Aurora 15.
Attachment #636033 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Updated

5 years ago
Keywords: checkin-needed
(Reporter)

Comment 9

5 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/73421f48fe54
Keywords: checkin-needed
Target Milestone: --- → mozilla16
(Reporter)

Comment 10

5 years ago
Removed checkin-needed for the moment; we should let it bake on inbound / central for at least a few days before landing on aurora.
https://hg.mozilla.org/mozilla-central/rev/73421f48fe54
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox15: --- → affected
status-firefox16: --- → fixed
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED

Updated

5 years ago
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
(Reporter)

Comment 13

5 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/3f11aed80c16
status-firefox15: affected → fixed
Whiteboard: [js:p1] → [js:p1][advisory-tracking-]
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+