Last Comment Bug 762324 - "Assertion failure: pc == bce->code(top + tableSize),"
: "Assertion failure: pc == bce->code(top + tableSize),"
: assertion, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Windows 7
-- critical (vote)
: mozilla16
Assigned To: :Benjamin Peterson
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz harmony:defaults
  Show dependency treegraph
Reported: 2012-06-06 17:43 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:19 PST (History)
8 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (927 bytes, text/plain)
2012-06-06 17:43 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags Details
stack (11.76 KB, text/plain)
2012-06-06 17:44 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags Details
don't let the memory change under us (2.74 KB, patch)
2012-06-22 23:07 PDT, :Benjamin Peterson
jorendorff: review+
akeybl: approval‑mozilla‑aurora+
Details | Diff | Splinter Review

Description User image Gary Kwong [:gkw] [:nth10sd] 2012-06-06 17:43:47 PDT
Created attachment 630785 [details]

The attached testcase asserts js debug shell on m-c changeset f918d74f736c without any CLI arguments at Assertion failure: pc == bce->code(top + tableSize),
Comment 1 User image Gary Kwong [:gkw] [:nth10sd] 2012-06-06 17:44:38 PDT
Created attachment 630786 [details]
Comment 2 User image Gary Kwong [:gkw] [:nth10sd] 2012-06-06 17:45:48 PDT
Unfortunately I was not able to get a bisection in time.
Comment 3 User image Gary Kwong [:gkw] [:nth10sd] 2012-06-06 17:46:04 PDT
Tested on 64-bit Windows 7.
Comment 4 User image Gary Kwong [:gkw] [:nth10sd] 2012-06-22 22:21:16 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   95044:699a613bf616
user:        Benjamin Peterson
date:        Sat May 26 09:33:53 2012 -0400
summary:     Bug 757676 - Implement JS default parameters. r=jorendorff
Comment 5 User image :Benjamin Peterson 2012-06-22 23:07:32 PDT
Created attachment 636033 [details] [diff] [review]
don't let the memory change under us

Interesting bug!
Comment 6 User image :Benjamin Peterson 2012-06-22 23:29:28 PDT
The security sensitivity of this bug comes from its potential to write to memory not owned by the JS engine.
Comment 7 User image :Benjamin Peterson 2012-06-25 13:04:38 PDT
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 757676
User impact if declined: JS can potentially write to random memory
Testing completed (on m-c, etc.): Features is well tested by js engine tests.
Risk to taking this patch (and alternatives if risky): None; only sane solution really.
String or UUID changes made by this patch: None
Comment 8 User image Alex Keybl [:akeybl] 2012-06-26 10:05:10 PDT
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us

[Triage Comment]
Low risk sg:crit fix for Aurora 15.
Comment 9 User image Gary Kwong [:gkw] [:nth10sd] 2012-06-26 13:10:46 PDT
Comment 10 User image Gary Kwong [:gkw] [:nth10sd] 2012-06-26 13:11:53 PDT
Removed checkin-needed for the moment; we should let it bake on inbound / central for at least a few days before landing on aurora.
Comment 11 User image Ed Morley [:emorley] 2012-06-27 03:40:36 PDT
Comment 12 User image Christian Holler (:decoder) 2012-06-28 15:07:10 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 13 User image Gary Kwong [:gkw] [:nth10sd] 2012-07-09 13:46:43 PDT
Comment 14 User image Christian Holler (:decoder) 2013-01-19 14:19:22 PST
Automatically extracted testcase for this bug was committed:

Note You need to log in before you can comment on or make changes to this bug.