Closed
Bug 762324
Opened 13 years ago
Closed 13 years ago
"Assertion failure: pc == bce->code(top + tableSize),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla16
| Tracking | Status | |
|---|---|---|
| firefox14 | --- | unaffected |
| firefox15 | --- | fixed |
| firefox16 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: Benjamin)
References
Details
(4 keywords, Whiteboard: [js:p1][advisory-tracking-])
Attachments
(3 files)
|
927 bytes,
text/plain
|
Details | |
|
11.76 KB,
text/plain
|
Details | |
|
2.74 KB,
patch
|
jorendorff
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The attached testcase asserts js debug shell on m-c changeset f918d74f736c without any CLI arguments at Assertion failure: pc == bce->code(top + tableSize),
|
Reporter | |
Comment 1•13 years ago
|
||
|
|
Reporter | |
Comment 2•13 years ago
|
||
Unfortunately I was not able to get a bisection in time.
|
||
Updated•13 years ago
|
Whiteboard: js-triage-needed → [js:p3]
|
|
Reporter | |
Comment 4•13 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 95044:699a613bf616
user: Benjamin Peterson
date: Sat May 26 09:33:53 2012 -0400
summary: Bug 757676 - Implement JS default parameters. r=jorendorff
Blocks: harmony:defaults
|
|
Reporter | |
Updated•13 years ago
|
Group: core-security
|
Assignee | |
Updated•13 years ago
|
Whiteboard: [js:p3] → [js:p1]
|
|
Assignee | |
Comment 5•13 years ago
|
||
Interesting bug!
Assignee: general → bpeterson
Attachment #636033 -
Flags: review?(jorendorff)
|
|
Assignee | |
Comment 6•13 years ago
|
||
The security sensitivity of this bug comes from its potential to write to memory not owned by the JS engine.
|
|
Reporter | |
Updated•13 years ago
|
Keywords: sec-critical
|
||
Updated•13 years ago
|
Attachment #636033 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 7•13 years ago
|
||
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 757676
User impact if declined: JS can potentially write to random memory
Testing completed (on m-c, etc.): Features is well tested by js engine tests.
Risk to taking this patch (and alternatives if risky): None; only sane solution really.
String or UUID changes made by this patch: None
Attachment #636033 -
Flags: approval-mozilla-aurora?
|
||
Comment 8•13 years ago
|
||
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us
[Triage Comment]
Low risk sg:crit fix for Aurora 15.
Attachment #636033 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Updated•13 years ago
|
Keywords: checkin-needed
|
|
Reporter | |
Comment 9•13 years ago
|
||
Keywords: checkin-needed
Target Milestone: --- → mozilla16
|
|
Reporter | |
Comment 10•13 years ago
|
||
Removed checkin-needed for the moment; we should let it bake on inbound / central for at least a few days before landing on aurora.
|
||
Comment 11•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox15:
--- → affected
status-firefox16:
--- → fixed
Resolution: --- → FIXED
|
||
Comment 12•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Updated•13 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → unaffected
|
|
Reporter | |
Comment 13•13 years ago
|
||
|
||
Updated•13 years ago
|
Whiteboard: [js:p1] → [js:p1][advisory-tracking-]
|
||
Updated•13 years ago
|
Group: core-security
|
|
||
Comment 14•13 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•