Closed Bug 762324 Opened 11 years ago Closed 11 years ago

"Assertion failure: pc == bce->code(top + tableSize),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla16
Tracking Flags:
Tracking Status
firefox14 --- unaffected
firefox15 --- fixed
firefox16 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: Benjamin)

References

Details

(4 keywords, Whiteboard: [js:p1][advisory-tracking-])

Attachments

(3 files)

testcase
927 bytes, text/plain
Details
stack
11.76 KB, text/plain
Details
don't let the memory change under us
2.74 KB, patch
jorendorff
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file testcase 
The attached testcase asserts js debug shell on m-c changeset f918d74f736c without any CLI arguments at Assertion failure: pc == bce->code(top + tableSize),
Unfortunately I was not able to get a bisection in time.
Tested on 64-bit Windows 7.
Hardware: x86 → x86_64
Whiteboard: js-triage-needed → [js:p3]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   95044:699a613bf616
user:        Benjamin Peterson
date:        Sat May 26 09:33:53 2012 -0400
summary:     Bug 757676 - Implement JS default parameters. r=jorendorff
Blocks: harmony:defaults
Group: core-security
Whiteboard: [js:p3] → [js:p1]
Interesting bug!
Assignee: general → bpeterson
Attachment #636033 - Flags: review?(jorendorff)
The security sensitivity of this bug comes from its potential to write to memory not owned by the JS engine.
Attachment #636033 - Flags: review?(jorendorff) → review+
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 757676
User impact if declined: JS can potentially write to random memory
Testing completed (on m-c, etc.): Features is well tested by js engine tests.
Risk to taking this patch (and alternatives if risky): None; only sane solution really.
String or UUID changes made by this patch: None
Attachment #636033 - Flags: approval-mozilla-aurora?
Comment on attachment 636033 [details] [diff] [review]
don't let the memory change under us

[Triage Comment]
Low risk sg:crit fix for Aurora 15.
Attachment #636033 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Keywords: checkin-needed
Removed checkin-needed for the moment; we should let it bake on inbound / central for at least a few days before landing on aurora.
https://hg.mozilla.org/mozilla-central/rev/73421f48fe54
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox15: --- → affected
status-firefox16: --- → fixed
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Whiteboard: [js:p1] → [js:p1][advisory-tracking-]
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.