Closed
Bug 780451
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
Flag | Tracking | Status
---|---|---
firefox14 | --- | unaffected
firefox15 | --- | unaffected
firefox16 | --- | unaffected
firefox-esr10 | --- | unaffected
People
(Reporter: gkw, Assigned: nbp)
References
Details
(4 keywords, Whiteboard: [fuzzblocker][ion:p1:fx18])
Attachments
(3 files)
M: with("") { break M } try { /x/ ({ e: f }) } catch (e) {} this.i.d

asserts js debug shell on IonMonkey changeset 0bc212d0183b without any CLI arguments at

Assertion failure: pcdepth + ndefs <= StackDepth(script),

autoBisect shows this is probably related to the following changeset: (not sure how true this is)

The first bad revision is:
changeset:   103173:0bc212d0183b
tag:         tip
parent:      103059:b457b592f609
parent:      103172:a7fadfbad932
user:        David Anderson
date:        Fri Aug 03 18:58:30 2012 -0700
summary:     Merge from mozilla-central.

Reporter
Comment 1•12 years ago
This testcase looks related and seems to have a similar regressing range:

try {} catch (N if '') {} this.z.z

(pass in the testcases as CLI arguments)

Assertion failure: pcdepth >= nuses,
Summary: IonMonkey: "Assertion failure: pcdepth + ndefs <= StackDepth(script)," → IonMonkey: "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses,"
Reporter
Comment 2•12 years ago
Some of these testcases cause (hard-to-reproduce) crashes / invalid reads as recorded by Valgrind involving ExpressionDecompiler::decompilePC and accessing weird memory addresses.
Group: core-security
Summary: IonMonkey: "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses," → IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses,"
Reporter
Updated•12 years ago
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → unaffected
status-firefox15:
--- → unaffected
status-firefox16:
--- → unaffected
Keywords: sec-critical
Reporter
Comment 3•12 years ago
Stack showing weird memory address of 0x74006900000000 being accessed.
Reporter
Updated•12 years ago
Whiteboard: [fuzzblocker]
Updated•12 years ago
Whiteboard: [fuzzblocker] → [fuzzblocker][ion:p1:fx18]
Assignee
Updated•12 years ago
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
OS: Mac OS X → All
Assignee
Comment 4•12 years ago
A hidden goto (break) was used to jump over a bunch of unused instructions and caused the ReconstructPCStack function to produce a wrong stack depth by restoring the pcdepth to the state saved before the GOTO evaluation.
+ The GOTO now checks if the previous instructions were hidden (in which case the GOTO will be too) and updates the pcdepth with the value of the hidden pcdepth.
+ Add an assertion to compare the result of the script analysis when the analysis has information about the bytecode.
Attachment #650329 - Flags: review?(luke)
Attachment #650329 - Flags: review?(bhackett1024)
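Comment 4 describes the defect in terms of how ReconstructPCStack treats a run of hidden instructions. What follows is an added example, a constructed Python model of that walk and not SpiderMonkey's code or the attached patch: the op names, their stack effects, the save/restore of pcdepth around a hidden run, the skip over code after a GOTO and the `fixed` switch are all assumptions modelled on the comment, and the bytecode is a hand-built sketch of the first test case. With the defect the walk trips the `pcdepth + ndefs <= StackDepth(script)` check quoted in the title; with the fix it reports a consistent depth.

```python
from collections import namedtuple
# Constructed model, not SpiderMonkey code. Op: name, pops, pushes, SRC_HIDDEN note (abrupt-exit op), GOTO target
Op = namedtuple("Op", "name nuses ndefs hidden target", defaults=(False, -1))
class DepthError(Exception): pass  # stands in for the two assertions quoted in the bug title
# Hand-built bytecode for the first test case, `M: with("") { break M } this.i.d`;
# pc 4 stands in for the block's normal exit and the unused try/catch that the break jumps over.
BREAK_OUT_OF_WITH = [
    Op("STRING", 0, 1),                       # 0: push ""
    Op("ENTERWITH", 1, 1),                    # 1: swap "" for the with-object, which stays on the stack
    Op("LEAVEWITH", 1, 0, hidden=True),       # 2: break M: pop the with-object (exit path only)
    Op("GOTO", 0, 0, hidden=True, target=5),  # 3: break M: jump past the block
    Op("LEAVEWITH", 1, 0),                    # 4: normal end of the block (never reached)
    Op("THIS", 0, 1),                         # 5
    Op("GETPROP i", 1, 1),                    # 6
    Op("GETPROP d", 1, 1),                    # 7: the pc being decompiled
    Op("POP", 1, 0),                          # 8
]
MAX_DEPTH = 1  # StackDepth(script): the emitter's maximum operand-stack depth for this script

def reconstruct_pc_depth(code, max_depth, target_pc, fixed):
    """Walk from pc 0 simulating the operand-stack depth at target_pc.  Hidden ops run only on the
    abrupt-exit path, so pcdepth is saved when a hidden run starts and restored when it ends.
    fixed=False still restores after following a hidden GOTO (comment 4); fixed=True does not."""
    pcdepth, saved, pc = 0, None, 0
    while pc < target_pc:
        op = code[pc]
        if op.hidden:
            if saved is None:
                saved = pcdepth           # depth before the hidden run
        elif saved is not None:
            pcdepth, saved = saved, None  # back on the fall-through path
        if pcdepth < op.nuses:
            raise DepthError(f"pcdepth >= nuses, at pc {pc} ({op.name})")
        pcdepth -= op.nuses
        if pcdepth + op.ndefs > max_depth:
            raise DepthError(f"pcdepth + ndefs <= StackDepth(script), at pc {pc} ({op.name})")
        pcdepth += op.ndefs
        if op.name == "GOTO" and pc < op.target <= target_pc:
            if fixed and op.hidden:
                saved = None              # the exit path was taken: its depth holds at the target
            pc = op.target                # skip the unreachable code between the GOTO and its target
        else:
            pc += 1
    return pcdepth
def outcome(fixed):
    try:
        return f"depth={reconstruct_pc_depth(BREAK_OUT_OF_WITH, MAX_DEPTH, 7, fixed)}"
    except DepthError as e:
        return f"Assertion failure: {e}"
```

The second test case in comment 1 is the mirror image: a depth that comes out too low trips the `pcdepth >= nuses` check instead, and the same walker reports that one too.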
Updated•12 years ago
Attachment #650329 - Flags: review?(luke) → review+
Updated•12 years ago
Attachment #650329 - Flags: review?(bhackett1024) → review+
Assignee
Comment 5•12 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/c0195737650c
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Status: RESOLVED → VERIFIED
Comment 6•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
Group: core-security