Bug 783924 (Closed)
Opened 12 years ago; closed 12 years ago
Crash [@ js::ParallelArrayObject::IndexInfo::initialize] or "Assertion failure: dimensions.length() > 0," or "Assertion failure: !unknownProperties(),"

Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla17

Release | Tracking | Status
---|---|---
firefox14 | --- | unaffected
firefox15 | --- | unaffected
firefox16 | --- | unaffected
firefox17 | --- | verified
firefox-esr10 | --- | unaffected

People: Reporter gkw, Assigned shu
Details: 4 keywords; Whiteboard: [fuzzblocker][adv-track-main17-]
Attachments: 5 files
Description • Reporter • 12 years ago

ParallelArray(/x/, /x/);

asserts js debug shell on m-c changeset 35b8d6ef5d46 without any CLI arguments at:

Assertion failure: dimensions.length() > 0,

Another [fuzzblocker] similar to bug 783923.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102665:ea2ad8970f3e
user:        Shu-yu Guo
date:        Fri Aug 17 10:38:59 2012 -0700
summary:     Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
Updated • Reporter • 12 years ago
Group: core-security
Comment 1 • Reporter • 12 years ago
I just rechecked, this is very bad, 0xffffffff is being accessed.
Updated • Reporter • 12 years ago
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
Keywords: sec-critical
Updated • Reporter • 12 years ago
Crash Signature: [@ js::ParallelArrayObject::IndexInfo::initialize]
Summary: "Assertion failure: dimensions.length() > 0," → Crash [@ js::ParallelArrayObject::IndexInfo::initialize] or "Assertion failure: dimensions.length() > 0,"
Comment 2 • Reporter • 12 years ago
One more testcase:

Function("ParallelArray([])")()

Assertion failure: !unknownProperties(),
Comment 3 • Assignee • 12 years ago

Comment 4 • Assignee • 12 years ago

Comment 5 • Assignee • 12 years ago
Note that the fix for the !unknownProperties() patch requires the patch in bug 783923 to be already applied.
Updated • Assignee • 12 years ago
Attachment #653234 - Flags: review?

Updated • Assignee • 12 years ago
Attachment #653235 - Flags: review?

Updated • Assignee • 12 years ago
Attachment #653234 - Flags: review? → review?(dmandelin)

Updated • Assignee • 12 years ago
Attachment #653235 - Flags: review? → review?(dmandelin)
Comment 6 • Assignee • 12 years ago
Comment on attachment 653235 [details] [diff] [review]: fix for !unknownProperties() assert

Actually, this makes more sense to be reviewed by bhackett.

Attachment #653235 - Flags: review?(dmandelin) → review?(bhackett1024)
Updated • Reporter • 12 years ago
Summary: Crash [@ js::ParallelArrayObject::IndexInfo::initialize] or "Assertion failure: dimensions.length() > 0," → Crash [@ js::ParallelArrayObject::IndexInfo::initialize] or "Assertion failure: dimensions.length() > 0," or "Assertion failure: !unknownProperties(),"

Updated • 12 years ago
Attachment #653234 - Flags: review?(dmandelin) → review+

Updated • 12 years ago
Attachment #653235 - Flags: review?(bhackett1024) → review+
Comment 7 • Assignee • 12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/6087ddaf9911
https://hg.mozilla.org/integration/mozilla-inbound/rev/f6ff05c68a61
Comment 8 • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/6087ddaf9911
https://hg.mozilla.org/mozilla-central/rev/f6ff05c68a61

Assignee: general → shu
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Updated • 12 years ago
Status: RESOLVED → VERIFIED
Comment 9 • 12 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 10 • 12 years ago
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #1)
> I just rechecked, this is very bad, 0xffffffff is being accessed.

If %rax is always null then it doesn't really matter where the other address is, it's still going to crash before it does anything nasty. Is it always null? That seems to be the case the patch is protecting against.

Depends on: 783923
Comment 11 • Reporter • 12 years ago
The instruction at %pc register is:

movl $0x1,(%rax,%rcx,4)

Does this mean storing 0x1 at %rax and %rcx, not accessing %rax and %rcx themselves?
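The instruction quoted in comment 11 uses AT&T scaled-index addressing: `movl $0x1,(%rax,%rcx,4)` stores the 32-bit immediate 1 to memory at address %rax + 4 * %rcx and only reads the two registers; neither register is modified. The following C program is an added illustration for crash triage, not code from this bug, from SpiderMonkey or from Bugzilla: it parses a debugger-printed memory operand of the form disp(%base,%index,scale), computes the effective address for chosen register values, and, with the constructed null %rax of the scenario in comment 10, shows the resulting write landing relative to address zero rather than at either register.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not SpiderMonkey or Bugzilla code: decodes an AT&T
 * memory operand "disp(%base,%index,scale)" as printed by gdb and computes
 * the address a store such as movl $0x1,(%rax,%rcx,4) would write to. */
typedef struct {
    char base[8];      /* register name without '%', e.g. "rax" */
    char index[8];     /* register name without '%', e.g. "rcx" */
    unsigned scale;    /* 1, 2, 4 or 8; 1 when omitted */
    int64_t disp;      /* displacement; 0 when omitted */
    int has_base;
    int has_index;
} MemOperand;

/* Parse "disp(%base,%index,scale)". disp, base, index and scale may each be
 * omitted as the assembler allows. Returns 1 on success, 0 on malformed input. */
int parse_mem_operand(const char *s, MemOperand *out)
{
    memset(out, 0, sizeof *out);
    out->scale = 1;

    const char *p = s;
    if (*p != '(') {                       /* optional leading displacement */
        char *end;
        out->disp = (int64_t)strtoll(p, &end, 0);
        if (end == p || *end != '(') return 0;
        p = end;
    }
    p++;                                   /* skip '(' */

    const char *close = strchr(p, ')');
    if (!close || close[1] != '\0') return 0;

    char inner[32];
    size_t n = (size_t)(close - p);
    if (n >= sizeof inner) return 0;
    memcpy(inner, p, n);
    inner[n] = '\0';

    /* Split the parenthesised part on commas into base, index, scale. */
    char *fields[3] = {0};
    int nf = 0;
    char *cur = inner;
    for (;;) {
        if (nf == 3) return 0;             /* more than three fields */
        fields[nf++] = cur;
        char *comma = strchr(cur, ',');
        if (!comma) break;
        *comma = '\0';
        cur = comma + 1;
    }

    if (fields[0][0] == '%') {
        strncpy(out->base, fields[0] + 1, sizeof out->base - 1);
        out->has_base = 1;
    } else if (fields[0][0] != '\0') {
        return 0;
    }
    if (nf >= 2) {
        if (fields[1][0] != '%') return 0;
        strncpy(out->index, fields[1] + 1, sizeof out->index - 1);
        out->has_index = 1;
    }
    if (nf == 3) {
        char *end;
        unsigned long sc = strtoul(fields[2], &end, 10);
        if (*end != '\0' || (sc != 1 && sc != 2 && sc != 4 && sc != 8)) return 0;
        out->scale = (unsigned)sc;
    }
    return 1;
}

/* Effective address = disp + base + index * scale (mod 2^64, as the CPU does). */
uint64_t effective_address(const MemOperand *m, uint64_t base_val, uint64_t index_val)
{
    uint64_t ea = (uint64_t)m->disp;
    if (m->has_base)  ea += base_val;
    if (m->has_index) ea += index_val * m->scale;
    return ea;
}

int main(void)
{
    MemOperand m;
    if (!parse_mem_operand("(%rax,%rcx,4)", &m)) return 1;
    /* Constructed register values for the scenario discussed in comment 10:
     * a null %rax base with a small index. */
    uint64_t rax = 0, rcx = 5;
    printf("movl $0x1,(%%rax,%%rcx,4) writes 4 bytes to 0x%llx (registers unchanged)\n",
           (unsigned long long)effective_address(&m, rax, rcx));
    return 0;
}
```

The parser accepts the operand forms gdb prints (a bare register, a displacement with base, an index-only form such as (,%rcx,8)) and rejects scales other than 1, 2, 4 and 8, so a mistyped disassembly line fails loudly instead of producing a plausible-looking address during triage.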
Updated • 12 years ago
Whiteboard: [fuzzblocker] → [fuzzblocker][adv-track-main17-]

Updated • 11 years ago
Group: core-security