Closed Bug 784639 Opened 12 years ago Closed 12 years ago

"Assertion failure: pc >= code && pc + sizeof(uint32_t) < code + length,"

Categories: Core :: JavaScript Engine, defect
Platform: x86_64, macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla17
Tracking Status:
firefox16 --- unaffected
firefox17 --- verified
firefox-esr10 --- unaffected
People: Reporter: gkw, Assigned: luke

Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update][fuzzblocker][adv-track-main17-]

Attachments (2 files)

Attached file stack
evalcx("\
  Object.defineProperty(this, \"a\", {});\
  f = (function(j) {\
	  a = Proxy\
  });\
  Object.defineProperty(this, \"g\", {\
	  get: function() {\
		  return ({\
			  r: function() {},\
			  t: function() {}\
		  })\
	  }\
  });\
  for (p in g) {\
	  f(1)\
  }\
", newGlobal())

asserts js debug shell on m-c changeset abc17059522b with -m, -n and -a at Assertion failure: pc >= code && pc + sizeof(uint32_t) < code + length,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102943:57c1c330e85f
user:        Luke Wagner
date:        Fri Aug 17 18:09:43 2012 -0700
summary:     Bug 774915 - don't use the property cache for dynamic name lookup (r=bhackett)
Seeing the same here with varying stacks, marking as fuzzblocker.
Whiteboard: [jsbugmon:update][fuzzblocker]
This bug is also causing security-sensitive crashes on opt builds.
Group: core-security
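The assertion quoted in the bug title, pc >= code && pc + sizeof(uint32_t) < code + length, is a bounds check: the interpreter is about to read a 4-byte operand at pc and requires that pc lie inside the current script's bytecode with room for that read. The comment above notes the practical consequence of such a check living only in an assert: on an opt build the assert is compiled out, so a pc that does not belong to the script being executed is read anyway, and the result is a security-sensitive crash rather than a diagnostic. The following is an added illustration of that predicate and of keeping it live in release code; it is not code from this bug, from the attached patch, or from SpiderMonkey. The bytecode layout (one opcode byte, optionally followed by a little-endian 4-byte operand), the two sample scripts, and the function names are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed for this example: a toy bytecode layout in which an opcode byte
 * may be followed by a 4-byte little-endian operand. This is NOT SpiderMonkey's
 * bytecode format; only the pc bounds predicate mirrors the assertion text. */
typedef unsigned char jsbytecode;

/* The assertion's condition, pc >= code && pc + sizeof(uint32_t) < code + length,
 * as a plain predicate. Comparing through uintptr_t keeps the check well defined
 * even when pc points into a different script's buffer entirely. */
static bool pc_has_uint32_room(const jsbytecode *code, size_t length,
                               const jsbytecode *pc)
{
    uintptr_t base = (uintptr_t)code, p = (uintptr_t)pc;
    if (p < base)
        return false;
    uintptr_t off = p - base;
    return off + sizeof(uint32_t) < length;   /* strict <, as in the assertion */
}

/* Reads the operand at pc, or reports failure. A debug-only assert() disappears
 * under NDEBUG (an opt build), which is why a bad pc in this bug became a crash
 * rather than a diagnostic there; returning a status keeps the check live. */
static bool read_uint32_operand(const jsbytecode *code, size_t length,
                                const jsbytecode *pc, uint32_t *out)
{
    if (!pc_has_uint32_room(code, length, pc))
        return false;
    *out = (uint32_t)pc[0] | ((uint32_t)pc[1] << 8) |
           ((uint32_t)pc[2] << 16) | ((uint32_t)pc[3] << 24);
    return true;
}

/* Two constructed scripts (sample input, not real bytecode). */
static const jsbytecode script_a[] = {0x01, 0xAA, 0xBB, 0xCC, 0xDD, 0x00};
static const jsbytecode script_b[] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x00};

/* In-range read: the operand following script_a's first opcode. */
static uint32_t demo_read_in_range(void)
{
    uint32_t v = 0;
    return read_uint32_operand(script_a, sizeof script_a, script_a + 1, &v) ? v : 0;
}

/* A pc that belongs to a different script than the one being executed. This is
 * an assumed stand-in for the pc/script mismatch the cx->fp() remark on this bug
 * hints at; the exact SpiderMonkey mechanics are not described on this page. */
static bool demo_cross_script_pc_rejected(void)
{
    uint32_t v;
    return !read_uint32_operand(script_a, sizeof script_a, script_b + 1, &v);
}

/* A pc whose operand would end exactly at the buffer end is also rejected,
 * because the assertion uses < rather than <=. */
static bool demo_trailing_pc_rejected(void)
{
    uint32_t v;
    return !read_uint32_operand(script_a, sizeof script_a, script_a + 2, &v);
}
```

The point of the status-returning reader is the caveat a practitioner wants here: an assertion documents an invariant but does not enforce it in the build users run, so a check guarding a memory read either needs to hold by construction (which is what the fix below restores by no longer reading the frame from cx->fp()) or needs to stay in release code.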
Attached patch fix and test
Gah, why does cx->fp() even still exist?!
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #654233 - Flags: review?(bhackett1024)
Attachment #654233 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/236d384dc4f9
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][adv-track-main17-]
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug784639.js.
Flags: in-testsuite+
