Closed Bug 819797 Opened 7 years ago Closed 7 years ago

IonMonkey: Crash [@ js::ion::CodeGenerator::visitCallKnown] or "Assertion failure: hasScript(),"

Categories

(Core :: JavaScript Engine, defect, critical)
Platform: x86_64 / All
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
mozilla20
Tracking Status
firefox17 --- unaffected
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 - fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Assigned: h4writer)

References

(Blocks 1 open bug)

Details

(6 keywords, Whiteboard: [adv-main20-])

Attachments

(3 files)

Attached file stack
x = y = z = this
toSource = (function() {
    return function() {
        (function() {
            y.eval
        })()
    }
})()
__defineGetter__("eval", Array.reduce)
uneval(z)

Asserts the js debug shell on IonMonkey changeset 725eb8792d27 with --ion-eager at "Assertion failure: hasScript()," and crashes the js opt shell at js::ion::CodeGenerator::visitCallKnown.

Setting s-s just in case, but it seems to be a null deref, so assuming sec-moderate and csec-dos.
Create the script of a lazy function, before taking the script to do checks on...
Assignee: general → hv1989
Attachment #690244 - Flags: review?(dvander)
Keywords: sec-moderate → sec-other
Null derefs are marked sec-other instead of sec-moderate unless otherwise discovered.
Attachment #690244 - Flags: review?(dvander) → review+
Flags: in-testsuite?
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/1181c5df5866

I had no idea if I could just upload the testcase. Is that allowed in security bugs?
Flags: in-testsuite? → in-testsuite-
Keywords: checkin-needed
Flags: in-testsuite- → in-testsuite?
> I had no idea if I could just upload the testcase. Is that allowed in
> security bugs?

For nightly-only bugs, it should be alright.
https://hg.mozilla.org/mozilla-central/rev/a4a0aa798038
https://hg.mozilla.org/mozilla-central/rev/1181c5df5866
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Flags: in-testsuite? → in-testsuite+
Whiteboard: [adv-main20-]
Depends on: 853154
Unmarking S-S: fixed in all builds.
Group: core-security