IonMonkey: Crash [@ js::ion::CodeGenerator::visitCallKnown] or "Assertion failure: hasScript(),"

VERIFIED FIXED in Firefox 20

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: gkw, Assigned: h4writer)

Tracking

(Blocks: 2 bugs, 6 keywords)

Trunk
mozilla20
x86_64
All
assertion, crash, csectype-dos, regression, sec-other, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox17 unaffected, firefox18 unaffected, firefox19 unaffected, firefox20- fixed, firefox-esr10 unaffected, firefox-esr17 unaffected)

Details

(Whiteboard: [adv-main20-], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 690220 [details]
stack

x = y = z = this
toSource = (function() {
    return function() {
        (function() {
            y.eval
        })()
    }
})()
__defineGetter__("eval", Array.reduce)
uneval(z)

asserts js debug shell on IonMonkey changeset 725eb8792d27 with --ion-eager at Assertion failure: hasScript(), and crashes js opt shell at js::ion::CodeGenerator::visitCallKnown

Setting s-s just-in-case but seems to be a null deref, so assuming sec-moderate and csec-dos.
(Reporter)

Comment 1

6 years ago
Created attachment 690226 [details]
regressing changeset range
(Reporter)

Updated

6 years ago
status-firefox-esr10: --- → unaffected
status-firefox17: --- → unaffected
status-firefox18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox-esr17: --- → unaffected
(Assignee)

Comment 2

6 years ago
Created attachment 690244 [details] [diff] [review]
Create script of lazy function

Create the script of a lazy function, before taking the script to do checks on...
Assignee: general → hv1989
Attachment #690244 - Flags: review?(dvander)
(Reporter)

Updated

6 years ago
Keywords: sec-moderate → sec-other
(Reporter)

Comment 3

6 years ago
Null derefs are marked sec-other instead of sec-moderate unless otherwise discovered.
Attachment #690244 - Flags: review?(dvander) → review+
(Reporter)

Updated

6 years ago
Flags: in-testsuite?
Keywords: checkin-needed
(Assignee)

Comment 4

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1181c5df5866

I had no idea if I could just upload the testcase. Is that allowed in security bugs?
Flags: in-testsuite? → in-testsuite-
Keywords: checkin-needed
Flags: in-testsuite- → in-testsuite?
(Reporter)

Comment 5

6 years ago
> I had no idea if I could just upload the testcase. Is that allowed in
> security bugs?

For nightly-only bugs, it should be alright.

Comment 6

6 years ago
https://hg.mozilla.org/mozilla-central/rev/a4a0aa798038
https://hg.mozilla.org/mozilla-central/rev/1181c5df5866
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox20: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
(Reporter)

Updated

6 years ago
Flags: in-testsuite? → in-testsuite+
tracking-firefox20: ? → -
Whiteboard: [adv-main20-]

Updated

5 years ago
Depends on: 853154
Unmarking S-S: fixed in all builds.
Group: core-security