Closed
Bug 819797
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ js::ion::CodeGenerator::visitCallKnown] or "Assertion failure: hasScript(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox18 | --- | unaffected |
| firefox19 | --- | unaffected |
| firefox20 | - | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: h4writer)
References
Details
(6 keywords, Whiteboard: [adv-main20-])
Crash Data
Attachments
(3 files)
x = y = z = this
toSource = (function() {
return function() {
(function() {
y.eval
})()
}
})()
__defineGetter__("eval", Array.reduce)
uneval(z)
asserts js debug shell on IonMonkey changeset 725eb8792d27 with --ion-eager at Assertion failure: hasScript(), and crashes js opt shell at js::ion::CodeGenerator::visitCallKnown
Setting s-s just-in-case but seems to be a null deref, so assuming sec-moderate and csec-dos.
|
Reporter | |
Comment 1•13 years ago
|
||
|
|
Reporter | |
Updated•13 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox17:
--- → unaffected
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
Assignee | |
Comment 2•13 years ago
|
||
Create the script of a lazy function, before taking the script to do checks on...
Assignee: general → hv1989
Attachment #690244 -
Flags: review?(dvander)
|
|
Reporter | |
Updated•13 years ago
|
Keywords: sec-moderate → sec-other
|
|
Reporter | |
Comment 3•13 years ago
|
||
Null derefs are marked sec-other instead of sec-moderate unless otherwise discovered.
|
|
||
Updated•13 years ago
|
Attachment #690244 -
Flags: review?(dvander) → review+
|
|
Reporter | |
Updated•13 years ago
|
Flags: in-testsuite?
Keywords: checkin-needed
|
|
Assignee | |
Comment 4•13 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1181c5df5866
I had no idea if I could just upload the testcase. Is that allowed in security bugs?
Flags: in-testsuite? → in-testsuite-
Keywords: checkin-needed
|
||
Updated•13 years ago
|
Flags: in-testsuite- → in-testsuite?
|
|
Reporter | |
Comment 5•13 years ago
|
||
> I had no idea if I could just upload the testcase. Is that allowed in
> security bugs?
For nightly-only bugs, it should be alright.
|
||
Comment 6•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a4a0aa798038
https://hg.mozilla.org/mozilla-central/rev/1181c5df5866
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
|
||
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 7•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
Reporter | |
Updated•13 years ago
|
Flags: in-testsuite? → in-testsuite+
|
||
Updated•13 years ago
|
|
||
Updated•12 years ago
|
Whiteboard: [adv-main20-]
You need to log in
before you can comment on or make changes to this bug.
Description
•