Bug 866611 - Assertion failure: length <= MAX_LENGTH, at vm/String.h
Status: Closed, VERIFIED FIXED (opened 10 years ago, closed 10 years ago)
Product / Component: Core :: JavaScript Engine, defect
Target Milestone: mozilla23

Tracking | Status
---|---
firefox22 | unaffected
firefox23 | verified
firefox-esr17 | unaffected
b2g18 | unaffected

People: Reporter: gkw, Assigned: jandem
Details: 5 keywords, Whiteboard: [jsbugmon:update][adv-main23-]
Attachments (1 file): patch, 1.28 KB, h4writer: review+
Description

```js
try {
    y = 'x';
    Object.defineProperty(this, "z", {
        get: function() {
            y += y;
            return z;
        }
    });
    Uint8Array(z);
} catch (e) {}
for (v of y) {}
```

asserts the js debug shell on m-c changeset 05533d50f2f7 with --ion-eager at:

Assertion failure: length <= MAX_LENGTH, at vm/String.h
Comment 1 (Assignee) • 10 years ago
Good catch. Regression from bug 863018. temp2 holds the length of the LHS, temp2 holds the result length and is the one we want to test against JSString::MAX_LENGTH.
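An added illustration of the mistake described in comment 1, written for this page and not taken from SpiderMonkey: a lazy rope concat whose overflow check reads the temporary holding the LHS length instead of the one holding the result length, next to the corrected check. The names TOY_MAX_LENGTH, Str, concat_buggy, concat_fixed, double_until_throw and flatten are this example's own, and the limit is scaled down from JSString::MAX_LENGTH so that the `y += y` doubling from the test case reaches it after ten rounds.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for JSString::MAX_LENGTH, scaled down (an assumption of this
 * example) so the overflow is reached after a handful of doublings. */
#define TOY_MAX_LENGTH 1000u

/* A string is either flat (chars != NULL) or a rope (left/right != NULL).
 * Like JSRope, concatenation is lazy: it records the pair and the summed
 * length, and the characters are only copied when the rope is flattened. */
typedef struct Str {
    size_t length;
    char *chars;
    struct Str *left, *right;
} Str;

typedef Str *(*concat_fn)(Str *lhs, Str *rhs, bool *threw);

static Str *make_flat(const char *s)
{
    Str *str = calloc(1, sizeof *str);
    str->length = strlen(s);
    str->chars = malloc(str->length + 1);
    memcpy(str->chars, s, str->length + 1);
    return str;
}

static Str *make_rope(Str *lhs, Str *rhs, size_t result_len)
{
    Str *str = calloc(1, sizeof *str);
    str->length = result_len;
    str->left = lhs;
    str->right = rhs;
    return str;
}

/* The regression: the check reads the temporary holding the LHS length,
 * so a result longer than the limit is accepted whenever the LHS alone fits. */
static Str *concat_buggy(Str *lhs, Str *rhs, bool *threw)
{
    size_t lhs_len = lhs->length;               /* temp: LHS length */
    size_t result_len = lhs_len + rhs->length;  /* temp: result length */
    if (lhs_len > TOY_MAX_LENGTH) {             /* wrong temporary */
        *threw = true;
        return NULL;
    }
    return make_rope(lhs, rhs, result_len);
}

/* The fix: the result length is what must be tested against the limit. */
static Str *concat_fixed(Str *lhs, Str *rhs, bool *threw)
{
    size_t lhs_len = lhs->length;
    size_t result_len = lhs_len + rhs->length;
    if (result_len > TOY_MAX_LENGTH) {
        *threw = true;
        return NULL;
    }
    return make_rope(lhs, rhs, result_len);
}

/* Mirrors the getter in the test case: y starts as 'x' and is doubled with
 * y += y until the concat throws. Returns the y that survives the throw. */
static Str *double_until_throw(concat_fn concat, int max_rounds)
{
    Str *y = make_flat("x");
    bool threw = false;
    for (int i = 0; i < max_rounds; i++) {
        Str *r = concat(y, y, &threw);
        if (threw)
            break;
        y = r;
    }
    return y;
}

static void copy_chars(const Str *s, char *out, size_t *pos)
{
    if (s->chars) {
        memcpy(out + *pos, s->chars, s->length);
        *pos += s->length;
    } else {
        copy_chars(s->left, out, pos);
        copy_chars(s->right, out, pos);
    }
}

/* Flattening is where the invariant is relied on: the engine's debug build
 * asserts length <= MAX_LENGTH in buildLengthAndFlags, which is the assertion
 * in this report; a release build has no check there. This toy returns NULL. */
static char *flatten(const Str *rope)
{
    if (rope->length > TOY_MAX_LENGTH)
        return NULL;
    char *out = malloc(rope->length + 1);
    size_t pos = 0;
    copy_chars(rope, out, &pos);
    out[pos] = '\0';
    return out;
}

int main(void)
{
    Str *bad = double_until_throw(concat_buggy, 20);
    Str *good = double_until_throw(concat_fixed, 20);
    printf("buggy check left a rope of length %zu (flatten %s)\n",
           bad->length, flatten(bad) ? "ok" : "violates invariant");
    printf("fixed check left a rope of length %zu\n", good->length);
    return 0;
}
```

With the buggy check the 512-character rope is doubled once more to 1024 before the next round throws, and that oversized rope is what the later `for (v of y)` flattens; with the fixed check the concat throws at the 512-to-1024 step and y never exceeds the limit.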
Comment 2 • 10 years ago

Comment on attachment 742966 (Patch)
Review of attachment 742966:
-----------------------------------------------------------------
Indeed an easy one to overlook.

Attachment #742966 - Flags: review?(hv1989) → review+
Updated • 10 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 • 10 years ago

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 130142:3b7a2cbccaaa
user: Jan de Mooij
date: Fri Apr 26 14:08:54 2013 +0200
summary: Bug 863018 part 2 - Add JSShortString path back to ConcatStrings and LConcat. r=luke

This iteration took 149.557 seconds to run.
Comment 4 • 10 years ago

I'm pretty sure this is s-s and at least sec-high. I'm seeing this trace in my fuzzer with the same assertion:

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000672298 in JSString::buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
231	    JS_ASSERT(length <= MAX_LENGTH);
#0  0x0000000000672298 in JSString::buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#1  0x0000000000674380 in buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#2  JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=<error reading variable: Cannot access memory at address 0x64006300620061>, maybecx=<optimized out>) at js/src/vm/String.cpp:276

Notice the memory address in frame #2 consisting of a string (in 16-bit Unicode).

Group: core-security
Keywords: csec-wildptr, sec-high
Comment 6 (Assignee) • 10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/cf9469c2c3c6
Comment 7 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/cf9469c2c3c6
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox23: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Updated • 10 years ago
Status: RESOLVED → VERIFIED
Comment 8 • 10 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 10 years ago

status-b2g18: --- → unaffected
status-firefox22: --- → unaffected
status-firefox-esr17: --- → unaffected

Marking status-firefox23:verified based on comment 8.
Updated • 10 years ago

Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main23-]

Updated • 9 years ago

Group: core-security