Bug 866611 - Assertion failure: length <= MAX_LENGTH, at vm/String.h
Status: Closed (opened 12 years ago, closed 12 years ago), VERIFIED FIXED, target milestone mozilla23
Categories: Core :: JavaScript Engine, defect
Branch | Tracking | Status
---|---|---
firefox22 | --- | unaffected
firefox23 | --- | verified
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter: gkw, Assigned: jandem
Whiteboard: [jsbugmon:update][adv-main23-] (5 keywords)
Attachments (1 file): patch, 1.28 KB, h4writer: review+
Description

```js
try {
  y = 'x'
  Object.defineProperty(this, "z", {
    get: function() {
      y += y
      return z
    }
  })
  Uint8Array(z)
} catch (e) {}
for (v of y) {}
```
asserts js debug shell on m-c changeset 05533d50f2f7 with --ion-eager at Assertion failure: length <= MAX_LENGTH, at vm/String.h
Comment 1 • 12 years ago
Good catch. Regression from bug 863018. temp2 holds the length of the LHS, temp2 holds the result length and is the one we want to test against JSString::MAX_LENGTH.
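The wrong-operand check that comment 1 describes, modelled in plain C as an added example (this is not SpiderMonkey's code): the buggy version tests the LHS length where the fixed version tests the result length, and the doubling loop mirrors the test case's `y += y` getter. The MAX_LENGTH value is an assumption for illustration; the page does not quote it.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed for illustration; the bug page does not quote the real
 * JSString::MAX_LENGTH value. */
#define MAX_LENGTH ((1u << 28) - 1)

/* Buggy check, as described in comment 1: the LHS length is compared
 * against MAX_LENGTH instead of the result length, so a result of up to
 * roughly twice the limit slips through. */
bool concat_allowed_buggy(uint32_t lhs_len, uint32_t rhs_len)
{
    uint32_t result_len = lhs_len + rhs_len;  /* computed, never tested */
    (void)result_len;
    return lhs_len <= MAX_LENGTH;
}

/* Fixed check: the result length is what must stay within MAX_LENGTH.
 * The sum is done in 64 bits so it cannot wrap before the comparison. */
bool concat_allowed_fixed(uint32_t lhs_len, uint32_t rhs_len)
{
    uint64_t result_len = (uint64_t)lhs_len + rhs_len;
    return result_len <= MAX_LENGTH;
}

/* Simulates the test case's getter, which keeps doing y += y: start from
 * a one-character string, double while the given check permits it, and
 * return the length of the largest string the check let into existence. */
uint64_t largest_length_allowed(bool (*check)(uint32_t, uint32_t))
{
    uint64_t len = 1;
    while (len <= UINT32_MAX && check((uint32_t)len, (uint32_t)len))
        len *= 2;
    return len;
}
```

With the fixed check the doubling stops at 2^27 characters; the buggy check lets one more doubling through, creating a 2^28-character string that is longer than MAX_LENGTH and that the later flatten asserts on.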
Comment 2 • 12 years ago
Comment on attachment 742966 [details] [diff] [review]
Patch
Review of attachment 742966 [details] [diff] [review]:
-----------------------------------------------------------------
Indeed an easy one to overlook.
Attachment #742966 - Flags: review?(hv1989) → review+
Updated • 12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 • 12 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 130142:3b7a2cbccaaa
user: Jan de Mooij
date: Fri Apr 26 14:08:54 2013 +0200
summary: Bug 863018 part 2 - Add JSShortString path back to ConcatStrings and LConcat. r=luke
This iteration took 149.557 seconds to run.
Comment 4 • 12 years ago
I'm pretty sure this is s-s and at least sec-high. I'm seeing this trace in my fuzzer with the same assertion:
```text
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000672298 in JSString::buildLengthAndFlags (
    flags=<optimized out>, length=<optimized out>, this=<optimized out>)
    at ../vm/String.h:231
231         JS_ASSERT(length <= MAX_LENGTH);
#0  0x0000000000672298 in JSString::buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#1  0x0000000000674380 in buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#2  JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=<error reading variable: Cannot access memory at address 0x64006300620061>, maybecx=<optimized out>) at js/src/vm/String.cpp:276
```
Notice the memory address in frame #2 consisting of a string (in 16 bit unicode).
Group: core-security
Keywords: csec-wildptr, sec-high
Comment 6 • 12 years ago
Comment 7 • 12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox23: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Updated • 12 years ago
Status: RESOLVED → VERIFIED
Comment 8 • 12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 12 years ago
status-b2g18: --- → unaffected
status-firefox22: --- → unaffected
status-firefox-esr17: --- → unaffected
Marking status-firefox23:verified based on comment 8.
Updated • 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main23-]
Updated • 11 years ago
Group: core-security