Closed Bug 876642 Opened 11 years ago Closed 11 years ago

Assertion failure: s <= end, at ../jsstrinlines.h:98

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 875804

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision c190422547ed (no options required):


function my_iterator_next() { return my_iterator_next; }
function testCustomIterator() {
  var o = {
    __iterator__: function () {
      return {
        next: my_iterator_next,
      };
    }
  };
  for(var j in o) {
    unescape(1 + (j >> 0));
    // Use this line instead to get a straight unsafe crash
    //unescape(j);
  }
}
testCustomIterator();

This range assertion can be turned quickly into a non-safe crash:


Program received signal SIGSEGV, Segmentation fault.
0x0831cab5 in str_unescape (cx=0x92693c8, argc=1, vp=0xffffc654) at js/src/jsstr.cpp:290
290             jschar c = chars[k];
(gdb) bt
#0  0x0831cab5 in str_unescape (cx=0x92693c8, argc=1, vp=0xffffc654) at js/src/jsstr.cpp:290
#1  0xf7fd2784 in ?? ()
Cannot access memory at address 0xffffff8b
(gdb) info register
edx            0xf7600000       -144703488
(gdb) x /i $pc
=> 0x831cab5 <str_unescape(JSContext*, unsigned int, JS::Value*)+245>:  movzwl (%edx),%edi


I assume this is some form of confusion between a string and something else. Bug 876458 might be pointing to the same problem, but I'll wait for the bisect result to confirm that they both have the same regressor.
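The faulting instruction above is a string routine loading chars[k] through a pointer that never pointed at string data. As an added illustration of that bug class (a model written for this page, not SpiderMonkey code and not the reporter's), the C below shows the tag check a string-only routine like str_unescape depends on, and what the testcase's function-valued j looks like when it arrives at such a routine. The names value, js_string, js_object, unescape_value and the demo_ helpers are invented; the %XX decoding is a deliberately reduced version of unescape.

```c
/* Added illustration of the bug class in the report (type confusion
 * reaching a string-only routine). This is a hypothetical model, not
 * SpiderMonkey code: value, js_string, js_object, unescape_value and the
 * demo_ helpers are invented names. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { TAG_INT32, TAG_STRING, TAG_OBJECT } value_tag;

/* A string is a length plus a pointer to UTF-16 code units (jschar). */
typedef struct { size_t length; const uint16_t *chars; } js_string;
/* A callable object; its first word is a code pointer, not a length. */
typedef struct { void *(*call)(void *); void *slots[2]; } js_object;

typedef struct {
    value_tag tag;
    union { int32_t i32; const js_string *str; const js_object *obj; } payload;
} value;

static int hexval(uint16_t c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes (the %uXXXX form is left out to keep the model short).
 * Every chars[k] read is guarded by k < length, the invariant that the
 * "s <= end" assertion in jsstrinlines.h expresses. Returns the number of
 * code units written, or -1 for a non-string value or a full output buffer. */
ptrdiff_t unescape_value(const value *v, uint16_t *out, size_t outcap) {
    /* This tag check is what type confusion bypasses: a compiler that has
     * specialised the call site on "argument is always a string" skips it,
     * and a function object is then read as a js_string, so length and chars
     * come from the object's code pointer and slots. That is the shape of
     * the crash in the report: movzwl (%edx),%edi with a garbage edx. */
    if (v->tag != TAG_STRING)
        return -1;
    const js_string *s = v->payload.str;
    size_t n = s->length, k = 0, o = 0;
    while (k < n) {
        uint16_t c = s->chars[k];
        if (c == '%' && k + 2 < n) {
            int hi = hexval(s->chars[k + 1]);
            int lo = hexval(s->chars[k + 2]);
            if (hi >= 0 && lo >= 0) {
                c = (uint16_t)(hi * 16 + lo);
                k += 3;
            } else {
                k += 1;            /* malformed escape: keep the '%' */
            }
        } else {
            k += 1;
        }
        if (o >= outcap)
            return -1;
        out[o++] = c;
    }
    return (ptrdiff_t)o;
}

/* Helper: widen constructed ASCII input to UTF-16, decode, narrow back. */
ptrdiff_t demo_unescape_ascii(const char *ascii, char *out, size_t outcap) {
    uint16_t in[64], dec[64];
    size_t n = strlen(ascii);
    if (n > 64 || outcap > 64) return -1;
    for (size_t i = 0; i < n; i++) in[i] = (uint16_t)(unsigned char)ascii[i];
    js_string str = { n, in };
    value v = { TAG_STRING, { .str = &str } };
    ptrdiff_t m = unescape_value(&v, dec, outcap);
    if (m < 0) return m;
    for (ptrdiff_t i = 0; i < m; i++) out[i] = (char)dec[i];
    return m;
}

/* Helper: 1 if decoding `ascii` yields exactly `expect`. */
int demo_unescape_matches(const char *ascii, const char *expect) {
    char buf[64];
    ptrdiff_t m = demo_unescape_ascii(ascii, buf, sizeof buf);
    return m >= 0 && (size_t)m == strlen(expect) && memcmp(buf, expect, (size_t)m) == 0;
}

static void *noop_call(void *x) { return x; }

/* What the testcase hands to unescape(j): a function object, not a string.
 * With the tag check in place this is rejected instead of dereferenced. */
ptrdiff_t demo_unescape_function_object(void) {
    js_object fn = { noop_call, { NULL, NULL } };
    value v = { TAG_OBJECT, { .obj = &fn } };
    uint16_t dec[8];
    return unescape_value(&v, dec, 8);
}
```

The point of the model is the first branch of unescape_value: the bounds check inside the loop only protects a buffer that is really a string, so the routine's safety rests on the tag check (or on the engine's type inference being right about what reaches it), which is the assumption the regressing changeset disturbed.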
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132801:4370f503d69f
user:        Brian Hackett
date:        Thu May 23 13:25:19 2013 -0600
summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

This iteration took 9.865 seconds to run.
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Group: core-security