Assertion failure: (ptrBits & 0x7) == 0, at ./dist/include/js/Value.h:703 or Crash [@ ToPrimitive] with controllable invalid read involving rest arguments

RESOLVED DUPLICATE of bug 875957

Status

Core
JavaScript Engine
--
critical
5 years ago
3 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, crash, testcase})

Trunk
x86_64
Linux
assertion, crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-central revision e58336e81395 (run with --ion-eager):


var x = [];
var n = [];
var np = 0xbeef;
function mont_(... y) {
  for (j=1 ; j<y.length; j++)
    undefined * y[j];
}
mont_(x, n, np);
(Reporter)

Comment 1

5 years ago
Created attachment 755553
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

5 years ago
Crashes near 0xbeef, so marking s-s. djvj mentioned this could be a dup of one of the other bugs that crash similarly, but he wasn't sure so we decided to file and track this as the other bugs get fixed.
Crash Signature: [@ ToPrimitive]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 3

5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132612:b2216a10f95b
user:        Shu-yu Guo
date:        Tue May 21 23:52:45 2013 -0700
summary:     Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)

This iteration took 0.949 seconds to run.

This is probably a dup of 875957. Confirming.

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 875957
Group: core-security