Closed
Bug 896126
Opened 11 years ago
Closed 11 years ago
Assertion failure: parent, at jswrapper.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla25
Release | Tracking | Status |
---|---|---|
firefox23 | --- | affected |
firefox24 | --- | fixed |
firefox25 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main24+])
Attachments
(4 files)
({ r: function() { function f() { w[0xe56241c6 >> 3] } }, s: function() { "use asm" return (1 for asserts js debug shell on m-c changeset 0d0263a58f06 without any CLI arguments at Assertion failure: parent, at jswrapper.cpp
Reporter
Comment 1•11 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88
user: Bobby Holley
date: Wed Jul 17 11:53:52 2013 -0700
summary: Bug 887334 - Use the new AutoCompartment overload for the atoms compartment and remove AutoEnterAtomsCompartment. r=bhackett
Blocks: CVE-2013-1738
Flags: needinfo?(bobbyholley+bmo)
Comment 2•11 years ago
LangFuzz also found tests for this, but they involve gczeal:

gczeal(2,1);
function runTestCase(testcase) { $ERROR('Test case returned non-true value!'); }
function newFunc(x) { new Function(x)(); };
newFunc("\
function testcase() {\
\"use strict\";\
try {} catch (eval) {}\
}\
runTestCase(testcase);\
");

Marking s-s based on that.
Group: core-security
Comment 3•11 years ago
Reporter
Comment 4•11 years ago
I can reproduce using:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-07-22-mozilla-central-debug/jsshell-mac64.zip

./js testcase.js
Assertion failure: parent, at ../../../js/src/jswrapper.cpp:35
Assignee
Comment 5•11 years ago
Ah, I was doing |./js < testcase.js|. Gary explained IRL that I need to drop the |<|.
Flags: needinfo?(bobbyholley+bmo)
Assignee
Updated•11 years ago
Assignee: general → bobbyholley+bmo
Assignee
Comment 6•11 years ago
Attachment #779368 -
Flags: review?
Assignee
Updated•11 years ago
Attachment #779368 -
Flags: review? → review?(luke)
Assignee
Comment 7•11 years ago
https://tbpl.mozilla.org/?tree=Try&rev=5ff314641023
Updated•11 years ago
Attachment #779368 -
Flags: review?(luke) → review+
Assignee
Comment 8•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/de1042bf3026
Updated•11 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 9•11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b717a7945dfb).
Comment 10•11 years ago
https://hg.mozilla.org/mozilla-central/rev/de1042bf3026
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox25:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Updated•11 years ago
Status: RESOLVED → VERIFIED
Comment 11•11 years ago
JSBugMon: This bug has been automatically verified fixed.
Assignee
Comment 12•11 years ago
https://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?changeset=84b828b63115
status-firefox24:
--- → fixed
(In reply to Bobby Holley (:bholley) from comment #12)
> https://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?changeset=84b828b63115

Backed out from Aurora for possibly causing xpcshell crashes along with the other changes from bholley's push in https://hg.mozilla.org/releases/mozilla-aurora/rev/659b0d61fbc6
Assignee
Comment 14•11 years ago
https://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?changeset=5f9484e134f9
Comment 15•11 years ago
Backed out for xpcshell failures. https://hg.mozilla.org/releases/mozilla-aurora/rev/b3d0c2498b42
Assignee
Comment 16•11 years ago
https://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?changeset=3266c1d73816
Comment 17•11 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> autoBisect shows this is probably related to the following changeset:
>
> The first bad revision is:
> changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88
> user: Bobby Holley
> date: Wed Jul 17 11:53:52 2013 -0700
> summary: Bug 887334 - Use the new AutoCompartment overload for the atoms
> compartment and remove AutoEnterAtomsCompartment. r=bhackett

If this was the regression, why did this affect Firefox 24? Firefox 25 was trunk then.
Reporter
Comment 18•11 years ago
Probably the wrong regressing bug? bholley might know.
Assignee
Comment 19•11 years ago
(In reply to Al Billings [:abillings] from comment #17)
> (In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> > autoBisect shows this is probably related to the following changeset:
> >
> > The first bad revision is:
> > changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88
> > user: Bobby Holley
> > date: Wed Jul 17 11:53:52 2013 -0700
> > summary: Bug 887334 - Use the new AutoCompartment overload for the atoms
> > compartment and remove AutoEnterAtomsCompartment. r=bhackett
>
> If this was the regression, why did this affect Firefox 24? Firefox 25 was
> trunk then.

Because I backported bug 887334 to 24.
Updated•11 years ago
status-firefox23:
--- → affected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main24+]
Comment 20•11 years ago
regressing bug was not backported to ESR17 or b2g18
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Updated•10 years ago
Group: core-security