Closed
Bug 896126
Opened 11 years ago
Closed 11 years ago
Assertion failure: parent, at jswrapper.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla25
| Tracking | Status | |
|---|---|---|
| firefox23 | --- | affected |
| firefox24 | --- | fixed |
| firefox25 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main24+])
Attachments
(4 files)
({
r: function() {
function f() {
w[0xe56241c6 >> 3]
}
},
s: function() {
"use asm"
return (1 for
asserts js debug shell on m-c changeset 0d0263a58f06 without any CLI arguments at Assertion failure: parent, at jswrapper.cpp
|
Reporter | |
Comment 1•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88 user: Bobby Holley date: Wed Jul 17 11:53:52 2013 -0700 summary: Bug 887334 - Use the new AutoCompartment overload for the atoms compartment and remove AutoEnterAtomsCompartment. r=bhackett
Blocks: CVE-2013-1738
Flags: needinfo?(bobbyholley+bmo)
|
||
Comment 2•11 years ago
|
||
LangFuzz also found tests for this, but they involve gczeal:
gczeal(2,1);
function runTestCase(testcase) {
$ERROR('Test case returned non-true value!');
}
function newFunc(x) { new Function(x)(); };
newFunc("\
function testcase() {\
\"use strict\";\
try {} catch (eval) {}\
}\
runTestCase(testcase);\
");
Marking s-s based on that.Group: core-security
|
|
||
Comment 3•11 years ago
|
||
|
|
Reporter | |
Comment 4•11 years ago
|
||
I can reproduce using: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-07-22-mozilla-central-debug/jsshell-mac64.zip ./js testcase.js Assertion failure: parent, at ../../../js/src/jswrapper.cpp:35
|
Assignee | |
Comment 5•11 years ago
|
||
Ah, I was doing |./js < testcase.js|. Gary explained IRL that I need to drop the |<|.
Flags: needinfo?(bobbyholley+bmo)
|
|
Assignee | |
Updated•11 years ago
|
Assignee: general → bobbyholley+bmo
|
|
Assignee | |
Comment 6•11 years ago
|
||
Attachment #779368 -
Flags: review?
|
|
Assignee | |
Updated•11 years ago
|
Attachment #779368 -
Flags: review? → review?(luke)
|
|
Assignee | |
Comment 7•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=5ff314641023
|
|
||
Updated•11 years ago
|
Attachment #779368 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/de1042bf3026
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 9•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b717a7945dfb).
|
||
Comment 10•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/de1042bf3026
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox25:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
|
|
||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 11•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
Assignee | |
Comment 12•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?changeset=84b828b63115
status-firefox24:
--- → fixed
(In reply to Bobby Holley (:bholley) from comment #12) > https://hg.mozilla.org/releases/mozilla-aurora/ > pushloghtml?changeset=84b828b63115 Backed out from Aurora for possibly causing xpcshell crashes along with the other changes from bholley's push in https://hg.mozilla.org/releases/mozilla-aurora/rev/659b0d61fbc6
|
|
Assignee | |
Comment 14•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?changeset=5f9484e134f9
|
||
Comment 15•11 years ago
|
||
Backed out for xpcshell failures. https://hg.mozilla.org/releases/mozilla-aurora/rev/b3d0c2498b42
|
|
Assignee | |
Comment 16•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?changeset=3266c1d73816
|
|
Assignee | |
Updated•11 years ago
|
|
||
Comment 17•11 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1) > autoBisect shows this is probably related to the following changeset: > > The first bad revision is: > changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88 > user: Bobby Holley > date: Wed Jul 17 11:53:52 2013 -0700 > summary: Bug 887334 - Use the new AutoCompartment overload for the atoms > compartment and remove AutoEnterAtomsCompartment. r=bhackett If this was the regression, why did this affect Firefox 24? Firefox 25 was trunk then.
|
|
Reporter | |
Comment 18•11 years ago
|
||
Probably the wrong regressing bug? bholley might know.
|
|
Assignee | |
Comment 19•11 years ago
|
||
(In reply to Al Billings [:abillings] from comment #17) > (In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1) > > autoBisect shows this is probably related to the following changeset: > > > > The first bad revision is: > > changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88 > > user: Bobby Holley > > date: Wed Jul 17 11:53:52 2013 -0700 > > summary: Bug 887334 - Use the new AutoCompartment overload for the atoms > > compartment and remove AutoEnterAtomsCompartment. r=bhackett > > If this was the regression, why did this affect Firefox 24? Firefox 25 was > trunk then. Because I backported bug 887334 to 24.
|
|
||
Updated•11 years ago
|
status-firefox23:
--- → affected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main24+]
|
||
Comment 20•11 years ago
|
||
regressing bug was not backported to ESR17 or b2g18
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•