Closed
Bug 896126
Opened 11 years ago
Closed 11 years ago
Assertion failure: parent, at jswrapper.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla25
| Tracking | Status | |
|---|---|---|
| firefox23 | --- | affected |
| firefox24 | --- | fixed |
| firefox25 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main24+])
Attachments
(4 files)
({
r: function() {
function f() {
w[0xe56241c6 >> 3]
}
},
s: function() {
"use asm"
return (1 for
asserts js debug shell on m-c changeset 0d0263a58f06 without any CLI arguments at Assertion failure: parent, at jswrapper.cpp
|
Reporter | |
Comment 1•11 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88
user: Bobby Holley
date: Wed Jul 17 11:53:52 2013 -0700
summary: Bug 887334 - Use the new AutoCompartment overload for the atoms compartment and remove AutoEnterAtomsCompartment. r=bhackett
Blocks: CVE-2013-1738
Flags: needinfo?(bobbyholley+bmo)
|
||
Comment 2•11 years ago
|
||
LangFuzz also found tests for this, but they involve gczeal:
gczeal(2,1);
function runTestCase(testcase) {
$ERROR('Test case returned non-true value!');
}
function newFunc(x) { new Function(x)(); };
newFunc("\
function testcase() {\
\"use strict\";\
try {} catch (eval) {}\
}\
runTestCase(testcase);\
");
Marking s-s based on that.
Group: core-security
|
|
||
Comment 3•11 years ago
|
||
|
|
Reporter | |
Comment 4•11 years ago
|
||
I can reproduce using:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-07-22-mozilla-central-debug/jsshell-mac64.zip
./js testcase.js
Assertion failure: parent, at ../../../js/src/jswrapper.cpp:35
|
Assignee | |
Comment 5•11 years ago
|
||
Ah, I was doing |./js < testcase.js|. Gary explained IRL that I need to drop the |<|.
Flags: needinfo?(bobbyholley+bmo)
|
|
Assignee | |
Updated•11 years ago
|
Assignee: general → bobbyholley+bmo
|
|
Assignee | |
Comment 6•11 years ago
|
||
Attachment #779368 -
Flags: review?
|
|
Assignee | |
Updated•11 years ago
|
Attachment #779368 -
Flags: review? → review?(luke)
|
|
Assignee | |
Comment 7•11 years ago
|
||
|
|
||
Updated•11 years ago
|
Attachment #779368 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 8•11 years ago
|
||
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 9•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b717a7945dfb).
|
||
Comment 10•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox25:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
|
|
||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 11•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
Assignee | |
Comment 12•11 years ago
|
||
status-firefox24:
--- → fixed
(In reply to Bobby Holley (:bholley) from comment #12)
> https://hg.mozilla.org/releases/mozilla-aurora/
> pushloghtml?changeset=84b828b63115
Backed out from Aurora for possibly causing xpcshell crashes along with the other changes from bholley's push in https://hg.mozilla.org/releases/mozilla-aurora/rev/659b0d61fbc6
|
|
Assignee | |
Comment 14•11 years ago
|
||
|
||
Comment 15•11 years ago
|
||
Backed out for xpcshell failures.
https://hg.mozilla.org/releases/mozilla-aurora/rev/b3d0c2498b42
|
|
Assignee | |
Comment 16•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
|
||
Comment 17•11 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> autoBisect shows this is probably related to the following changeset:
>
> The first bad revision is:
> changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88
> user: Bobby Holley
> date: Wed Jul 17 11:53:52 2013 -0700
> summary: Bug 887334 - Use the new AutoCompartment overload for the atoms
> compartment and remove AutoEnterAtomsCompartment. r=bhackett
If this was the regression, why did this affect Firefox 24? Firefox 25 was trunk then.
|
|
Reporter | |
Comment 18•11 years ago
|
||
Probably the wrong regressing bug? bholley might know.
|
|
Assignee | |
Comment 19•11 years ago
|
||
(In reply to Al Billings [:abillings] from comment #17)
> (In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> > autoBisect shows this is probably related to the following changeset:
> >
> > The first bad revision is:
> > changeset: http://hg.mozilla.org/mozilla-central/rev/d09d109a7e88
> > user: Bobby Holley
> > date: Wed Jul 17 11:53:52 2013 -0700
> > summary: Bug 887334 - Use the new AutoCompartment overload for the atoms
> > compartment and remove AutoEnterAtomsCompartment. r=bhackett
>
> If this was the regression, why did this affect Firefox 24? Firefox 25 was
> trunk then.
Because I backported bug 887334 to 24.
|
|
||
Updated•11 years ago
|
status-firefox23:
--- → affected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main24+]
|
||
Comment 20•11 years ago
|
||
regressing bug was not backported to ESR17 or b2g18
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•