Bug 898734 - Assertion failure: is<T>(), at ../jsobj.h:1003 or Crash [@ JS::LossyTwoByteCharsToNewLatin1CharsZ] when calling uint8() without arguments

Status: Closed (opened 11 years ago, closed 11 years ago)
Category: Core :: JavaScript Engine, defect
Tracking: VERIFIED FIXED, target milestone mozilla25

Release | Tracking | Status
---|---|---
firefox23 | --- | unaffected
firefox24 | --- | unaffected
firefox25 | --- | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter decoder; Assignee nsm
Keywords: 5 keywords; Whiteboard: [jsbugmon:update,ignore]

Attachments (2 files, 1 obsolete file):
- 1.75 KB, text/plain
- 2.61 KB, patch; review+ (nmatsakis)
Description (Reporter):

The following testcase asserts on mozilla-central revision fb48c7d58b8b (run with --fuzzing-safe --ion-eager):

uint8();
Comment 1 (Reporter, 11 years ago)

Comment 2 (Reporter, 11 years ago):
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
JS::LossyTwoByteCharsToNewLatin1CharsZ (cx=0x1629280, tbchars=...) at js/src/vm/CharacterEncoding.cpp:23
23          latin1[i] = static_cast<unsigned char>(tbchars[i]);
(gdb) bt 8
#0  JS::LossyTwoByteCharsToNewLatin1CharsZ (cx=0x1629280, tbchars=...) at js/src/vm/CharacterEncoding.cpp:23
#1  0x000000000052a967 in JS_EncodeString (cx=0x1629280, str=<optimized out>) at js/src/jsapi.cpp:6223
#2  0x000000000086f56e in js::NumericType<unsigned char>::call (cx=0x1629280, argc=<optimized out>, vp=0x7fffffffceb8) at js/src/builtin/BinaryData.cpp:397
#3  0x0000000000451449 in CallJSNative (args=..., native=<optimized out>, cx=0x1629280) at ../jscntxtinlines.h:225
#4  js::Invoke (cx=0x1629280, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:486
#5  0x0000000000451cd4 in js::Invoke (cx=0x1629280, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:536
#6  0x0000000000689824 in js::ion::DoCallFallback (cx=0x1629280, frame=0x7fffffffd248, stub=0x164ac40, argc=0, vp=0x7fffffffd200, res=...) at js/src/ion/BaselineIC.cpp:7051
#7  0x00007ffff6bc6e96 in ?? ()
(More stack frames follow...)
(gdb) x /i $pc
=> 0x41e013 <JS::LossyTwoByteCharsToNewLatin1CharsZ(js::ThreadSafeContext*, JS::TwoByteChars)+83>:	movzwl 0x0(%rbp,%rcx,2),%ecx
(gdb) info reg ebp rcx ecx
ebp            0xf6954040	-157990848
rcx            0xd5fe0	876512
ecx            0xd5fe0	876512

It looks like this is caused by the error reporting when the uint8() function is called without parameters. If that function is available in the browser, then this could be sec-high. If this is a shell-only testing function, please remove the security rating.
Comment 3 (Reporter, 11 years ago):

Attachment #782113 - Attachment is obsolete: true
Comment 4 (Reporter, 11 years ago):
uint16() also crashes, updated the attached crash signature to match that as well.
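The two triage questions raised in comments 2 and 4 (does a zero-argument call of each of these natives fail cleanly, and is the function reachable at all in the engine being tested) can be checked with a small sweep harness. The following is an added example, not code from the bug, from the fuzzer that found it, or from SpiderMonkey; it assumes only `globalThis` and a constructed list of probe names. Calling `uint8`/`uint16` with no arguments in a shell that has the bug terminates the process, so a crash never reaches the classifier at all; that early termination is the signal.

```javascript
// Added example: zero-argument call sweep over named globals.
// Assumptions: `globalThis` exists (Node 12+, modern SpiderMonkey shell);
// the probe list below is constructed for illustration. uint8/uint16 are the
// shell-only typed-object constructors named in the bug; the remaining names
// are standard globals that exist in every engine and show the normal,
// non-crashing outcomes for comparison.
const PROBES = ["uint8", "uint16", "Uint8Array", "Number", "String"];

// Call the global named `name` with no arguments and report what happened.
// Returns one of:
//   "not-exposed"        the name is not a function in this engine
//                        (e.g. uint8 anywhere but the SpiderMonkey shell)
//   "returned"           the call returned normally
//   "TypeError"          the call threw a TypeError (a clean arity failure)
//   "threw:<Ctor>"       the call threw some other exception
// A process crash, which is what the bug describes, cannot be represented
// here: the harness simply dies before producing a result.
function classifyZeroArgCall(name) {
  const fn = globalThis[name];
  if (typeof fn !== "function") return "not-exposed";
  try {
    fn();
    return "returned";
  } catch (e) {
    if (e instanceof TypeError) return "TypeError";
    return "threw:" + (e && e.constructor ? e.constructor.name : typeof e);
  }
}

// Run the sweep and return a map of probe name -> outcome.
function sweep(names) {
  const results = {};
  for (const name of names) results[name] = classifyZeroArgCall(name);
  return results;
}

// The exposure question from comment 2: a crash in a shell-only testing
// function is a robustness bug, the same crash in a global that web content
// can reach is a security bug. Returns the probe names that are callable
// in the current engine.
function exposedNames(names) {
  return names.filter((n) => typeof globalThis[n] === "function");
}

console.log("exposed:", exposedNames(PROBES));
console.log(sweep(PROBES));
```

When running this against a build suspected of such a crash, run each probe in a fresh shell process rather than looping in one process, since the first crashing name hides every name after it. The expected outcomes are `not-exposed` for `uint8`/`uint16` outside the SpiderMonkey shell, `TypeError` for `Uint8Array` (it requires `new`), and `returned` for `Number` and `String`.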
Updated (Reporter, 11 years ago):

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 5 (Reporter, 11 years ago):
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/2aa4435cd798
user:      Nikhil Marathe
date:      Thu Jul 25 17:58:50 2013 -0700
summary:   Bug 578700 - Numeric types implementation. r=nmatsakis

This iteration took 353.268 seconds to run.
Updated (11 years ago):

Blocks: harmony:typedobjects
Updated (11 years ago):

Flags: needinfo?(nsm.nikhil)
Keywords: regression
Comment 6 (Assignee, 11 years ago):
I'm waiting to land 898661 so that all these bugs don't block a release.
Flags: needinfo?(nsm.nikhil)
Comment 7 (Assignee, 11 years ago):

Attachment #782277 - Flags: review?(nmatsakis)
Updated (Assignee, 11 years ago):

Assignee: general → nsm.nikhil
Updated (11 years ago):

status-b2g18: --- → unaffected
status-firefox23: --- → unaffected
status-firefox24: --- → unaffected
status-firefox25: --- → disabled
status-firefox-esr17: --- → unaffected
Updated (11 years ago):

Attachment #782277 - Flags: review?(nmatsakis) → review+
Updated (Reporter, 11 years ago):

Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 8 (Reporter, 11 years ago):
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b8c7acba4b40).
Comment 9 (Assignee, 11 years ago):
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e20058bb808
Comment 10 (11 years ago):
https://hg.mozilla.org/mozilla-central/rev/4e20058bb808
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated (11 years ago):

Flags: in-testsuite+
Updated (Reporter, 11 years ago):

Status: RESOLVED → VERIFIED
Comment 11 (Reporter, 11 years ago):
JSBugMon: This bug has been automatically verified fixed.
Updated (10 years ago):

Group: core-security