Closed Bug 1001052 Opened 11 years ago Closed 10 years ago

Assertion failure: hasScript(), at jsfun.h:313

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
major

Tracking

VERIFIED FIXED
mozilla32
Tracking Status
firefox30 --- fixed
firefox31 + fixed
firefox32 + fixed
firefox33 + verified
firefox-esr24 --- fixed
b2g-v1.2 --- fixed
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed
seamonkey2.26 --- wontfix

People

(Reporter: decoder, Assigned: mjrosenb)

References

Details

(Keywords: assertion, sec-critical, testcase, Whiteboard: [jsbugmon:])

The following testcase asserts on mozilla-central revision 1d0496e30feb (x86 ARM simulator build, run with --fuzzing-safe --ion-eager --ion-check-range-analysis --ion-regalloc=backtracking):

loadFile("\
var M4x4 = {};\
M4x4.mul = function M4x4_mul(a, b, r) {\
a11 = a[0];\
a12 = a[4];\
a14 = a[12];\
SyntaxError[3];\
b13 = b[8];\
b23 = b[9];\
b33 = b[10];\
b43 = b[11];\
a14 * b43;\
return r;\
};\
M4x4.makeLookAt = function M4x4_makeLookAt() {\
tm1 = new Float32Array(16);\
tm2 = new Float32Array(16);\
r = new Float32Array(16);\
return M4x4.mul(tm1, tm2, r);\
};\
var jellyfish = {};\
function jellyfishInstance() {}\
jellyfishInstance.prototype.drawShadow = function () {\
pMatrix = M4x4.makeLookAt();\
M4x4.mul(M4x4.makeLookAt(), pMatrix, pMatrix);\
};\
jellyfish[0] = new jellyfishInstance();\
for (var i = 0, j = 0; i < jellyfish.count, j < 30; ++j) {\
jellyfish[0].drawShadow();\
}\
");
function loadFile(lfVarx) { eval("(function() { " + lfVarx + " })();"); }
Group: core-security
Looks like another bad branch just after a constant pool.

0xf725d364 bvc #0
0xf725d36c vcvt.f64.f32 d0, s0
0xf725d370 mov r5, r6
0xf725d374 b #84
< constant pool >
0xf725d3d0 b #3704 ; bad branch to 0xf725e250

This is not a plausible destination:

0xf725e250 pop {r0, r1, r2, r3, r4, r5, r6, r7}
0xf725e254 b #-4292
Depends on: 972710
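The address arithmetic behind the comment above, as an added example that is not part of the bug report or of SpiderMonkey's code: the disassembler prints `b #off` relative to PC+8, so decoding the two branches in the listing shows the one before the pool landing exactly on the first instruction after it, and the one after the pool landing far away at 0xf725e250. The instruction words and the pool bounds are constructed from the listing, not recovered from the crash.

```python
"""ARM A32 branch-target arithmetic for the listing in this bug.

Instruction words below are constructed to match the disassembly
(they are not bytes recovered from the crashing process); the pool
bounds are read off the listing. The disassembler prints `b #off`
relative to PC+8, which is what the quoted target addresses confirm."""

# Constructed from the listing: the pool occupies [0xf725d378, 0xf725d3d0).
POOL_START = 0xF725D378
POOL_END = 0xF725D3D0  # first instruction after the pool (exclusive bound)


def encode_b(offset):
    """Encode an unconditional A32 B with a PC+8-relative byte offset."""
    if offset % 4 or not -0x2000000 <= offset < 0x2000000:
        raise ValueError("branch offset misaligned or out of 26-bit range")
    return 0xEA000000 | ((offset >> 2) & 0xFFFFFF)


def decode_b(pc, word):
    """Target of an A32 B/BL at address pc, or None if word is not one.

    Bits 27..25 == 0b101 identify B/BL (cond 1111 would be BLX, excluded).
    The 24-bit immediate is sign-extended, shifted left by 2 and added to
    PC+8, because the ARM pipeline reads PC two instructions ahead."""
    if (word >> 25) & 0x7 != 0b101 or (word >> 28) == 0xF:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:  # sign bit of the 24-bit field
        imm24 -= 1 << 24
    return (pc + 8 + (imm24 << 2)) & 0xFFFFFFFF


def in_pool(target):
    """True if a target falls inside the constant pool (data, not code)."""
    return POOL_START <= target < POOL_END


def branch_lands_at(pc, word, expected):
    """Check that the branch at pc resolves exactly to `expected`."""
    return decode_b(pc, word) == expected


if __name__ == "__main__":
    # The two branches from the listing, as constructed instruction words.
    for pc, off in ((0xF725D374, 84), (0xF725D3D0, 3704)):
        target = decode_b(pc, encode_b(off))
        note = "first instruction after pool" if target == POOL_END else "far past the pool"
        print(f"{pc:#010x} b #{off:<5} -> {target:#010x}  ({note})")
```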
ARM constant pool bug, assigning to Marty.
Assignee: nobody → mrosenberg
Status: NEW → ASSIGNED
Flags: needinfo?(mrosenberg)
Group: javascript-core-security
Marty, are you looking into this?
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 951e3a671279).
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/174895f05c9f
user: Jon Coppeard
date: Wed Apr 23 13:48:35 2014 +0100
summary: Bug 988950 - Use scratch register instead of temp where possible r=jandem

This iteration took 465.021 seconds to run.
Christian, to be clear, are you saying that rev/174895f05c9f seems to fix the bug? (first good revision)
Flags: needinfo?(choller)
Actually I guess comment 6 is obvious - removing NI
Flags: needinfo?(choller)
Jon, is bug 988950 a likely fix?
Flags: needinfo?(jcoppeard)
This should have been fixed in bug 996715.
(In reply to Douglas Crosher [:dougc] from comment #9)
> This should have been fixed in bug 996715.

Fixed by bug 996715.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mrosenberg)
Flags: needinfo?(jcoppeard)
Resolution: --- → FIXED
Trying to apply this to SeaMonkey 2.26.1 (Gecko 29) resulted in patch conflicts, and due to the nature of this patchset it seems like I won't be able to take it.
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security
Group: core-security