Closed Bug 535760 Opened 15 years ago Closed 15 years ago

Assertion failed: s1->isQuad() && s2->isQuad()

Categories: Core :: JavaScript Engine, defect
Platform: x86, All
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
Tracking Status
status1.9.2 --- final-fixed

People

(Reporter: bc, Unassigned)


Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files)

Attached file testcase.tar.bz2 (deleted) —
1. http://www.koreaherald.co.kr/service/opencast/

On Windows 2003 Server 1.9.2 it gave:

Breakpoint starting at ntdll!DbgBreakPoint+0x0000000000000000 called from mozjs!nanojit::SanityFilter::ins3+0x0000000000000145 (Hash=0x560d5f52.0x267a6b43).

Windows XP gave:

NanoAssert(s1->isQuad() && s2->isQuad());
+this 0x05224e10 nanojit::SanityFilter * const
v LIR_qcmov nanojit::LOpcode
+s0 0x05516090 {lastWord={...} dummy=0x374dcdcd } nanojit::LIns *
+s1 0x0551578c {lastWord={...} dummy=0x184dcdcd } nanojit::LIns *
+s2 0x0551556c {lastWord={...} dummy=0x764dcdcd } nanojit::LIns *

dummy looks like it contains uninitialized memory.

On Mac OS X 1.9.3 I got:

http://www.koreaherald.co.kr/service/opencast/'
Assertion failed: s1->isQuad() && s2->isQuad() (/work/mozilla/builds/1.9.3/mozilla/js/src/nanojit/LIR.cpp:2453)

untar testcase.tar.bz2
load './www.koreaherald.co.kr/service/opencast/index.html'

see also bug 520536
Flags: wanted1.9.2?
Flags: blocking1.9.2?
The first bad revision is:

changeset: 30248:c76558a87dd9
user: David Mandelin <dmandelin@mozilla.com>
date: Wed Jul 08 11:16:41 2009 -0700
summary: Bug 453730: trace JSOP_ARGUMENTS, r=gal
Flags: blocking1.9.2? → blocking1.9.2+
dvander: cool.
Attached patch possible fix (deleted) — Splinter Review
The problem is that CALLELEM on an argsobj does not update all stack slots in the tracker. Dave, is this the right thing to do here? I'm not sure if this is security sensitive. LIns* usually looks like it has garbage inside because of the way it's encoded. But not updating stack slots is potentially pretty dangerous.
Attachment #418464 - Flags: review?(dmandelin)
Attachment #418464 - Flags: review?(dmandelin) → review+
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug535760.js.
Flags: in-testsuite+
Flags: wanted1.9.2?