Closed Bug 1003694 Opened 10 years ago Closed 10 years ago

Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h or Crash [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame]

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla32
Tracking Status
firefox31 --- unaffected
firefox32 --- verified
firefox-esr24 --- unaffected

People

(Reporter: gkw, Assigned: nbp)

References

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(4 files)

Attached file stack
(function() {
    function f(i) {
        var d = 3 + Math.abs()
        i ? 0 : f()
    }
    return f
}())()

asserts js debug shell on m-c changeset e19812f56952 with --ion-parallel-compile=off --ion-eager --ion-inlining=off at Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
This is flooding jsfunfuzz results.
Whiteboard: [jsbugmon:update,bisect] → [fuzzblocker][jsbugmon:update,bisect]
Whiteboard: [fuzzblocker][jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140429192012" and the hash "c0d658d3f739".
The "bad" changeset has the timestamp "20140429210107" and the hash "429d4d1f49e1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c0d658d3f739&tochange=429d4d1f49e1
I am not sure about the above regression range, but I am able to reproduce it after the landing of Bug 990106 patches, which is by the way adding this assertion.
Assignee: nobody → nicolas.b.pierron
Blocks: 990106
Status: NEW → ASSIGNED
Attachment #8415067 - Flags: review?(hv1989) → review+
Looks like a security bug to me. I'm getting various crashes [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame] with bad reads.
Group: core-security
Crash Signature: [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame]
Keywords: crash, sec-high
Summary: Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h → Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h or Crash [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame]
(In reply to Nicolas B. Pierron [:nbp] from comment #3)
> I am not sure about the above regression range, but I am able to reproduce
> it after the landing of Bug 990106 patches, which is by the way adding this
> assertion.

Yes, that sounds right:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   180713:8a3e7ed0c4c1
user:        Nicolas B. Pierron
date:        Tue Apr 29 10:17:52 2014 -0700
summary:     Bug 990106 part 4 - Recover Add and DCE unused additions. r=h4writer,jandem
https://hg.mozilla.org/mozilla-central/rev/e0679448fd3b
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx32
Group: core-security
You need to log in before you can comment on or make changes to this bug.