Closed Bug 1037672 Opened 8 years ago Closed 8 years ago

Assertion failure: strcmp((const char*) stack_[*size_].label(), str) == 0, at vm/SPSProfiler.cpp:199 or Crash on Heap

Categories: Core :: JavaScript Engine (defect)
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Tracking

Status: RESOLVED DUPLICATE of bug 1026485
Tracking Status: firefox33 --- affected
People: Reporter: decoder, Assigned: djvj
Details: 4 keywords, Whiteboard: [jsbugmon:ignore]
Attachments: 1 file

The following testcase asserts on mozilla-central revision e1a037c085d1 (run with --fuzzing-safe):


// Fuzzer-generated testcase for the SpiderMonkey shell (run with --fuzzing-safe).
// `function f(...) expr` with no braces is SpiderMonkey's legacy expression-closure
// syntax; it is intentional here, as are the other odd constructs below.
var summary = '';
var actual = '';
function TestCase(n, d, e, a)
  this.expect = e;
for (var optionName in options.initvalues) {}
var lfcode = new Array();
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("4");
lfcode.push("enableSPSProfiling()");
lfcode.push("");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5)  {\
    try {\
        p = [1].some(function (y) test()) ? 4 : 0x0041\
    } catch(e) {}\
    reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
lfcode.push("");
// Drain lfcode in order: single-character numeric entries set lfRunTypeId,
// everything else is handed to the shell's evaluate() builtin.
while (true) {
    var file = lfcode.shift(); if (file == undefined) { break; }
    loadFile(file)
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                default: evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);   // implicit global, read by the switch above
        }
    } catch (lfVare) {}
}
The test might require multiple runs to reproduce, so automated bisection won't work. Needinfo from djvj because this seems to be related to profiling.
Flags: needinfo?(kvijayan)
Keywords: crash
Whiteboard: [jsbugmon:ignore]
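Because the assertion reproduces only on some runs, a practical first step is to re-run the testcase a number of times and tally how each run ended. The POSIX shell harness below is an added example, not part of this bug report or of the SpiderMonkey project; it assumes a debug SpiderMonkey shell binary named `js` is on PATH and that the testcase has been saved to a file (both assumptions). It distinguishes a debug assertion (the "Assertion failure:" banner on stderr), a signal death (exit status 128+signum as reported by the shell), and a clean run.

```sh
#!/bin/sh
# Added example, not part of the bug report: a reproduction harness for an
# intermittent shell assertion. Assumptions (not stated on the page): a
# SpiderMonkey shell `js` is on PATH and the testcase is saved as a file.

# classify_run STATUS STDERR_TEXT
# Prints "assert" when the debug-shell assertion banner is present, "crash"
# when the process died from a signal (the shell reports 128+signum, e.g.
# 134 = SIGABRT, 139 = SIGSEGV), and "ok" otherwise.
classify_run() {
    status="$1"
    err="$2"
    case "$err" in
        *"Assertion failure:"*) echo assert; return 0 ;;
    esac
    if [ "$status" -ge 128 ]; then
        echo crash
    else
        echo ok
    fi
}

# repro_loop JS TESTCASE RUNS
# Runs `JS --fuzzing-safe TESTCASE` RUNS times and prints one summary line,
# e.g. "assert=2 crash=0 ok=8". Failing runs are expected, so the exit status
# is captured with `|| status=$?` rather than allowing `set -e` to abort.
repro_loop() {
    js="$1"; tc="$2"; runs="$3"
    asserts=0; crashes=0; oks=0; i=0
    while [ "$i" -lt "$runs" ]; do
        errfile=$(mktemp)
        status=0
        "$js" --fuzzing-safe "$tc" >/dev/null 2>"$errfile" || status=$?
        kind=$(classify_run "$status" "$(cat "$errfile")")
        rm -f "$errfile"
        case "$kind" in
            assert) asserts=$((asserts + 1)) ;;
            crash)  crashes=$((crashes + 1)) ;;
            *)      oks=$((oks + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "assert=$asserts crash=$crashes ok=$oks"
}

# Usage (assumes the testcase above was saved as bug1037672.js, an assumption):
#   repro_loop js bug1037672.js 20
```

A run that reports any `assert` or `crash` hits confirms the intermittent reproduction; the summary line is also a convenient thing to paste into the bug when the failure rate matters.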
(In reply to Christian Holler (:decoder) from comment #1)
> The test might require multiple runs to reproduce, so automated bisection
> won't work. Needinfo from djvj because this seems to be related to profiling.

Maybe rr can help here.
Managed to replicate this.  Yet another "strange sequence of stack manipulations leading to stack mismatch".

I'm working on this in-between other bugs since it's a profiler-only issue.
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
Reduced testcase that still fails:

// Reduced testcase for the SpiderMonkey shell; the legacy expression-closure
// syntax (`function f(...) expr`, no braces) is intentional.
var summary = '';
var actual = '';
function TestCase(n, d, e, a)
  this.expect = e;
for (var optionName in options.initvalues) {}
var lfcode = new Array();
lfcode.push("4");
lfcode.push("enableSPSProfilingWithSlowAssertions()");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5)  {\
    try {\
        p = [1].some(function (y) test()) ? 4 : 0x0041\
    } catch(e) {}\
    reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
// Drain lfcode in order: "4" sets lfRunTypeId, the profiler is enabled with
// slow assertions, then the test body is evaluated via the shell's evaluate().
while (true) {
    var file = lfcode.shift(); if (file == undefined) { break; }
    loadFile(file)
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);   // implicit global, unused in this reduction
        }
    } catch (lfVare) {}
}
sec-moderate because a malicious page can't trigger the profiler themselves.
Keywords: sec-moderate
This is a dup of bug 1026485 - for which the fix landed 1 day after the revision where this bug report manifests:

https://hg.mozilla.org/integration/mozilla-inbound/rev/394a87a6450f
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1026485
Group: core-security → core-security-release
Group: core-security-release