Bug 1114566 - Assertion failure: hasScript(), at js/src/jsfun.h:315
Status: Closed, RESOLVED FIXED
Opened 10 years ago; closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla37
Tracking: firefox37 affected
People: Reporter: decoder, Assigned: nbp
Keywords: assertion, regression, testcase
Whiteboard: [fuzzblocker] [jsbugmon:update]
Attachments (1 file): patch, 1.61 KB, review+ (shu)
The following testcase crashes on mozilla-central revision b915a50bc6be (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2):
(new Function("return (function o() {}).caller;"))();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000059337e in JSFunction::nonLazyScript (this=<optimized out>) at js/src/jsfun.h:315
315 MOZ_ASSERT(hasScript());
#0 0x000000000059337e in JSFunction::nonLazyScript (this=<optimized out>) at js/src/jsfun.h:315
#1 0x0000000000597a9e in JSFunction::nonLazyScript (this=<optimized out>) at js/src/jsfun.h:315
#2 0x0000000000ac55c5 in js::FrameIter::matchCallee (this=0x7fffffffb710, cx=0x1a144d0, fun=...) at js/src/vm/Stack.cpp:1127
#3 0x000000000090b2ca in AdvanceToActiveCallLinear (cx=0x1a144d0, iter=..., fun=...) at js/src/jsfun.cpp:99
#4 0x000000000092bb0f in CallerGetterImpl (cx=0x1a144d0, args=...) at js/src/jsfun.cpp:255
#5 0x000000000092be32 in CallNonGenericMethod<IsFunction, CallerGetterImpl> (args=..., cx=0x1a144d0) at ../../dist/include/js/CallNonGenericMethod.h:100
#6 CallerGetter (cx=0x1a144d0, argc=0, vp=0x7fffffffc3a8) at js/src/jsfun.cpp:307
#7 0x0000000000a8eb75 in js::CallJSNative (cx=0x1a144d0, native=0x92bd70 <CallerGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231
#8 0x0000000000a703c7 in js::Invoke (cx=0x1a144d0, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:482
#9 0x0000000000a74bbd in js::Invoke (cx=0x1a144d0, thisv=..., fval=..., argc=<optimized out>, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:538
#10 0x0000000000ab05cf in InvokeGetterOrSetter (rval=..., argv=0x0, argc=0, fval=..., obj=0x7ffff5700060, cx=0x1a144d0) at js/src/vm/Interpreter.cpp:611
#11 js::Shape::get (this=<optimized out>, cx=0x1a144d0, receiver=..., obj=<optimized out>, pobj=<optimized out>, vp=...) at js/src/vm/Shape-inl.h:44
#12 0x0000000000a74e88 in NativeGetInline<(js::AllowGC)1> (cx=0x1a144d0, obj=..., receiver=..., pobj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1687
#13 0x0000000000a752e1 in GetPropertyHelperInline<(js::AllowGC)1> (cx=0x1a144d0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1866
#14 0x0000000000475c11 in JSObject::getGeneric (cx=0x1a144d0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1407
#15 0x0000000000a621d8 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=0x7fffffffcc00, cx=0x1a144d0) at js/src/vm/Interpreter.cpp:251
#16 Interpret (cx=0x1a144d0, state=...) at js/src/vm/Interpreter.cpp:2357
[...]
rip 0x59337e <JSFunction::nonLazyScript() const+28>
=> 0x59337e <JSFunction::nonLazyScript() const+28>: movl $0x7b,0x0
0x593389 <JSFunction::nonLazyScript() const+39>: callq 0x4049c0 <abort@plt>
Marking as fuzzblocker because this crash is quite frequent.
Updated • 10 years ago (assignee)
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED

Comment 1 • 10 years ago (assignee)
Attachment #8540277 - Flags: review?(shu)

Comment 2 • 10 years ago
Comment on attachment 8540277
matchCallee: Check if both functions have a script before comparing them.
Review of attachment 8540277:
-----------------------------------------------------------------
::: js/src/vm/Stack.cpp
@@ +1125,5 @@
> // different, then they cannot be equal.
> bool useSameScript = CloneFunctionObjectUseSameScript(fun->compartment(), currentCallee);
> + if (useSameScript &&
> + ( currentCallee->hasScript() != fun->hasScript() ||
> + currentCallee->nonLazyScript() != fun->nonLazyScript()))
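Review bot: the added hasScript() inequality only guards the case where exactly one of currentCallee and fun lacks a script; when neither has one, the || short-circuit does not fire and currentCallee->nonLazyScript() is still reached, which is the same assertion this patch is fixing. That is presumably safe because the callee of an active frame has already been executed and so has a script, but nothing in the hunk states that invariant. Consider making it explicit with MOZ_ASSERT(currentCallee->hasScript()); before the comparison, or writing the guard as !fun->hasScript() || currentCallee->nonLazyScript() != fun->nonLazyScript() so that only fun can ever be the lazy side. The comment just above ("different, then they cannot be equal") should also say that a function without a script yet, i.e. one that has never run, is treated as not matching the current callee, since the condition now encodes that rule too.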
Nit: extra space after ( on 2nd line.
Attachment #8540277 -
Flags: review?(shu) → review+
Comment 3 • 10 years ago (assignee)
Flags: needinfo?(nicolas.b.pierron)
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated • 10 years ago (reporter)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]