Assertion failure: i < argc_, at ../../dist/include/js/CallArgs.h:295

RESOLVED FIXED in mozilla38

Status: RESOLVED FIXED
Product / Component: Core / JavaScript Engine
Severity: critical

People: Reporter decoder, Assignee bbouvier

Tracking
Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla38
Hardware / OS: x86 / Linux
Keywords: assertion, regression, testcase
Points: ---
Firefox Tracking Flags: firefox38 affected
Whiteboard: [fuzzblocker] [jsbugmon:update]

Attachments: 1 attachment

Description (Reporter, 3 years ago)
The following testcase crashes on mozilla-central revision c1c6840d9255 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --thread-count=2 min.js):

var float64x2 = SIMD.float64x2;
float64x2();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x080d12ed in operator[] (this=<optimized out>, i=<optimized out>) at ../../dist/include/js/CallArgs.h:295
295	        MOZ_ASSERT(i < argc_);
#0  0x080d12ed in operator[] (this=<optimized out>, i=<optimized out>) at ../../dist/include/js/CallArgs.h:295
#1  JS::detail::CallArgsBase<(JS::detail::UsedRval)0>::operator[] (i=0, this=<optimized out>) at ../../dist/include/js/CallArgs.h:294
#2  0x0812bc87 in js::SimdTypeDescr::call (cx=0x964c420, argc=0, vp=0x969ff30) at js/src/builtin/SIMD.cpp:387
#3  0x08705f1a in js::CallJSNative (cx=0x964c420, native=0x812b870 <js::SimdTypeDescr::call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
#4  0x086f3ea8 in js::Invoke (cx=0x964c420, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:491
#5  0x086e602a in Interpret (cx=0x964c420, state=...) at js/src/vm/Interpreter.cpp:2561
#6  0x086f3472 in js::RunScript (cx=0x964c420, state=...) at js/src/vm/Interpreter.cpp:448
#7  0x086fcc84 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0xf6148128, cx=0x964c420, type=<optimized out>) at js/src/vm/Interpreter.cpp:657
#8  js::Execute (cx=0x964c420, script=0xf6148128, scopeChainArg=(JSObject &) @0xf6144040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:694
#9  0x085613b9 in ExecuteScript (cx=0x964c420, obj=(JSObject * const) 0xf6144040 [object global] delegate, scriptArg=0xf6148128, rval=0x0) at js/src/jsapi.cpp:4352
#10 0x0805bc99 in RunFile (compileOnly=false, file=0x96e9d20, filename=0xffffdbda "min.js", obj=..., cx=0x964c420) at js/src/shell/js.cpp:451
#11 Process (cx=0x964c420, obj_=<optimized out>, filename=0xffffdbda "min.js", forceTTY=false) at js/src/shell/js.cpp:584
#12 0x08069a87 in ProcessArgs (op=0xffffd828, obj_=<optimized out>, cx=0x964c420) at js/src/shell/js.cpp:5496
#13 Shell (op=0xffffd828, cx=0x964c420, envp=<optimized out>) at js/src/shell/js.cpp:5735
#14 main (argc=0, argv=0x0, envp=0x0) at js/src/shell/js.cpp:6075
eax	0x0	0
ebx	0x9606ff4	157315060
ecx	0xf7e618ac	-135915348
edx	0x0	0
esi	0x964c42c	157598764
edi	0x964c420	157598752
ebp	0xffffcb98	4294953880
esp	0xffffcb80	4294953856
eip	0x80d12ed <JS::detail::CallArgsBase<(JS::detail::UsedRval)0>::operator[](unsigned int) const+61>
=> 0x80d12ed <JS::detail::CallArgsBase<(JS::detail::UsedRval)0>::operator[](unsigned int) const+61>:	movl   $0x127,0x0
   0x80d12f7 <JS::detail::CallArgsBase<(JS::detail::UsedRval)0>::operator[](unsigned int) const+71>:	call   0x804a960 <abort@plt>


Another fuzzblocker.
Updated (Reporter, 3 years ago)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 1 (Reporter, 3 years ago)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7ce5ad5a7539
user:        ProgramFOX
date:        Fri Jan 16 17:17:37 2015 +0100
summary:     Bug 1031203 - Implemented float64x2. r=bbouvier

This iteration took 1.095 seconds to run.
Updated (Reporter, 3 years ago)
status-firefox37: affected → ---
status-firefox38: --- → affected
Comment 2 (Reporter, 3 years ago)
Needinfo from bbouvier. This is also crashing in various ways; we need a fix for this :)
Flags: needinfo?(benj)
Comment 3 (Assignee, 3 years ago)
Created attachment 8552553 [details] [diff] [review]
Fix typo in SIMD.float64x2 ctor and add test cases

Sorry for the long response time. This is a pretty simple typo in the ctor
code, that I should have caught during review, sorry about that. This adds
numerous test cases for the float64x2 constructor, which were not added (the
float64x2 patch was made by a mentee and took time to do, so some tests were
forgotten during the rebasing. It happens. Once again, I should have caught
it during review).
Attachment #8552553 - Flags: review?(till)
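The crash frame in the description (CallArgs::operator[] at CallArgs.h:295, reached with i=0 and argc=0 from SimdTypeDescr::call) and the "typo in the ctor" in Comment 3 come down to one pattern: a JSNative indexing args[i] without first consulting argc. The assertion the fuzzer hit only exists in debug builds like the reporter's; MOZ_ASSERT compiles out in a release build, where the same access reads past the end of the argument vector into whatever stack slots sit beyond it. What follows is an added, stand-alone C++ model of that pattern; it is not SpiderMonkey's code and not the patch in attachment 8552553. The Value, CallArgs, FillLanesUnchecked, FillLanesChecked, MakeFrame, CallUnchecked, CallChecked, Accepts and kResidue names are invented for the demo, and the frame contents are constructed. The two defensive idioms it contrasts against the unchecked loop, JS::CallArgs::get() (undefined for a missing argument) and JS::CallArgs::requireAtLeast() (fail the call when too few arguments were passed), are real SpiderMonkey APIs.

```cpp
// Added example, not SpiderMonkey code: a stand-alone model of the
// JS::CallArgs access pattern behind this bug. All names are assumptions.
#include <cassert>
#include <cmath>
#include <limits>
#include <vector>

// Stand-in for JS::Value, restricted to the two cases the demo needs.
struct Value {
    bool undefined;
    double num;
    static Value Undefined() { return Value{true, 0.0}; }
    static Value Number(double d) { return Value{false, d}; }
};

// Stand-in for JS::CallArgs: argc values starting at argv. Slots beyond
// argc are not arguments; they belong to whatever is above on the stack.
class CallArgs {
    const Value *argv_;
    unsigned argc_;
  public:
    CallArgs(const Value *argv, unsigned argc) : argv_(argv), argc_(argc) {}
    unsigned length() const { return argc_; }

    // Unchecked access, like JS::CallArgs::operator[]. The range check is
    // an assertion that only exists in a DEBUG build (the reporter's build);
    // in a release build the read silently runs past the argument vector.
    const Value &operator[](unsigned i) const {
#ifdef DEBUG
        assert(i < argc_ && "Assertion failure: i < argc_");
#endif
        return argv_[i];
    }

    // Checked access, like JS::CallArgs::get(): undefined for missing args.
    Value get(unsigned i) const {
        return i < argc_ ? argv_[i] : Value::Undefined();
    }

    // Like JS::CallArgs::requireAtLeast(): refuse short calls up front.
    bool requireAtLeast(unsigned required) const { return argc_ >= required; }
};

// ToNumber for the two cases we model: undefined converts to NaN.
static double ToNumber(const Value &v) {
    return v.undefined ? std::numeric_limits<double>::quiet_NaN() : v.num;
}

// Lane count of SIMD.float64x2.
static const unsigned kLanes = 2;

// Shape of the failure: fill every lane from args[i] and never look at argc.
// With argc == 0 the first access is args[0], the frame in the backtrace.
static std::vector<double> FillLanesUnchecked(const CallArgs &args) {
    std::vector<double> lanes(kLanes);
    for (unsigned i = 0; i < kLanes; i++)
        lanes[i] = ToNumber(args[i]);
    return lanes;
}

// Hardened shape: a missing argument reads as undefined and becomes NaN.
static std::vector<double> FillLanesChecked(const CallArgs &args) {
    std::vector<double> lanes(kLanes);
    for (unsigned i = 0; i < kLanes; i++)
        lanes[i] = ToNumber(args.get(i));
    return lanes;
}

// Constructed frame: argc real arguments (1, 2, ...) followed by two slots
// of stack residue that no caller ever passed. Keeping the residue inside
// the vector keeps the demo itself memory-safe.
static const double kResidue = 1234.5;
static std::vector<Value> MakeFrame(unsigned argc) {
    std::vector<Value> frame;
    for (unsigned i = 0; i < argc; i++)
        frame.push_back(Value::Number(double(i + 1)));
    frame.push_back(Value::Number(kResidue));
    frame.push_back(Value::Number(kResidue));
    return frame;
}

static std::vector<double> CallUnchecked(unsigned argc) {
    std::vector<Value> frame = MakeFrame(argc);
    return FillLanesUnchecked(CallArgs(frame.data(), argc));
}
static std::vector<double> CallChecked(unsigned argc) {
    std::vector<Value> frame = MakeFrame(argc);
    return FillLanesChecked(CallArgs(frame.data(), argc));
}
// Whether a requireAtLeast()-style gate would let the call proceed.
static bool Accepts(unsigned argc, unsigned required) {
    std::vector<Value> frame = MakeFrame(argc);
    return CallArgs(frame.data(), argc).requireAtLeast(required);
}

int main() {
    // Zero arguments: the unchecked loop returns the residue slots, the
    // checked loop returns NaN lanes. Build with -DDEBUG to see the
    // unchecked variant assert instead, as in the report.
    std::vector<double> bad = CallUnchecked(0);
    std::vector<double> good = CallChecked(0);
    assert(bad[0] == kResidue && bad[1] == kResidue);
    assert(std::isnan(good[0]) && std::isnan(good[1]));
    return 0;
}
```

The point of the residue slots is the release-build behaviour: the value a native reads from args[i] when i >= argc is not an error, it is whatever the caller's frame happened to leave there, and that content is influenced by the script that made the call. Whichever idiom a native uses (get() for optional arguments, requireAtLeast() for mandatory ones), the check has to happen before the first unchecked index, not only in the debug assertion.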
Updated (Assignee, 3 years ago)
Assignee: nobody → benj
Status: NEW → ASSIGNED
Updated (Assignee, 3 years ago)
Flags: needinfo?(benj)

Comment 4
Comment on attachment 8552553 [details] [diff] [review]
Fix typo in SIMD.float64x2 ctor and add test cases

Review of attachment 8552553 [details] [diff] [review]:
-----------------------------------------------------------------

Yup
Attachment #8552553 - Flags: review?(till) → review+
Comment 5 (Assignee, 3 years ago)
Try:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=bf5fe398b188
https://tbpl.mozilla.org/?tree=Try&rev=bf5fe398b188
Comment 6 (Assignee, 3 years ago)
Thanks for the quick review, btw
https://hg.mozilla.org/integration/mozilla-inbound/rev/d9f7dc56babf
https://hg.mozilla.org/mozilla-central/rev/d9f7dc56babf
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38