Closed Bug 1125658 Opened 6 years ago Closed 6 years ago

Crash [@ JSScript::formalIsAliased] or [@ js::frontend::BytecodeEmitter::isAliasedName] or Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp

Categories: Core :: JavaScript Engine (defect)
Platform: x86_64 macOS
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 1140196
Tracking Status: firefox38 --- affected

People: Reporter: gkw, Unassigned

Details: 5 keywords, Whiteboard: [jsbugmon:update]

Attachments: 2 files

for (var [x = (function([]) {})] in 0) {}

asserts js debug shell on m-c changeset 7148aa99ad67 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b".
The "bad" changeset has the timestamp "20150121021935" and the hash "8832848bf234".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=26d8f946a53b&tochange=8832848bf234

Jason, is bug 932080 a likely regressor? The patch in bug 1090096 comment 7 does not seem to fix this issue.
Flags: needinfo?(jorendorff)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x11346, 0x000000010064ec67 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`JSScript::formalIsAliased(this=<unavailable>, argSlot=<unavailable>) + 119 at jsscript.cpp:3681, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010064ec67 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`JSScript::formalIsAliased(this=<unavailable>, argSlot=<unavailable>) + 119 at jsscript.cpp:3681
    frame #1: 0x0000000100177ed6 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::frontend::BytecodeEmitter::isAliasedName(this=<unavailable>, pn=<unavailable>) + 966 at BytecodeEmitter.cpp:1511
    frame #2: 0x000000010017af1b js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`EmitVarOp(cx=0x0000000101e01cf0, pn=0x00000001040159d8, op=JSOP_GETARG, bce=0x00007fff5fbfcf18) + 235 at BytecodeEmitter.cpp:1407
    frame #3: 0x00000001001853fe js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`EmitNameOp(cx=0x0000000101e01cf0, bce=0x00007fff5fbfcf18, pn=0x00000001040159d8, callContext=false) + 174 at BytecodeEmitter.cpp:2349
    frame #4: 0x000000010016bd66 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::frontend::EmitTree(cx=<unavailable>, bce=<unavailable>, pn=<unavailable>) + 5110 at BytecodeEmitter.cpp:7293
(lldb)
`var [x = (function ([]) {})] = 0;` works, while `for (var [x = (function([]) {})] in 0) {}` crashes.

So I suspect that it does come from the cloneParseTree dance.

As the default is not related to the bindings in the target, maybe we can avoid the clone for that subtree (without doing a double free down the road)?
Attached file stack of opt crash
(lldb) bt 5
* thread #1: tid = 0x2fbb8, 0x00000001003d2cea js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(unsigned int) [inlined] js::Bindings::bindingArray() const + 8 at jsscript.h:183, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003d2cea js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(unsigned int) [inlined] js::Bindings::bindingArray() const + 8 at jsscript.h:183
    frame #1: 0x00000001003d2ce2 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(unsigned int) [inlined] js::Bindings::bindingIsAliased(bindingIndex=0) + 2 at jsscript.cpp:309
    frame #2: 0x00000001003d2ce0 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(this=0x000000010315f1f0, argSlot=0) at jsscript.cpp:3682
    frame #3: 0x00000001000ed6ad js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::frontend::BytecodeEmitter::isAliasedName(this=<unavailable>, pn=<unavailable>) + 205 at BytecodeEmitter.cpp:1511
    frame #4: 0x00000001000efd7b js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`EmitVarOp(cx=0x0000000101617240, pn=0x000000010184bdd8, op=JSOP_GETARG, bce=0x00007fff5fbfd1c0) + 107 at BytecodeEmitter.cpp:1407
(lldb)
Crash Signature: [@ JSScript::formalIsAliased] [@ js::frontend::BytecodeEmitter::isAliasedName]
Keywords: crash
Summary: Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp → Crash [@ JSScript::formalIsAliased] or [@ js::frontend::BytecodeEmitter::isAliasedName] or Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp
Opt configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Group: core-security, javascript-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Duplicate of bug: 1140196
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-critical
Group: javascript-core-security