Closed
Bug 1125658
Opened 10 years ago
Closed 10 years ago
Crash [@ JSScript::formalIsAliased] or [@ js::frontend::BytecodeEmitter::isAliasedName] or Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED DUPLICATE of bug 1140196

Tracking | Status
---|---
firefox38 | affected
People
(Reporter: gkw, Unassigned)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
for (var [x = (function([]) {})] in 0) {}
asserts js debug shell on m-c changeset 7148aa99ad67 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b".
The "bad" changeset has the timestamp "20150121021935" and the hash "8832848bf234".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=26d8f946a53b&tochange=8832848bf234
Jason, is bug 932080 a likely regressor? The patch in bug 1090096 comment 7 does not seem to fix this issue.
Flags: needinfo?(jorendorff)
Comment 1 (Reporter), 10 years ago
(lldb) bt 5
* thread #1: tid = 0x11346, 0x000000010064ec67 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`JSScript::formalIsAliased(this=<unavailable>, argSlot=<unavailable>) + 119 at jsscript.cpp:3681, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010064ec67 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`JSScript::formalIsAliased(this=<unavailable>, argSlot=<unavailable>) + 119 at jsscript.cpp:3681
frame #1: 0x0000000100177ed6 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::frontend::BytecodeEmitter::isAliasedName(this=<unavailable>, pn=<unavailable>) + 966 at BytecodeEmitter.cpp:1511
frame #2: 0x000000010017af1b js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`EmitVarOp(cx=0x0000000101e01cf0, pn=0x00000001040159d8, op=JSOP_GETARG, bce=0x00007fff5fbfcf18) + 235 at BytecodeEmitter.cpp:1407
frame #3: 0x00000001001853fe js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`EmitNameOp(cx=0x0000000101e01cf0, bce=0x00007fff5fbfcf18, pn=0x00000001040159d8, callContext=false) + 174 at BytecodeEmitter.cpp:2349
frame #4: 0x000000010016bd66 js-dbg-opt-64-dm-nsprBuild-darwin-7148aa99ad67`js::frontend::EmitTree(cx=<unavailable>, bce=<unavailable>, pn=<unavailable>) + 5110 at BytecodeEmitter.cpp:7293
(lldb)
Comment 2, 10 years ago
`var [x = (function ([]) {})] = 0;` works
while `for (var [x = (function([]) {})] in 0) {}` crashes
So I suspect that it does come from the cloneParseTree dance.
As the default is not related to the bindings in the target, maybe we can avoid the clone for that subtree (without doing a double free down the road)?
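The following is an added example, not code from this bug report or from SpiderMonkey. It runs the two snippets compared above through any current engine (Node or a browser console is assumed, not the affected shell build, and no `--fuzzing-safe --no-threads --ion-eager` flags are needed), separating the compile step, where the emitter crashed, from the run step. It also shows the language semantics the emitter has to preserve when it copies the for-in head: the destructuring default, including a function expression with its own destructured parameter, is evaluated afresh on every iteration in which the element is missing. The object keys and the `forInDefaults` helper are constructed for the example.

```javascript
// Added example (not from the bug or the engine). Exercises the semantics
// behind comment 2: a destructuring default in a for-in head is re-evaluated
// per iteration, so every per-iteration copy of that subtree must keep the
// inner function's own parameter bindings intact.
'use strict';

// The bug's test case and the variant comment 2 reports as working.
const CASES = {
  forInHead: 'for (var [x = (function([]) {})] in 0) {}',
  plainVar:  'var [x = (function ([]) {})] = 0;',
};

// Compile only: new Function parses and emits the body without running it.
// This is the stage at which the affected shell crashed.
function compileOnly(src) {
  try {
    new Function(src);
    return 'ok';
  } catch (e) {
    return 'compile:' + e.name;
  }
}

// Compile, then run. The for-in form iterates the keys of Object(0), so the
// body never executes; the plain var form destructures 0 itself, which is not
// iterable and throws at runtime even though it compiled cleanly.
function compileAndRun(src) {
  let fn;
  try {
    fn = new Function(src);
  } catch (e) {
    return 'compile:' + e.name;
  }
  try {
    fn();
    return 'ok';
  } catch (e) {
    return 'run:' + e.name;
  }
}

// Same shape as the test case, but the default is in the second position so
// that single-character keys trigger it and longer keys do not. Each time the
// default fires, the function expression yields a new function object whose
// destructured parameter must work.
function forInDefaults(obj) {
  const closures = [];
  const seen = [];
  for (var [, x = (function ([inner]) { return inner; })] in obj) {
    if (typeof x === 'function') {
      closures.push(x);
      seen.push(x(['default']));  // exercises the inner [inner] parameter
    } else {
      seen.push(x);               // second character of the key
    }
  }
  return {
    seen,
    evaluations: closures.length,
    freshClosures: new Set(closures).size,  // one new function per evaluation
  };
}

// Constructed input: keys "a" and "b" hit the default, "cd" does not.
// -> { seen: ['default', 'default', 'd'], evaluations: 2, freshClosures: 2 }
console.log(forInDefaults({ a: 1, b: 2, cd: 3 }));
console.log(compileOnly(CASES.forInHead), compileAndRun(CASES.forInHead));
console.log(compileOnly(CASES.plainVar), compileAndRun(CASES.plainVar));
```

Because each evaluation of the default produces a distinct closure with a live argument binding, an engine cannot hoist the subtree out of the loop or share one emitted function between iterations; whichever way the per-iteration copy is made, the inner function's bindings must be present in the copy before the emitter asks whether its first formal is aliased.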
Comment 3 (Reporter), 10 years ago
(lldb) bt 5
* thread #1: tid = 0x2fbb8, 0x00000001003d2cea js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(unsigned int) [inlined] js::Bindings::bindingArray() const + 8 at jsscript.h:183, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001003d2cea js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(unsigned int) [inlined] js::Bindings::bindingArray() const + 8 at jsscript.h:183
frame #1: 0x00000001003d2ce2 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(unsigned int) [inlined] js::Bindings::bindingIsAliased(bindingIndex=0) + 2 at jsscript.cpp:309
frame #2: 0x00000001003d2ce0 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`JSScript::formalIsAliased(this=0x000000010315f1f0, argSlot=0) at jsscript.cpp:3682
frame #3: 0x00000001000ed6ad js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::frontend::BytecodeEmitter::isAliasedName(this=<unavailable>, pn=<unavailable>) + 205 at BytecodeEmitter.cpp:1511
frame #4: 0x00000001000efd7b js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`EmitVarOp(cx=0x0000000101617240, pn=0x000000010184bdd8, op=JSOP_GETARG, bce=0x00007fff5fbfd1c0) + 107 at BytecodeEmitter.cpp:1407
(lldb)
Updated by Reporter, 10 years ago
Crash Signature: [@ JSScript::formalIsAliased] [@ js::frontend::BytecodeEmitter::isAliasedName]
Keywords: crash
Summary: Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp → Crash [@ JSScript::formalIsAliased] or [@ js::frontend::BytecodeEmitter::isAliasedName] or Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp
Comment 4 (Reporter), 10 years ago
Opt configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Updated, 10 years ago
Group: core-security, javascript-core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Updated, 9 years ago
Group: core-security → core-security-release
Updated, 8 years ago
Group: core-security-release
Keywords: sec-critical
Updated, 8 years ago
Group: javascript-core-security