Assertion failure: bindingIndex < count(), at jsscript.cpp or Assertion failure: !isSingleton(), at jsobjinlines.h

RESOLVED DUPLICATE of bug 1140196

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 1140196
Reported: 4 years ago
Modified: 2 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86_64
OS: Mac OS X
Keywords: assertion, regression, sec-critical, testcase
Points: ---
Dependency tree / graph

Firefox Tracking Flags

(firefox38 affected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
for (var [{
    x: x = (function() {
        return arguments
    })
}] in 0);

asserts js debug shell on m-c changeset aa5f8d47a0ba with --fuzzing-safe --no-threads --ion-eager at Assertion failure: bindingIndex < count(), at jsscript.cpp.

Another similar testcase:

for (var [{
    w: x = (function() {})
}] = (function() {}) in 0) {}

asserts js debug shell on m-c changeset aa5f8d47a0ba with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !isSingleton(), at jsobjinlines.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b".
The "bad" changeset has the timestamp "20150121021935" and the hash "8832848bf234".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=26d8f946a53b&tochange=8832848bf234

Jason, is bug 932080 a likely regressor?
Flags: needinfo?(jorendorff)
(Reporter)

Comment 1

4 years ago
Created attachment 8561646 [details]
stack for first assertion

(lldb) bt 5
* thread #1: tid = 0x1d31f8, 0x000000010080c3b3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`JSScript::cookieIsAliased(js::frontend::UpvarCookie const&) [inlined] js::frontend::UpvarCookie::slot(this=<unavailable>, bindingIndex=<unavailable>) const + 104 at jsscript.cpp:308, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010080c3b3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`JSScript::cookieIsAliased(js::frontend::UpvarCookie const&) [inlined] js::frontend::UpvarCookie::slot(this=<unavailable>, bindingIndex=<unavailable>) const + 104 at jsscript.cpp:308
    frame #1: 0x000000010080c34b js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`JSScript::cookieIsAliased(this=<unavailable>, cookie=<unavailable>) + 59 at jsscript.cpp:3685
    frame #2: 0x0000000100186190 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::BytecodeEmitter::isAliasedName(this=0x00007fff5fbfc4d8, pn=<unavailable>) + 624 at BytecodeEmitter.cpp:1515
    frame #3: 0x000000010018909b js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`EmitVarOp(cx=0x0000000101c169b0, pn=0x0000000102044dd8, op=JSOP_GETLOCAL, bce=0x00007fff5fbfc4d8) + 235 at BytecodeEmitter.cpp:1407
    frame #4: 0x0000000100192ade js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`EmitNameOp(cx=0x0000000101c169b0, bce=0x00007fff5fbfc4d8, pn=0x0000000102044dd8, callContext=false) + 174 at BytecodeEmitter.cpp:2346
(lldb)
(Reporter)

Comment 2

4 years ago
Created attachment 8561648 [details]
stack for second assertion

(lldb) bt 5
* thread #1: tid = 0x1d3bc8, 0x000000010078c034 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`JSFunction::setTypeForScriptedFunction(js::ExclusiveContext*, JS::Handle<JSFunction*>, bool) [inlined] JS::Handle<JSFunction*>::operator->(group=<unavailable>) const + 44 at jsobjinlines.h:104, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010078c034 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`JSFunction::setTypeForScriptedFunction(js::ExclusiveContext*, JS::Handle<JSFunction*>, bool) [inlined] JS::Handle<JSFunction*>::operator->(group=<unavailable>) const + 44 at jsobjinlines.h:104
    frame #1: 0x000000010078c008 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`JSFunction::setTypeForScriptedFunction(cx=<unavailable>, singleton=<unavailable>, fun=<unavailable>) + 680 at jsinfer.cpp:3819
    frame #2: 0x000000010018b4ea js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`EmitFunc(cx=0x0000000101e021d0, bce=0x00007fff5fbfdc50, pn=0x0000000103019728) + 602 at BytecodeEmitter.cpp:5382
    frame #3: 0x000000010017b3f6 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::EmitTree(cx=0x0000000101e021d0, bce=0x00007fff5fbfdc50, pn=0x0000000103019728) + 6310 at BytecodeEmitter.cpp:6890
    frame #4: 0x00000001001cd6d3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`EmitDefault(cx=0x0000000101e021d0, bce=0x00007fff5fbfdc50, defaultExpr=0x0000000103019728) + 291 at BytecodeEmitter.cpp:3528
(lldb)

Updated

3 years ago
Group: core-security, javascript-core-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Duplicate of bug: 1140196

Updated

3 years ago
Group: core-security → core-security-release
Group: javascript-core-security, core-security-release
Keywords: sec-critical