Assertion failure: isNumber(), at ../../dist/include/js/Value.h:1222 or Crash [@ getClass]

Status: RESOLVED DUPLICATE of bug 1204863
Product / Component: Core / JavaScript Engine
Priority / Severity: -- / critical
Reporter: decoder (Unassigned)
Tracking: Blocks 1 bug; 4 keywords
Version: Trunk
Platform: x86_64 Linux
Keywords: assertion, crash, regression, testcase
Firefox Tracking Flags: firefox44 affected
Whiteboard: [jsbugmon:update]

Description (Reporter)

The following testcase crashes on mozilla-central revision 19b4265d0d56 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-extra-checks --ion-offthread-compile=off):

function *g() {}
var lfGlobal = newGlobal();
for (lfLocal in this) {
    if (!(lfLocal in lfGlobal)) {
        lfGlobal[lfLocal] = this[lfLocal];
    }
}
lfGlobal.offThreadCompileScript(`
var dbg = Debugger(g);
dbg.onExceptionUnwind = function (frame, exc) {
    return { return:"sproon" };
};
`);
lfGlobal.runOffThreadScript();
var options = [
    {maximumSignificantDigits: -Infinity}
];
options.forEach(function (options) {
  var result = (0).toLocaleString([], options);
});



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000042da8c in JS::Value::toNumber (this=<optimized out>) at ../../dist/include/js/Value.h:1222
#0  0x000000000042da8c in JS::Value::toNumber (this=<optimized out>) at ../../dist/include/js/Value.h:1222
#1  0x00000000005b6a20 in JS::Value::toNumber (this=<optimized out>) at ../../dist/include/js/Value.h:1224
#2  0x00000000005708c0 in toNumber (this=0x7fffffff9c60) at ../../dist/include/js/Value.h:1712
#3  NewUNumberFormat (cx=cx@entry=0x7ffff6907000, numberFormat=..., numberFormat@entry=...) at js/src/builtin/Intl.cpp:1386
#4  0x00000000005a6164 in js::intl_FormatNumber (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Intl.cpp:1492
#5  0x0000000000704ec2 in js::CallJSNative (cx=0x7ffff6907000, native=0x5a5be0 <js::intl_FormatNumber(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x00000000006fa193 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#7  0x00000000006faddd in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0x7fffffffa5b0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:823
#8  0x00000000008c7dfa in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffa628, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffa5a0, res=...) at js/src/jit/BaselineIC.cpp:8900
#9  0x00007ffff7feef9f in ?? ()
#10 0x0000000001b03bd0 in vtable for js::jit::ICStubCompiler ()
#11 0x00007fffffffa558 in ?? ()
[...]
#39 0x0000000000000000 in ?? ()
rip	0x42da8c <JS::Value::toNumber() const+28>
=> 0x42da8c <JS::Value::toNumber() const+28>:	movl   $0x4c6,0x0
   0x42da97 <JS::Value::toNumber() const+39>:	callq  0x495fc0 <abort()>

Marking this s-s because this changed signature multiple times during reduction. The initial testcase also crashed, this one does not crash anymore. I am also not sure if the Debugger is really required in this test, or if it's just triggering something on the Intl return value.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000460982 in JS::Value::toNumber (this=0x7fffffff3790) at ../../../dist/include/js/Value.h:1222
1222	        MOZ_ASSERT(isNumber());
(gdb) up
#1  0x000000000063141d in js::ValueOperations<JS::Rooted<JS::Value> >::toNumber (this=0x7fffffff3780) at ../../dist/include/js/Value.h:1712
1712	    double toNumber() const { return value().toNumber(); }
(gdb) up
#2  0x000000000056a668 in NewUNumberFormat (cx=0x7ffff601bc00, numberFormat=(JSObject * const) 0x7ffff7e6e160 [object Object]) at /home/jwalden/moz/slots/js/src/builtin/Intl.cpp:1386
1386	        uMaximumSignificantDigits = int32_t(value.toNumber());
(gdb) lis
1381	        if (!GetProperty(cx, internals, internals, cx->names().maximumSignificantDigits,
1382	                         &value))
1383	        {
1384	            return nullptr;
1385	        }
1386	        uMaximumSignificantDigits = int32_t(value.toNumber());
1387	    } else {
1388	        if (!GetProperty(cx, internals, internals, cx->names().minimumIntegerDigits,
1389	                         &value))
1390	        {

This is a spiritual duplicate of bug 1204863.  The Debugger API shouldn't be able to massage the exception (I think) that's thrown when parsing the options object, into a successful return value.
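A minimal C++ model of the unchecked read at Intl.cpp:1386 beside a hardened version, added here as an illustration and not SpiderMonkey's own code or the fix in bug 1204863. Value, Internals, getProperty and readMaxSigDigits are stand-in names; the 1..21 range check goes beyond the page (it is the ECMA-402 bound for maximumSignificantDigits).

```cpp
// Added example (not SpiderMonkey code): models the trust-the-slot pattern
// in NewUNumberFormat and a counterpart that re-validates at point of use.
#include <cassert>
#include <cmath>
#include <cstdint>
#include <map>
#include <string>

// Stand-in for JS::Value: a number or "something else" (undefined, a
// string, an object...). Only the tag matters for this illustration.
struct Value {
    enum Kind { Undefined, Number, String } kind = Undefined;
    double num = 0.0;
    static Value number(double d) { Value v; v.kind = Number; v.num = d; return v; }
    static Value string() { Value v; v.kind = String; return v; }
    bool isNumber() const { return kind == Number; }
    // Mirrors JS::Value::toNumber(): caller must already know it is a number.
    double toNumber() const { assert(isNumber()); return num; }
};

// The internals object's slots. A slot that was never written (for example
// because initialisation was cut short by a forced return) reads as undefined.
using Internals = std::map<std::string, Value>;

Value getProperty(const Internals& internals, const std::string& name) {
    auto it = internals.find(name);
    return it == internals.end() ? Value() : it->second;
}

// Pattern from Intl.cpp:1386: assumes initialisation validated the slot, so a
// non-number here trips MOZ_ASSERT in debug builds and is undefined in release.
int32_t readMaxSigDigitsUnchecked(const Internals& internals) {
    return int32_t(getProperty(internals, "maximumSignificantDigits").toNumber());
}

// Hardened form: report failure instead of converting when the slot is
// missing, non-numeric, or outside 1..21 (this also rejects -Infinity).
bool readMaxSigDigits(const Internals& internals, int32_t* out) {
    Value v = getProperty(internals, "maximumSignificantDigits");
    if (!v.isNumber()) return false;
    double d = v.toNumber();
    if (std::isnan(d) || d < 1 || d > 21) return false;
    *out = int32_t(d);
    return true;
}
```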
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1204863

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Group: javascript-core-security