Assertion failure: v.isObject(), at js/src/jit/MacroAssembler.cpp:1947

RESOLVED FIXED in Firefox 45

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla45
x86_64
Linux
assertion, regression, testcase

Firefox Tracking Flags

(firefox45 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision bc74dbdea094 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager --ion-offthread-compile=off):

function assertThrowsInstanceOf() {}
for (T of[Uint8ClampedArray, Int16Array, Int16Array]) {
  arr = new T;
  assertThrowsInstanceOf(arr[0] = Symbol.iterator);
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000073ca6f in js::jit::MacroAssembler::convertValueToInt (this=0x7fffffffc0f0, cx=<optimized out>, v=..., output=..., fail=<optimized out>, behavior=<optimized out>) at js/src/jit/MacroAssembler.cpp:1947
#0  0x000000000073ca6f in js::jit::MacroAssembler::convertValueToInt (this=0x7fffffffc0f0, cx=<optimized out>, v=..., output=..., fail=<optimized out>, behavior=<optimized out>) at js/src/jit/MacroAssembler.cpp:1947
#1  0x0000000000742131 in js::jit::MacroAssembler::convertConstantOrRegisterToInt (this=this@entry=0x7fffffffc0f0, cx=cx@entry=0x7ffff6907400, src=..., temp=..., temp@entry=..., output=..., output@entry=..., fail=fail@entry=0x7fffffffbf80, behavior=behavior@entry=js::jit::MacroAssembler::IntConversion_Truncate) at js/src/jit/MacroAssembler.cpp:1959
#2  0x000000000069c2d9 in truncateConstantOrRegisterToInt32 (fail=0x7fffffffbf80, output=..., temp=..., src=..., cx=0x7ffff6907400, this=0x7fffffffc0f0) at js/src/jit/MacroAssembler.h:1527
#3  GenerateSetTypedArrayElement (tempDouble=..., temp=..., tempUnbox=..., value=..., index=..., object=..., tarr=..., attacher=..., masm=..., cx=0x7ffff6907400, tempFloat32=...) at js/src/jit/IonCaches.cpp:4452
#4  js::jit::SetPropertyIC::tryAttachTypedArrayElement (this=this@entry=0x7ffff33554f8, cx=cx@entry=0x7ffff6907400, outerScript=..., outerScript@entry=..., ion=ion@entry=0x7ffff3355000, obj=..., obj@entry=..., idval=..., idval@entry=..., val=val@entry=..., emitted=emitted@entry=0x7fffffffcc10) at js/src/jit/IonCaches.cpp:4493
#5  0x000000000069cb97 in js::jit::SetPropertyIC::tryAttachStub (this=this@entry=0x7ffff33554f8, cx=cx@entry=0x7ffff6907400, outerScript=..., outerScript@entry=..., ion=ion@entry=0x7ffff3355000, obj=obj@entry=..., idval=..., idval@entry=..., value=value@entry=..., id=id@entry=..., emitted=emitted@entry=0x7fffffffcc10, tryNativeAddSlot=tryNativeAddSlot@entry=0x7fffffffcc20) at js/src/jit/IonCaches.cpp:3504
#6  0x000000000069cfb9 in js::jit::SetPropertyIC::update (cx=0x7ffff6907400, outerScript=..., cacheIndex=<optimized out>, obj=..., idval=..., value=...) at js/src/jit/IonCaches.cpp:3584
#7  0x00007ffff7fedf81 in ?? ()
#8  0x0000000000000000 in ?? ()
rip	0x73ca6f <js::jit::MacroAssembler::convertValueToInt(JSContext*, JS::Value const&, js::jit::Register, js::jit::Label*, js::jit::MacroAssembler::IntConversionBehavior)+623>
=> 0x73ca6f <js::jit::MacroAssembler::convertValueToInt(JSContext*, JS::Value const&, js::jit::Register, js::jit::Label*, js::jit::MacroAssembler::IntConversionBehavior)+623>:	movl   $0x79b,0x0
   0x73ca7a <js::jit::MacroAssembler::convertValueToInt(JSContext*, JS::Value const&, js::jit::Register, js::jit::Label*, js::jit::MacroAssembler::IntConversionBehavior)+634>:	callq  0x4a9ba0 <abort()>


Marking this one s-s because the assertion was associated with security problems in the past and could indicate some type mismatch.
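Added example, not part of the bug report: the coercion a typed-array element store has to perform for each kind of value, which is the path the Ion SetPropertyIC stub compiled here. Stores go through ToNumber, so numbers, booleans, null, undefined, strings and objects (via valueOf) coerce, while a Symbol throws a TypeError; the names storeIntoTypedArray and coercionTable are this example's own.

```javascript
// Store `value` into a fresh one-element typed array of type T and report
// what ended up in the slot, or which error the store raised.
function storeIntoTypedArray(T, value) {
  const arr = new T(1);
  try {
    arr[0] = value;            // ToNumber, then the element-type conversion
    return { stored: arr[0], error: null };
  } catch (e) {
    return { stored: arr[0], error: e.constructor.name };
  }
}

// Constructed sample values, one per value class the conversion must handle.
// The Symbol case is the one the testcase in this bug exercises.
const SAMPLES = [
  ["number", 300],
  ["boolean", true],
  ["null", null],
  ["undefined", undefined],
  ["string", "42"],
  ["object", { valueOf() { return 7; } }],
  ["symbol", Symbol.iterator],
];

// Build a table of outcomes for every sample against the given typed array type.
function coercionTable(T) {
  const out = {};
  for (const [label, v] of SAMPLES) out[label] = storeIntoTypedArray(T, v);
  return out;
}
```

Running coercionTable(Uint8ClampedArray) shows 300 clamped to 255 and the Symbol store leaving 0 behind with a TypeError, which is the behaviour any JIT fast path must preserve.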
(Assignee)

Updated

3 years ago
Flags: needinfo?(jdemooij)
Keywords: sec-high
(Assignee)

Comment 1

3 years ago
Just a bogus assert; the code does the right thing in opt builds.
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Keywords: sec-high
(Assignee)

Comment 2

3 years ago
Created attachment 8690726 [details] [diff] [review]
Patch
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8690726 - Flags: review?(hv1989)
Attachment #8690726 - Flags: review?(hv1989) → review+
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b4b9dba91af5
user:        Jan de Mooij
date:        Mon Oct 26 11:10:19 2015 +0100
summary:     Bug 1214126 part 4 - Move IC stubs from SetElementIC to SetPropertyIC. r=efaust

Jan, I'm guessing bug 1214126 is a likely regressor.

That said, the patch is probably ready for landing?
Blocks: 1214126
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Assignee)

Updated

3 years ago
Flags: needinfo?(jdemooij)

Comment 5

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/9c371a99ca32
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox45: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45