Assertion failure: aState0 || aState1, at ../../dist/include/mozilla/XorShift128PlusRNG.h:88 with setSavedStacksRNGState

RESOLVED FIXED in Firefox 45



JavaScript Engine
2 years ago
2 years ago


(Reporter: decoder, Assigned: jimb)


(Blocks: 1 bug, {assertion, regression, testcase})
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox45 fixed)


(Whiteboard: [fuzzblocker] [jsbugmon:update])


(1 attachment)



2 years ago
The following testcase crashes on mozilla-central revision bc74dbdea094 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

try {
} catch (x) {}


Program received signal SIGSEGV, Segmentation fault.
0x00000000007d4a6a in setState (aState1=0, aState0=<optimized out>, this=<optimized out>) at ../../dist/include/mozilla/XorShift128PlusRNG.h:88
#0  0x00000000007d4a6a in setState (aState1=0, aState0=<optimized out>, this=<optimized out>) at ../../dist/include/mozilla/XorShift128PlusRNG.h:88
#1  setRandomState (aState1=0, aState0=<optimized out>, this=<optimized out>) at ../../dist/include/mozilla/FastBernoulliTrial.h:225
#2  setRNGState (state1=0, state0=<optimized out>, this=<optimized out>) at js/src/vm/SavedStacks.h:173
#3  SetSavedStacksRNGState (cx=0x7ffff6907400, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:898
#4  0x00000000009ee9c2 in js::CallJSNative (cx=0x7ffff6907400, native=0x7d4900 <SetSavedStacksRNGState(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x00000000009eb5b7 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:394
#6  0x00000000009dd973 in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:2686
#7  0x00000000009eb357 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:341
#8  0x00000000009ed6bc in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:603
#9  0x00000000009edaec in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:640
#10 0x000000000084749e in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4390
#11 0x0000000000847633 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4423
#12 0x000000000042922b in RunFile (compileOnly=false, file=0x7ffff52e6800, filename=0x7fffffffe04b "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:515
#13 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe04b "min.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:728
#14 0x0000000000486556 in ProcessArgs (op=0x7fffffffdaf0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6170
#15 Shell (envp=<optimized out>, op=0x7fffffffdaf0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6482
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6843
rax	0x0	0
rbx	0x1	1
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffcc50	140737488342096
rsp	0x7fffffffcbe0	140737488341984
r8	0x7ffff7fe0780	140737354008448
r9	0x6c697a6f6d2f6564	7811909647642617188
r10	0x7fffffffc9a0	140737488341408
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff6907400	140737330050048
r13	0x0	0
r14	0x0	0
r15	0x0	0
rip	0x7d4a6a <SetSavedStacksRNGState(JSContext*, unsigned int, JS::Value*)+362>
=> 0x7d4a6a <SetSavedStacksRNGState(JSContext*, unsigned int, JS::Value*)+362>:	movl   $0x58,0x0
   0x7d4a75 <SetSavedStacksRNGState(JSContext*, unsigned int, JS::Value*)+373>:	callq  0x4a9ba0 <abort()>

Fuzzblocker, this occurs quite frequently.
Flags: needinfo?(jimb)

Comment 1

2 years ago
I can reproduce; the fix is straightforward.
Assignee: nobody → jimb
Flags: needinfo?(jimb)

Comment 2

2 years ago
Created attachment 8689156 [details] [diff] [review]
Ensure we only ever seed the js::SavedStacks PRNG state with valid states.
Attachment #8689156 - Flags: review?(nfitzgerald)
Comment on attachment 8689156 [details] [diff] [review]
Ensure we only ever seed the js::SavedStacks PRNG state with valid states.

Review of attachment 8689156 [details] [diff] [review]:

Attachment #8689156 - Flags: review?(nfitzgerald) → review+
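The assertion `aState0 || aState1` in the title exists because the all-zero state is a fixed point of xorshift128+: every xor and shift of zero is zero, so a generator seeded that way emits 0 forever, and a testing entry point that forwards caller-supplied words straight into setState lets untrusted input trip a debug assertion (or, in a release build, silently degrade the PRNG). The example below is added here and is not Mozilla's code or the patch from this bug; it assumes the usual xorshift128+ shift constants (23/17/26), and the names `xorshift128plusStep`, `trySetState`, `seedFromUntrusted` and the splitmix64 helper are hypothetical. It shows the stuck state, a seeding path that rejects or repairs it, and a check that a rejected seed leaves the generator untouched.

```cpp
#include <cstddef>
#include <cstdint>

// One xorshift128+ step over a raw two-word state (Vigna's recurrence; the
// shift constants 23/17/26 are assumed, not taken from the bug). Returns the
// output word and advances the state in place.
inline uint64_t xorshift128plusStep(uint64_t& s0, uint64_t& s1) {
  uint64_t x = s0;
  const uint64_t y = s1;
  s0 = y;
  x ^= x << 23;
  s1 = x ^ y ^ (x >> 17) ^ (y >> 26);
  return s1 + y;
}

// The all-zero state never changes and only ever yields 0. This is exactly
// what the `aState0 || aState1` assertion guards. Returns true if `rounds`
// steps from (0, 0) all output 0 and leave the state at (0, 0).
bool allZeroStateIsStuck(size_t rounds) {
  uint64_t s0 = 0, s1 = 0;
  for (size_t i = 0; i < rounds; ++i) {
    if (xorshift128plusStep(s0, s1) != 0 || s0 != 0 || s1 != 0) return false;
  }
  return true;
}

class XorShift128Plus {
 public:
  // Start from an arbitrary non-zero state so a fresh generator is usable.
  XorShift128Plus() : mState{0x1ULL, 0x2ULL} {}

  // Validate instead of assert: seeds that arrive from a script-visible or
  // fuzzable entry point are untrusted input. On rejection the state is
  // left unchanged and the caller is told.
  bool trySetState(uint64_t aState0, uint64_t aState1) {
    if (aState0 == 0 && aState1 == 0) return false;
    mState[0] = aState0;
    mState[1] = aState1;
    return true;
  }

  uint64_t next() { return xorshift128plusStep(mState[0], mState[1]); }

 private:
  uint64_t mState[2];
};

// splitmix64 (Steele, Lea and Flood), used here only to stretch one 64-bit
// seed into two state words. Hypothetical helper, not part of the bug.
inline uint64_t splitmix64(uint64_t& x) {
  x += 0x9E3779B97F4A7C15ULL;
  uint64_t z = x;
  z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
  z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
  return z ^ (z >> 31);
}

// Seed from two untrusted words. If both are zero, derive a state from
// splitmix64 rather than handing the generator a state it cannot leave;
// trySetState still has the final say, so the invariant is enforced once.
bool seedFromUntrusted(XorShift128Plus& rng, uint64_t a, uint64_t b) {
  if (a == 0 && b == 0) {
    uint64_t x = 0;
    a = splitmix64(x);
    b = splitmix64(x);
  }
  return rng.trySetState(a, b);
}

// A zero/zero seed must be repaired into an accepted, usable state.
bool zeroSeedIsRepaired() {
  XorShift128Plus rng;
  return seedFromUntrusted(rng, 0, 0) && rng.next() != 0;
}

// A rejected seed leaves the generator where it was: after a failed
// trySetState its next output matches that of an untouched twin.
bool rejectedSeedLeavesStateUntouched() {
  XorShift128Plus a, b;
  a.trySetState(0x1234, 0x5678);
  b.trySetState(0x1234, 0x5678);
  const bool rejected = !b.trySetState(0, 0);
  return rejected && a.next() == b.next();
}
```

The design point is that the invariant lives in one place (`trySetState`) and every seeding path, including the repaired zero case, goes through it, so a new caller cannot bypass the check the way the testing function in this bug did.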


2 years ago
Flags: in-testsuite+
OS: Linux → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla45


2 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

Comment 6

2 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Jim Blandy
date:        Thu Sep 17 16:29:39 2015 -0700
summary:     Bug 1206596: Change js::SavedStacks to use mozilla::FastBernoulliTrial. r=fitzgen

This iteration took 275.955 seconds to run.
Patch backed out, never relanded, please see comment 5.
Flags: needinfo?(jimb)

Comment 8

2 years ago
Fixed failing test, re-landed.
Flags: needinfo?(jimb)


2 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]

Comment 9

2 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e02b17a2b5b8).

Comment 10

2 years ago
Last Resolved: 2 years ago
status-firefox45: affected → fixed
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]