Closed
Bug 1258189
Opened 9 years ago
Closed 9 years ago
Crash due to Assertion failure: isLive(), at js/src/build1/dist/include/js/HashTable.h:774
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1249107
People
(Reporter: spandan.veggalam, Assigned: fitzgen)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160209234513
Steps to reproduce:
function f(x) {
  return x + x;
}
function dumpPaths(results) {
  results = results.map(paths => {
    return paths.map(path => {
      setJitCompilerOption("ion.warmup.trigger", 30);
      function f(a, b) {
        do {
          if (a == 0) return;
          a--;
        } while (true || this ? o.a-- : true);
      }
      f(200000, shortestPaths(this, [this], 200000));
    });
  });
}
paths = shortestPaths(this, [f], 200000)
dumpPaths(paths);
Actual results:
Assertion failure: isLive(), at js/src/build1/dist/include/js/HashTable.h:774
Segmentation fault (core dumped)
Updated•9 years ago
Group: core-security → javascript-core-security
Comment 2•9 years ago
This uses a shell-only ubinode function so maybe it isn't security sensitive (bug 1249107 also involves this same method). Could you look at this please, Nick?
Flags: needinfo?(nfitzgerald)
Comment 3•9 years ago (Assignee)
Will look into it.
Assignee: nobody → nfitzgerald
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(nfitzgerald)
Comment 4•9 years ago (Assignee)
I do not get any assertion failures or crashes. Any flags required?
I just get a message about "o" being undefined within the condition of the do/while loop.
Flags: needinfo?(spandan.veggalam)
Comment 5•9 years ago (Reporter)
There was a line missing in the code I have submitted. Adding a statement "var o={}" will reproduce the crash.
Flags: needinfo?(spandan.veggalam)
Comment 6•9 years ago (Assignee)
Spandan, I added `var o = {};` to the top of the script, and it still does not fail assertions nor crash.
Can you share the full test case here as well as the flags you built the shell with and flags/environment variables you set when running the test? Thanks!
Flags: needinfo?(spandan.veggalam)
Comment 7•9 years ago (Reporter)
Build options : --enable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind
Flags: needinfo?(spandan.veggalam)
Comment 8•9 years ago
I haven't seen this issue at all, so it's not a duplicate of any of the LangFuzz bugs.
I would assume the assertion is very sensitive to build options and maybe memory usage, so using the test with the exact build options/platform/os is probably crucial for reproduction.
Flags: needinfo?(choller)
Comment 9•9 years ago (Reporter)
I have pulled out the latest code base, and couldn't reproduce the code.
My last checkout was in late March first week. It might have got fixed somewhere in between during the development process.
Generally, I refresh my code once in 15 days. Maybe I should reduce this time frame to a week or less. Could anyone please suggest what would be the ideal time frame?
Comment 10•9 years ago (Assignee)
(In reply to Spandan Veggalam from comment #9)
> I have pulled out the latest code base, and couldn't reproduce the code.
> My last checkout was in late March first week. It might have got fixed
> somewhere in between during the development process.
> Generally, I refresh my code once in 15 days. Maybe I should reduce this
> time frame to a week or less. Could anyone please suggest what would be the
> ideal time frame?
There have been a few fuzzbugs fixed related to shortestPaths, but I can't remember if any had this same crash signature.
In general, I think it makes sense to see if the bug reproduces on the latest m-c when/before filing, but I defer to :decoder and :gkw.
Comment 11•9 years ago
We'll close this in a week if nobody can reproduce it.
Comment 12•9 years ago (Assignee)
Upon re-reading this report and bug 1249107, I am pretty confident this is a dupe of that one.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Group: javascript-core-security