
Crash [@ js::IsSelfHostedFunctionWithName]

RESOLVED FIXED in Firefox 52

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
11 months ago
10 months ago

People

(Reporter: decoder, Assigned: arai)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla53
x86_64
Linux
crash, jsbugmon, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr45 unaffected, firefox50 unaffected, firefox51 unaffected, firefox52 fixed, firefox53 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

11 months ago
The following testcase crashes on mozilla-central revision 8103c612b79c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

(function(global) {
    var dump = global.dump;
    global.dump = dump;
})(this);
var gTestcases = new Array();
function TestCase(n, d, e, a) {
    ({}).constructor.defineProperty(gTestcases, gTc++, {
        value: this,
    });
    TestCase.prototype.dump = function() {
        dump('\njstest: ' + this.path + ' ' + 'reason: ' + toPrinted(this.reason) + '\n');
    }
}
function toPrinted(value) {
    value = String(value);
    value = value.replace(/\\n/g, 'NL')
}
for (gTc = 0; gTc < gTestcases.length; gTc++) {}
function jsTestDriverEnd() {
    for (var i = 0; i < gTestcases.length; i++) {
        gTestcases[i].dump();
    }
}
var SECTION = "11.4.7";
new TestCase(SECTION, "-('')", -0, -(""));
5 * (this) + delete RegExp.prototype.flags + (0.0).toLocaleString() + (this);
jsTestDriverEnd();



Backtrace:

 received signal SIGSEGV, Segmentation fault.
js::IsSelfHostedFunctionWithName (fun=0x0, name=0x7ffff06245b0) at js/src/vm/SelfHosting.cpp:3095
#0  js::IsSelfHostedFunctionWithName (fun=0x0, name=0x7ffff06245b0) at js/src/vm/SelfHosting.cpp:3095
#1  0x0000000000f858fe in js::RegExpPrototypeOptimizableRaw (cx=cx@entry=0x7ffff695f000, proto=0x7ffff068a100, result=result@entry=0x7fffffffb56f "") at js/src/builtin/RegExp.cpp:1611
#2  0x0000000000f85beb in js::RegExpPrototypeOptimizable (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/RegExp.cpp:1583
#3  0x0000000000b71899 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xf85ba0 <js::RegExpPrototypeOptimizable(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#4  0x0000000000b62c4b in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#5  0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#6  Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#7  0x0000000000b629c5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#8  0x0000000000b62d59 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#9  0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#10 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#11 0x0000000000b629c5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#12 0x0000000000b62d59 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#13 0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#14 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#15 0x0000000000b629c5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#16 0x0000000000b62d59 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#17 0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#18 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#19 0x0000000000b629c5 in js::RunScript (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#20 0x0000000000b6aa99 in js::ExecuteKernel (cx=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:684
#21 0x0000000000b6ae78 in js::Execute (cx=cx@entry=0x7ffff695f000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:717
#22 0x000000000090915b in ExecuteScript (cx=0x7ffff695f000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4391
#23 0x0000000000917ab0 in JS_ExecuteScript (cx=0x7ffff695f000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4424
#24 0x000000000042c2de in RunFile (compileOnly=<optimized out>, file=0x7ffff6952c00, filename=<optimized out>, cx=0x7ffff695f000) at js/src/shell/js.cpp:652
#25 Process (cx=<optimized out>, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1076
#26 0x0000000000438069 in ProcessArgs (op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7202
#27 Shell (envp=<optimized out>, op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7564
#28 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7944
rax	0x7ffff6995000	140737330630656
rbx	0x7ffff068a100	140737226776832
rcx	0x7ffff695f000	140737330409472
rdx	0x7ffff06842b0	140737226752688
rsi	0x7ffff06245b0	140737226360240
rdi	0x0	0
rbp	0x7fffffffb550	140737488336208
rsp	0x7fffffffb4b8	140737488336056
r8	0x7ffff02354e0	140737222235360
r9	0x1b	27
r10	0x7ffff06d88a8	140737227098280
r11	0x7ffff06d8881	140737227098241
r12	0x7fffffffb500	140737488336128
r13	0x7ffff695f000	140737330409472
r14	0x7fffffffb56f	140737488336239
r15	0x7ffff692c000	140737330200576
rip	0xbbe9c0 <js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*)>
=> 0xbbe9c0 <js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*)>:	movzwl 0x22(%rdi),%edx
   0xbbe9c4 <js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*)+4>:	xor    %eax,%eax

Updated

10 months ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

10 months ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2d56da58f489
user:        Tooru Fujisawa
date:        Tue Oct 25 19:09:13 2016 +0900
summary:     Bug 1263340 - Part 5: Check RegExp.prototype.flags getter in RegExpPrototypeOptimizable. r=till

This iteration took 239.772 seconds to run.
Arai-san, is bug 1263340 a likely regressor?
Blocks: 1263340
Flags: needinfo?(arai.unmht)
(Assignee)

Comment 3

10 months ago
Thanks, yes
I'll fix it today
(Assignee)

Comment 4

10 months ago
Created attachment 8817580 [details] [diff] [review]
Check the result of GetGetterPure
(Assignee)

Updated

10 months ago
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
(Assignee)

Comment 5

10 months ago
Comment on attachment 8817580 [details] [diff] [review]
Check the result of GetGetterPure

The issue is that GetGetterPure may return true with a null out-parameter.
Added the check.

Result<> may improve the situation, but I'll leave it to another bug.
Flags: needinfo?(arai.unmht)
Attachment #8817580 - Flags: review?(hv1989)
Comment on attachment 8817580 [details] [diff] [review]
Check the result of GetGetterPure

Review of attachment 8817580 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm

::: js/src/builtin/RegExp.cpp
@@ +1610,5 @@
>  
> +    if (!flagsGetter) {
> +        *result = false;
> +        return true;
> +    }
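Review bot: The null check is the right shape for the contract described in comment 5 (GetGetterPure reporting a completed lookup while leaving the out-parameter null, which is the fun=0x0 frame in the backtrace after the testcase's `delete RegExp.prototype.flags`), but the hunk would benefit from a one-line comment above `if (!flagsGetter) {` stating that a true return from GetGetterPure does not imply a non-null getter, so a later reader does not drop the branch as redundant; the reduced testcase from the description should also land as a regression test next to this change.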

Another solution would be to support nullptr in IsSelfHostedFunctionWithName and return false for that?
Attachment #8817580 - Flags: review?(hv1989) → review+
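The defect described in comment 5 and the call-site check from the patch, as an added C++ model that is not SpiderMonkey's code: a pure getter lookup that reports success while leaving its out-parameter null, the callee that dereferences unconditionally, and the fixed call site. `Function`, `Object`, `getGetterPure`, `kFlagsGetterName` and `optimizableWhenFlagsDeleted` are hypothetical stand-ins.

```cpp
#include <map>
#include <string>

// Hypothetical stand-ins (not SpiderMonkey's types) for a JS function and an
// object whose accessor getters are looked up by property name.
struct Function { bool selfHosted; std::string name; };
struct Object { std::map<std::string, Function*> getters; };

// Constructed name for the self-hosted `flags` getter in this model.
static const std::string kFlagsGetterName = "flagsGetterModel";

// Model of GetGetterPure's contract: `true` means the lookup finished without
// running JS; it says nothing about the out-parameter, which stays null when
// the property is absent (as after `delete RegExp.prototype.flags`).
bool getGetterPure(const Object& obj, const std::string& prop, Function** getter) {
    auto it = obj.getters.find(prop);
    *getter = (it == obj.getters.end()) ? nullptr : it->second;
    return true;
}

// The callee dereferences unconditionally; a null getter here is the
// `fun=0x0` frame in the backtrace.
bool isSelfHostedFunctionWithName(const Function* fun, const std::string& name) {
    return fun->selfHosted && fun->name == name;
}

// Fixed call site: a missing `flags` getter simply means "not optimizable".
bool regExpPrototypeOptimizableRaw(const Object& proto, bool* result) {
    Function* flagsGetter = nullptr;
    if (!getGetterPure(proto, "flags", &flagsGetter))
        return false;            // lookup could not be done purely
    if (!flagsGetter) {          // the check added by the patch
        *result = false;
        return true;
    }
    *result = isSelfHostedFunctionWithName(flagsGetter, kFlagsGetterName);
    return true;
}

// Scenario helper: 1 = optimizable, 0 = not optimizable, -1 = lookup failed.
int optimizableWhenFlagsDeleted(bool deleteFlags) {
    Function getter{true, kFlagsGetterName};
    Object proto;
    proto.getters["flags"] = &getter;
    if (deleteFlags) proto.getters.erase("flags");
    bool result = false;
    if (!regExpPrototypeOptimizableRaw(proto, &result)) return -1;
    return result ? 1 : 0;
}
```

With the getter intact the prototype is reported optimizable; once `flags` is deleted the fixed call site returns "not optimizable" instead of reaching the null dereference.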
(Assignee)

Comment 7

10 months ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/c9d3669dc5133a29944acb1353101c7bf905e914
Bug 1322319 - Check the result of GetGetterPure. r=h4writer
We should use GetOwnGetterPure (add it if it does not exist) to check the flags getter, instead of GetGetterPure.
Flags: needinfo?(arai.unmht)

Comment 9

10 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c9d3669dc513
Status: ASSIGNED → RESOLVED
Last Resolved: 10 months ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
(Assignee)

Updated

10 months ago
Flags: needinfo?(arai.unmht)
See Also: → bug 1323108
(Assignee)

Updated

10 months ago
status-firefox50: --- → unaffected
status-firefox51: --- → unaffected
status-firefox52: --- → affected
status-firefox-esr45: --- → unaffected
(Assignee)

Comment 10

10 months ago
Created attachment 8820507 [details] [diff] [review]
(mozilla-aurora) Check the result of GetGetterPure. r=h4writer

Approval Request Comment
> [Feature/Bug causing the regression]
bug 1263340

> [User impact if declined]
crash by executing JavaScript

> [Is this code covered by automated tests?]
Yes

> [Has the fix been verified in Nightly?]
Yes

> [Needs manual test from QE? If yes, steps to reproduce]
No

> [List of other uplifts needed for the feature/fix]
Bug 1323108 needs to be uplifted *after* this.

> [Is the change risky?]
No

> [Why is the change risky/not risky?]
It adds a null check.

> [String changes made/needed]
None
Attachment #8820507 - Flags: review+
Attachment #8820507 - Flags: approval-mozilla-aurora?
Comment on attachment 8820507 [details] [diff] [review]
(mozilla-aurora) Check the result of GetGetterPure. r=h4writer

add null check to fix js crash in aurora52
Attachment #8820507 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 12

10 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/a87a36e49ccc
status-firefox52: affected → fixed