1348903 - Assertion failure: uintptr_t(&obj) > 0x1000 || uintptr_t(&obj) == 0x48, at dist/include/js/Value.h:364 with SharedArrayBuffer and OOM

Status: RESOLVED DUPLICATE of bug 1352681

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision e1576dd8bd9d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager):

loadFile(`
function assertThrowsInstanceOf(f) {
    try {
        f()
    } catch (exc) {}
}
b = new SharedArrayBuffer;
assertThrowsInstanceOf();
sab1 = b;
blob = serialize(sab1, []);
deserialize(blob);
`);
function loadFile(lfVarx) {
    try {
        oomTest(Function(lfVarx))
    } catch (lfVare) {}
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000464e70 in JS::Value::setObject (this=this@entry=0x7fffffffb380, obj=...) at dist/include/js/Value.h:364
#0  0x0000000000464e70 in JS::Value::setObject (this=this@entry=0x7fffffffb380, obj=...) at dist/include/js/Value.h:364
#1  0x0000000000bf8f40 in js::MutableWrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >::setObject (obj=..., this=<synthetic pointer>) at dist/include/js/Value.h:1368
#2  JSStructuredCloneReader::readSharedArrayBuffer (this=this@entry=0x7fffffffb0f0, nbytes=nbytes@entry=8, vp=...) at js/src/vm/StructuredClone.cpp:1904
#3  0x0000000000c00b67 in JSStructuredCloneReader::startRead (this=this@entry=0x7fffffffb0f0, vp=...) at js/src/vm/StructuredClone.cpp:2085
#4  0x0000000000c01be7 in JSStructuredCloneReader::read (this=this@entry=0x7fffffffb0f0, vp=vp@entry=...) at js/src/vm/StructuredClone.cpp:2377
#5  0x0000000000c04bcb in ReadStructuredClone (cx=cx@entry=0x7ffff6948000, data=..., scope=scope@entry=JS::StructuredCloneScope::SameProcessSameThread, vp=..., vp@entry=..., cb=cb@entry=0x0, cbClosure=cbClosure@entry=0x0) at js/src/vm/StructuredClone.cpp:556
#6  0x0000000000c04d5e in JS_ReadStructuredClone (cx=cx@entry=0x7ffff6948000, buf=..., version=version@entry=8, scope=scope@entry=JS::StructuredCloneScope::SameProcessSameThread, vp=vp@entry=..., optionalCallbacks=optionalCallbacks@entry=0x0, closure=0x0) at js/src/vm/StructuredClone.cpp:2491
#7  0x00000000008734de in Deserialize (cx=0x7ffff6948000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2534
#8  0x00003538a7e074ff in ?? ()
#9  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffb0f0	140737488335088
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffae90	140737488334480
rsp	0x7fffffffae90	140737488334480
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x1	1
r13	0x7ffff7e33fe8	140737352253416
r14	0x7fffffffb380	140737488335744
r15	0x0	0
rip	0x464e70 <JS::Value::setObject(JSObject&)+80>
=> 0x464e70 <JS::Value::setObject(JSObject&)+80>:	movl   $0x0,0x0
   0x464e7b <JS::Value::setObject(JSObject&)+91>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

StructuredClone stuff, Waldo advises to needinfo? :sfink as a start.

Comment 3

[Lars T Hansen [:lth]]

Unable to repro with the indicated revision and identical config/run parameters on my system: AMD FX4100, Ubuntu 17.04, gcc 6.3.  (Admittedly m-i not m-c but the rev matches.)

Christian, what type of system and compiler did you see this on?

Comment 4

[Lars T Hansen [:lth]]

Ah, but I can repro without any run parameters to the shell, when not running under gdb, joy...