Closed Bug 1357280 Opened 8 years ago Closed 8 years ago

Assertion failure: self->template is<U>(), at js/src/jsobj.h:612

Categories

(Core :: JavaScript Engine, defect)

55 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1356822

People

(Reporter: warptencq, Unassigned)

Details

Attachments

(2 files)

Attached file w49-reduced.js
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

Run jsfunfuzz for the JavaScript engine, using the latest jsshell-mac.zip from https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-macosx64-debug/

./js w49-reduced.js

Actual results:

Lots of crashes with SEGV.
Attached file w19-reduced.js
Jason, can you confirm this?
Also a reduction would be useful, if possible.
Group: core-security → javascript-core-security
Could be a duplicate of bug 1356822. Can you still reproduce with latest m-c? Do you have a stack trace?
I run with this.

Number: /tmp/tmpgcmm44loop4/w49
Command: build/dist/js --fuzzing-safe --ion-aa=flow-sensitive --ion-pgo=on --ion-sincos=on --no-incremental-gc --gc-zeal=16 --no-asmjs --baseline-eager --ion-offthread-compile=off --ion-extra-checks -e maxRunTime=12000 -f /tmp/tmpgcmm44loop4/jsfunfuzz.js
Targeting SpiderMonkey / Gecko (trunk).
fuzzSeed: 67005902
(In reply to Jan de Mooij [:jandem] from comment #4)
> Could be a duplicate of bug 1356822. Can you still reproduce with latest
> m-c? Do you have a stack trace?

It's different from that. Funny. Latest m-c? I assume the script downloads the latest automatically. A link/url will be perfect~
I was able to reproduce this using build 20170417141916 but it appears it's been remediated in nightly.
Setting needinfo? on myself to see if the testcase is fixed.
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0dbf6b922416
user: Jan de Mooij
date: Tue Apr 18 14:58:55 2017 +0200
summary: Bug 1356822 - Fix IonBuilder::jsop_bindname to pass the global lexical to the IC in the BINDGNAME case. r=evilpie

I ran autoBisect and can confirm that bug 1356822 has indeed fixed this. Shall we mark this as a dupe?
Flags: needinfo?(gary) → needinfo?(jdemooij)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(jdemooij)
Group: javascript-core-security