1370887 - Assertion failure: begin + len <= length(), at js/src/jsscript.cpp:1691 with columnNumber property

Status: RESOLVED DUPLICATE of bug 1366927

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 130efc657df7 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe min.js):

assertEq(evaluate(`var f = of =>oomTest & (this) & 49734321 ^ class f { constructor() { } } ; f()`, {
    columnNumber: 1729
}), 1741);


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a22e18 in js::ScriptSource::chars (this=this@entry=0x7ffff43493e0, cx=cx@entry=0x7ffff6952000, holder=..., begin=68, len=len@entry=1758) at js/src/jsscript.cpp:1691
#0  0x0000000000a22e18 in js::ScriptSource::chars (this=this@entry=0x7ffff43493e0, cx=cx@entry=0x7ffff6952000, holder=..., begin=68, len=len@entry=1758) at js/src/jsscript.cpp:1691
#1  0x0000000000a2317a in js::ScriptSource::PinnedChars::PinnedChars (len=1758, begin=<optimized out>, holder=..., source=0x7ffff43493e0, cx=0x7ffff6952000, this=0x7fffffffb830) at js/src/jsscript.cpp:1653
#2  js::ScriptSource::substring (this=0x7ffff43493e0, cx=0x7ffff6952000, start=<optimized out>, stop=<optimized out>) at js/src/jsscript.cpp:1774
#3  0x00000000009b0fb5 in js::FunctionToString (cx=cx@entry=0x7ffff6952000, fun=..., prettyPrint=prettyPrint@entry=true) at js/src/jsfun.cpp:1080
#4  0x00000000009b1280 in fun_toStringHelper (cx=cx@entry=0x7ffff6952000, obj=..., obj@entry=..., indent=0) at js/src/jsfun.cpp:1132
#5  0x00000000009d147b in js::fun_toString (cx=0x7ffff6952000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1164
#6  0x000000000053ec9f in js::CallJSNative (cx=cx@entry=0x7ffff6952000, native=0x9d1360 <js::fun_toString(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#7  0x0000000000533a43 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6952000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#8  0x0000000000533e58 in InternalCall (cx=cx@entry=0x7ffff6952000, args=...) at js/src/vm/Interpreter.cpp:515
#9  0x0000000000533f8d in js::Call (cx=cx@entry=0x7ffff6952000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
#10 0x00000000009e9553 in js::Call (cx=cx@entry=0x7ffff6952000, fval=..., fval@entry=..., thisObj=<optimized out>, rval=rval@entry=...) at js/src/vm/Interpreter.h:94
#11 0x00000000009ab585 in MaybeCallMethod (cx=cx@entry=0x7ffff6952000, obj=obj@entry=..., id=..., id@entry=..., vp=vp@entry=...) at js/src/jsobj.cpp:3100
#12 0x00000000009ab765 in JS::OrdinaryToPrimitive (cx=cx@entry=0x7ffff6952000, obj=obj@entry=..., hint=hint@entry=JSTYPE_NUMBER, vp=..., vp@entry=...) at js/src/jsobj.cpp:3183
#13 0x00000000009abdd8 in js::ToPrimitiveSlow (cx=cx@entry=0x7ffff6952000, preferredType=preferredType@entry=JSTYPE_NUMBER, vp=..., vp@entry=...) at js/src/jsobj.cpp:3230
#14 0x00000000009b707a in js::ToPrimitive (vp=..., preferredType=JSTYPE_NUMBER, cx=0x7ffff6952000) at js/src/jsobj.h:1083
#15 js::ToNumberSlow (cx=0x7ffff6952000, v_=..., out=out@entry=0x7fffffffc010) at js/src/jsnum.cpp:1610
#16 0x00000000009b7bb6 in js::ToInt32Slow (cx=<optimized out>, v=..., out=0x7fffffffc4c0) at js/src/jsnum.cpp:1744
#17 0x000000000052aeba in Interpret (cx=0x7ffff6952000, state=...) at js/src/vm/Interpreter.cpp:2348
[...]
#41 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8511
rax	0x0	0
rbx	0x44	68
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb800	140737488336896
rsp	0x7fffffffb740	140737488336704
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff43493e0	140737290474464
r13	0x722	1826
r14	0x7ffff6952000	140737330356224
r15	0x6de	1758
rip	0xa22e18 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long, unsigned long)+1096>
=> 0xa22e18 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long, unsigned long)+1096>:	movl   $0x0,0x0
   0xa22e23 <js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long, unsigned long)+1107>:	ud2

Comment 1

[Christian Holler (:decoder)]

Again NI for :shu. Some of these might be dups but they keep popping up even after other bugs are fixed. So I want to make sure we have them all on file by now :)

Comment 2

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

Comment 3

[Julien Cristau [:jcristau]]

(In reply to Fuzzing Team from comment #2)
> JSBugMon: Bisection requested, result:
> === Treeherder Build Bisection Results by autoBisect ===
> 
> The "good" changeset has the timestamp "20151013053056" and the hash
> "8d9c20c241be7d7b3cfa90a3368a77db42172781".
> The "bad" changeset has the timestamp "20151013054956" and the hash
> "d80f9d6921f8209ef01aa730be9a97ab727704d1".
> 
> Likely regression window:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f
> 9d6921f8209ef01aa730be9a97ab727704d1

ni :jonco per the above regression window

Comment 4

[Jon Coppeard (:jonco)]

The regression window is when the oomTest function was added.  It likely has little to do with the source of this bug.

Comment 5

[Shu-yu Guo [:shu]]

This is fixed by bug 1366927.