Closed
Bug 1412654
Opened 7 years ago
Closed 7 years ago
Assertion failure: toStringEnd >= bufEnd, at js/src/jsscript.cpp:2706 with clone
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox56 | --- | wontfix |
firefox57 | --- | wontfix |
firefox58 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file)
patch, 1.88 KB, reviewed by evilpie: review+
The following testcase crashes on mozilla-central revision c16bc8097c10 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off min.js):

```js
var gv = newGlobal();
gv.f = (class get {});
gv.eval('f = clone(f);');
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x0000000000a619c8 in JSScript::Create (cx=cx@entry=0x7ffff6955000, options=..., sourceObject=..., sourceObject@entry=..., bufStart=27837, bufEnd=27843, toStringStart=30, toStringEnd=42) at js/src/jsscript.cpp:2706
#0  0x0000000000a619c8 in JSScript::Create (cx=cx@entry=0x7ffff6955000, options=..., sourceObject=..., sourceObject@entry=..., bufStart=27837, bufEnd=27843, toStringStart=30, toStringEnd=42) at js/src/jsscript.cpp:2706
#1  0x0000000000a61bd5 in CreateEmptyScriptForClone (cx=0x7ffff6955000, src=src@entry=...) at js/src/jsscript.cpp:3726
#2  0x0000000000a640b3 in js::CloneScriptIntoFunction (cx=0x7ffff6955000, enclosingScope=..., enclosingScope@entry=..., fun=..., fun@entry=..., src=src@entry=...) at js/src/jsscript.cpp:3758
#3  0x00000000009f54c7 in js::CloneFunctionAndScript (cx=0x7ffff6955000, fun=..., fun@entry=..., enclosingEnv=..., newScope=..., newScope@entry=..., allocKind=<optimized out>, proto=..., proto@entry=...) at js/src/jsfun.cpp:2265
#4  0x0000000000992c18 in CloneFunctionObject (cx=cx@entry=0x7ffff6955000, funobj=..., env=..., scope=scope@entry=...) at js/src/jsapi.cpp:3752
#5  0x0000000000992ec8 in JS::CloneFunctionObject (cx=0x7ffff6955000, funobj=..., funobj@entry=..., envChain=...) at js/src/jsapi.cpp:3778
#6  0x0000000000472f88 in Clone (cx=0x7ffff6955000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:3138
#7  0x0000000000560411 in js::CallJSNative (cx=0x7ffff6955000, native=0x472c40 <Clone(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
[...]
#38 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8928
rip 0xa619c8 <JSScript::Create(JSContext*, JS::ReadOnlyCompileOptions const&, JS::Handle<JSObject*>, unsigned int, unsigned int, unsigned int, unsigned int)+616>
=> 0xa619c8 <JSScript::Create(...)+616>: movl $0x0,0x0
   0xa619d3 <JSScript::Create(...)+627>: ud2
```
Updated • 7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1 • 7 years ago

JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/751cc121aa3f
user: Shu-yu Guo
date: Mon Apr 17 19:51:34 2017 -0700
summary: Bug 1216630 - Print class source when calling toString on the constructor. (r=Yoric)

changeset: https://hg.mozilla.org/mozilla-central/rev/8f3e4478d23a
user: Shu-yu Guo
date: Mon Apr 17 19:51:35 2017 -0700
summary: Bug 1216630 - Rename preludeStart and postludeEnd to toStringStart and toStringEnd and misc fixes. (r=Yoric)

This iteration took 247.499 seconds to run.
Updated • 7 years ago
Priority: -- → P1

Comment 3 • 7 years ago (Assignee)

The bug here is that JSScript::setDefaultClassConstructorSpan sets toStringStart/toStringEnd, but sourceStart/sourceEnd still refer to (I assume) the offsets in the self-hosted source code. Hence this assertion failure when we try to clone() the self-hosted constructor.

There are other issues though - cloning functions with extended slots across compartments will initialize these slots to |undefined|. That also seems like a recipe for failure and something I'd like to get rid of.

I'll try locking down CloneFunctionObject more - in bug 1405766 we blocked native functions and we should probably block everything else that's not a normal function.
Comment 4 • 7 years ago (Assignee)

Here's a patch to reject all extended functions and functions with kind() != NormalFunction in CloneFunctionObject. I added a MOZ_CRASH() to this if-statement, and it didn't hit on any browser test. We have this (potentially cross-compartment) function cloning API just for XBL and I think it makes sense to only handle the few cases we need for that.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8923976 - Flags: review?(evilpies)
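To make the failure described in Comment 3 and the gate added in Comment 4 concrete, here is a constructed C++ model (added here; not SpiderMonkey's code) of the two offset pairs a script carries, the default-constructor span adjustment, the precondition from the assertion message, and a clone gate that accepts only normal, non-extended functions. The struct and function names are assumptions chosen for illustration; the offsets come from the backtrace in the report.

```cpp
#include <cstdint>
#include <stdexcept>
// Constructed model (not SpiderMonkey code) of the two offset pairs a JSScript
// carries: sourceStart/End index the buffer the script was compiled from,
// toStringStart/End delimit what Function.prototype.toString returns.
struct ScriptSpan {
    uint32_t sourceStart, sourceEnd;
    uint32_t toStringStart, toStringEnd;
};
enum class FunctionKind { Normal, ClassConstructor };
struct Function {
    FunctionKind kind;
    bool isExtended;  // extended slots, which a cross-compartment clone resets
    ScriptSpan span;
};
// What Comment 3 describes: the default class constructor's toString span is
// pointed at the user's class text while sourceStart/End still refer to the
// self-hosted source the constructor was compiled from.
void setDefaultClassConstructorSpan(Function& f, uint32_t start, uint32_t end) {
    f.span.toStringStart = start;
    f.span.toStringEnd = end;
}

// The precondition JSScript::Create asserts (toStringEnd >= bufEnd), as a bool.
bool spanConsistentForCreate(const ScriptSpan& s) {
    return s.toStringEnd >= s.sourceEnd;
}

// The gate from Comment 4: only ordinary, non-extended functions may be cloned,
// so a default class constructor is rejected before any script is created.
bool canCloneFunctionObject(const Function& f) {
    return f.kind == FunctionKind::Normal && !f.isExtended;
}

// true = cloned, false = rejected by the gate; throws when an inconsistent span
// reaches script creation, which is the assertion failure in the report.
bool cloneFunction(const Function& f) {
    if (!canCloneFunctionObject(f)) return false;
    if (!spanConsistentForCreate(f.span))
        throw std::logic_error("Assertion failure: toStringEnd >= bufEnd");
    return true;
}
// Rebuilds the offsets shown in the backtrace: bufStart=27837, bufEnd=27843,
// toStringStart=30, toStringEnd=42.
Function reportedDefaultConstructor() {
    Function f{FunctionKind::ClassConstructor, false, {27837, 27843, 27837, 27843}};
    setDefaultClassConstructorSpan(f, 30, 42);
    return f;
}
```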
Comment 5 • 7 years ago

Comment on attachment 8923976 (Patch)
Review of attachment 8923976:

Agreed

Attachment #8923976 - Flags: review?(evilpies) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/55642641fbd4
Only allow cloning normal functions in CloneFunctionObject. r=evilpie

Comment 7 • 7 years ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/55642641fbd4

Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Updated • 7 years ago
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox-esr52: --- → unaffected