Closed Bug 1427351 Opened 6 years ago Closed 6 years ago

Assertion failure: currentStartPosition_ == chunk(0).start(), at /data/canicula/mozilla-central/js/src/gc/Nursery.cpp:232

Categories: Core :: JavaScript Engine, defect
Version: 57 Branch
Priority: Not set
Severity: normal
RESOLVED DUPLICATE of bug 1415291

People

(Reporter: bingosxs, Unassigned)

Attachments (1 file): poc16.js, 420 bytes, application/x-javascript

Attached file poc16.js
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171129230835

Steps to reproduce:

We compile the latest js shell from the latest source code by:

hg clone https://hg.mozilla.org/mozilla-central

and compile the SpiderMonkey js shell following the instructions:

cd js/src
autoconf2.13
# This name should end with "_DBG.OBJ" to make the version control system ignore it.
mkdir build_DBG.OBJ -p
cd build_DBG.OBJ
../configure --enable-debug --disable-optimize
# Use "mozmake" on Windows
make

After the compilation:

mozilla-central/js/src/build_DBG.OBJ/dist/bin/js poc16.js

poc16.js is the bug-triggering script file.

and then the js shell crashed.

Actual results:

crashed.

Assertion failure: currentStartPosition_ == chunk(0).start(), at /data/canicula/mozilla-central/js/src/gc/Nursery.cpp:232
Segmentation fault (core dumped)


The valgrind trace:

==30891== Memcheck, a memory error detector
==30891== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==30891== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==30891== Command: /data/canicula/mozilla-central/js/src/build_DBG.OBJ/dist/bin/js crash/16.js
==30891== 
==30891== Warning: set address range perms: large range [0x19a8e6ff5000, 0x19a926ff5000) (noaccess)
==30891== Invalid read of size 8
==30891==    at 0x11CB162: js::wasm::Table::set(unsigned int, void*, js::wasm::Instance&) (WasmTable.cpp:119)
==30891==    by 0x11BAF5B: js::WasmTableObject::setImpl(JSContext*, JS::CallArgs const&) (WasmJS.cpp:1778)
==30891==    by 0x11CBCD1: bool JS::CallNonGenericMethod<&(IsTable(JS::Handle<JS::Value>)), &js::WasmTableObject::setImpl>(JSContext*, JS::CallArgs const&) (CallNonGenericMethod.h:100)
==30891==    by 0x11BB043: js::WasmTableObject::set(JSContext*, unsigned int, JS::Value*) (WasmJS.cpp:1791)
==30891==    by 0x5C99AD: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:291)
==30891==    by 0x5A625C: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:472)
==30891==    by 0x5A6621: InternalCall(JSContext*, js::AnyInvokeArgs const&) (Interpreter.cpp:521)
==30891==    by 0x5A665F: js::CallFromStack(JSContext*, JS::CallArgs const&) (Interpreter.cpp:527)
==30891==    by 0x5B47EB: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:3066)
==30891==    by 0x5A5DEE: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:422)
==30891==    by 0x5A7468: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (Interpreter.cpp:705)
==30891==    by 0x5A7751: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (Interpreter.cpp:738)
==30891==  Address 0xe5e5e5e5e5e5e5ed is not stack'd, malloc'd or (recently) free'd
==30891== 
==30891== 
==30891== Process terminating with default action of signal 11 (SIGSEGV)
==30891==  General Protection Fault
==30891==    at 0x11CB162: js::wasm::Table::set(unsigned int, void*, js::wasm::Instance&) (WasmTable.cpp:119)
==30891==    by 0x11BAF5B: js::WasmTableObject::setImpl(JSContext*, JS::CallArgs const&) (WasmJS.cpp:1778)
==30891==    by 0x11CBCD1: bool JS::CallNonGenericMethod<&(IsTable(JS::Handle<JS::Value>)), &js::WasmTableObject::setImpl>(JSContext*, JS::CallArgs const&) (CallNonGenericMethod.h:100)
==30891==    by 0x11BB043: js::WasmTableObject::set(JSContext*, unsigned int, JS::Value*) (WasmJS.cpp:1791)
==30891==    by 0x5C99AD: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:291)
==30891==    by 0x5A625C: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:472)
==30891==    by 0x5A6621: InternalCall(JSContext*, js::AnyInvokeArgs const&) (Interpreter.cpp:521)
==30891==    by 0x5A665F: js::CallFromStack(JSContext*, JS::CallArgs const&) (Interpreter.cpp:527)
==30891==    by 0x5B47EB: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:3066)
==30891==    by 0x5A5DEE: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:422)
==30891==    by 0x5A7468: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (Interpreter.cpp:705)
==30891==    by 0x5A7751: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (Interpreter.cpp:738)
==30891== 
==30891== HEAP SUMMARY:
==30891==     in use at exit: 0 bytes in 0 blocks
==30891==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==30891== 
==30891== All heap blocks were freed -- no leaks are possible
==30891== 
==30891== For counts of detected and suppressed errors, rerun with: -v
==30891== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
Killed


The nightly Firefox build does not produce the crash because it complains:

"wasmTextToBinary is undefined"

However, this PoC crashed the latest js shell and Valgrind reported memory corruption, so we believe it is likely an issue.

Please refer to "Trusted Operating System and System Assurance Working Group, TCA, Institute of Software, Chinese Academy of Sciences" in the acknowledgement if applicable.

Expected results:

Should not crash.

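A small triage helper for Memcheck logs like the one in comment 0, added here as an illustration (it is not part of the report or of SpiderMonkey). It groups the log into error records, pulls out the top frame and source location, and flags the faulting address when its high bytes are one repeated fill byte; mozjemalloc poisons freed memory with 0xe5, so an address such as 0xe5e5e5e5e5e5e5ed is a strong hint that the pointer was loaded from freed memory. The log excerpt is constructed from the lines quoted in the report.

```python
import re

# Constructed excerpt of the Memcheck output quoted in comment 0 of this bug.
SAMPLE_LOG = """\
==30891== Invalid read of size 8
==30891==    at 0x11CB162: js::wasm::Table::set(unsigned int, void*, js::wasm::Instance&) (WasmTable.cpp:119)
==30891==    by 0x11BAF5B: js::WasmTableObject::setImpl(JSContext*, JS::CallArgs const&) (WasmJS.cpp:1778)
==30891==  Address 0xe5e5e5e5e5e5e5ed is not stack'd, malloc'd or (recently) free'd
==30891== Process terminating with default action of signal 11 (SIGSEGV)
==30891==    at 0x11CB162: js::wasm::Table::set(unsigned int, void*, js::wasm::Instance&) (WasmTable.cpp:119)
==30891== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
"""

ERROR_RE = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+|Process terminating.*)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*?) \(([^()]+:\d+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.*)$")

# Fill bytes that allocators write over freed memory; mozjemalloc uses 0xe5.
KNOWN_FILLS = {0xE5: "mozjemalloc free poison: pointer was loaded from freed memory"}

def parse_memcheck(log):
    """Group a Memcheck log into error records: kind, frames [(symbol, file:line)], address."""
    errors, current = [], None
    for line in log.splitlines():
        if m := ERROR_RE.match(line):
            current = {"kind": m.group(1), "frames": [], "address": None}
            errors.append(current)
        elif current is not None and (m := FRAME_RE.match(line)):
            current["frames"].append((m.group(1), m.group(2)))
        elif current is not None and (m := ADDR_RE.match(line)):
            current["address"] = int(m.group(1), 16)
    return errors

def poison_fill(addr, width=8):
    """Return the repeated byte if all but the two lowest bytes of addr are one non-zero value."""
    head = addr.to_bytes(width, "big")[:-2]
    return head[0] if len(set(head)) == 1 and head[0] != 0 else None

def triage(log):
    """One finding per error: top frame, source location, and a note when the address looks poisoned."""
    findings = []
    for err in parse_memcheck(log):
        if not err["frames"]:
            continue
        symbol, location = err["frames"][0]
        fill = poison_fill(err["address"]) if err["address"] is not None else None
        note = KNOWN_FILLS.get(fill, f"repeated fill byte 0x{fill:02x}") if fill is not None else None
        findings.append({"kind": err["kind"], "top_frame": symbol.split("(")[0],
                         "location": location, "note": note})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']}: {f['top_frame']} at {f['location']}" + (f" [{f['note']}]" if f["note"] else ""))
```

The poison check is a heuristic: a repeated high-byte pattern points at a stale pointer, but confirming the free site still needs a debugger or an ASan build.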
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security
Flags: needinfo?(luke)
Judging from the crash stack and testing poc16.js in a fresh build of the shell, this is a duplicate of bug 1415291 and was fixed by
  https://hg.mozilla.org/mozilla-central/rev/622c05a8e7a1
so tentatively resolving as a duplicate.  (The build ID from comment 0 is right before the fix landed.)  Thank you so much for the detailed report Xiaoshan; feel free to reopen if I'm mistaken.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(luke)
Resolution: --- → DUPLICATE
Group: javascript-core-security