Closed Bug 1462288 Opened 6 years ago Closed 6 years ago

Crash [@ Interpret] or Crash [@ js::gc::ChunkBitmap::isMarkedAny] or Assertion failure: slotInRange(slot), at vm/NativeObject.h:966 with async function and for-await

Categories: Core :: JavaScript Engine, defect, P1
Platform: x86_64 Linux

Tracking


VERIFIED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 61+ fixed
firefox61 --- fixed
firefox62 + fixed
firefox63 --- verified

People

(Reporter: decoder, Unassigned)

Details: 5 keywords, Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:]
Attachments: 1 file

The following testcase crashes on mozilla-central revision 3c9d69736f4a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --no-threads --disable-oom-functions):

async function fn() {
  for await (let [_, x] of [[]])
    for await (const { iterCount = fn() } of [{}]) {
      return;
    }
}
fn()


Backtrace:

received signal SIGSEGV, Segmentation fault.
Interpret (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:3418
#0  Interpret (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:3418
#1  0x0000000000564eaa in js::RunScript (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:417
#2  0x00000000005653f3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f14000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#3  0x0000000000565645 in InternalCall (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:516
#4  0x00000000005656b8 in js::Call (cx=cx@entry=0x7ffff5f14000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#5  0x0000000000a1d1f7 in js::CallSelfHostedFunction (cx=cx@entry=0x7ffff5f14000, name=..., thisv=thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/SelfHosting.cpp:1852
#6  0x00000000008e40a0 in AsyncFunctionResume (cx=0x7ffff5f14000, resultPromise=..., generatorVal=..., kind=kind@entry=ResumeKind::Normal, valueOrReason=...) at js/src/vm/AsyncFunction.cpp:190
#7  0x00000000008e633a in js::AsyncFunctionAwaitedFulfilled (cx=<optimized out>, resultPromise=..., generatorVal=..., value=...) at js/src/vm/AsyncFunction.cpp:217
#8  0x00000000005c46bd in AsyncFunctionPromiseReactionJob (rval=..., reaction=..., cx=<optimized out>) at js/src/builtin/Promise.cpp:1093
#9  PromiseReactionJob (cx=<optimized out>, argc=<optimized out>, vp=0x7fffffffd608) at js/src/builtin/Promise.cpp:1198
#10 0x0000000000565231 in js::CallJSNative (args=..., native=0x5c3f10 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f14000) at js/src/vm/JSContext-inl.h:280
#11 js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f14000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#12 0x0000000000565645 in InternalCall (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:516
#13 0x00000000005656b8 in js::Call (cx=cx@entry=0x7ffff5f14000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:535
#14 0x00000000008aacc6 in JS::Call (cx=cx@entry=0x7ffff5f14000, thisv=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2989
#15 0x000000000099a912 in JS::Call (rval=..., args=..., funObj=..., thisv=..., cx=0x7ffff5f14000) at js/src/jsapi.h:3082
#16 js::RunJobs (cx=cx@entry=0x7ffff5f14000) at js/src/vm/JSContext.cpp:1154
#17 0x000000000043dcde in Shell (envp=<optimized out>, op=0x7fffffffd980, cx=0x7ffff5f14000) at js/src/shell/js.cpp:8838
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9301
rax	0x0	0
rbx	0x7fffffffce30	140737488342576
rcx	0xfffe7ffff5e029a0	-422212634924640
rdx	0x2	2
rsi	0x0	0
rdi	0x7ffff5d7f040	140737317957696
rbp	0x7ffff5f14020	140737319616544
rsp	0x7fffffffca10	140737488341520
r8	0x3a	58
r9	0x1	1
r10	0x7fffffffc740	140737488340800
r11	0x7ffff5f14020	140737319616544
r12	0x1e64e80	31870592
r13	0xfffe000000000000	-562949953421312
r14	0x7ffff5f14000	140737319616512
r15	0x7fffffffd060	140737488343136
rip	0x55b7a3 <Interpret(JSContext*, js::RunState&)+15347>
=> 0x55b7a3 <Interpret(JSContext*, js::RunState&)+15347>:	mov    (%rax),%rdx
   0x55b7a6 <Interpret(JSContext*, js::RunState&)+15350>:	mov    0x490(%rsp),%rax



Likely s-s due to the GC crash, and the assertion is also scary.
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0b11639e4085
user:        Tooru Fujisawa
date:        Mon Mar 27 23:20:19 2017 +0900
summary:     Bug 1331092 - Part 9: Implement for-await-of. r=shu

This iteration took 213.049 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
slotInRange assertion sounds buffer-overflowy, guessing sec-high
Flags: needinfo?(arai.unmht)
Keywords: sec-high
"for-await-of + return" sounds like bug 1454285 is related.
The bug 1454285 patch fixes this issue.
I'm going to land the patch on May 22.
Flags: needinfo?(arai.unmht)
Priority: -- → P1
Whiteboard: [jsbugmon:update] → [jsbugmon:update][#jsapi:crashes-retriage]
Whiteboard: [jsbugmon:update][#jsapi:crashes-retriage] → [#jsapi:crashes-retriage] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d36cd8bdbc5c).
Bug 1454285 is fixed, double checking this.
Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:update,ignore] → [#jsapi:crashes-retriage] [jsbugmon:bisectfix]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6ca6ced5189a
user:        Tooru Fujisawa
date:        Tue May 22 18:10:28 2018 +0900
summary:     Bug 1454285 - Part 1: Specify the current scope when emitting await and .generator. r=jwalden

This iteration took 244.230 seconds to run.
Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:bisectfix] → [#jsapi:crashes-retriage] [jsbugmon:]
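The testcase in comment 0 and the fix bisected to above both turn on the same emitter obligation: when a `return` leaves nested for-await-of loops, the engine must call each iterator's `return()` (inner first, then outer) and await it before the async function's promise settles, and the emitted `await` has to run in the scope that still holds `.generator`. The following is an added example, not part of this bug report or of SpiderMonkey's own test suite: it keeps the control-flow shape of the crashing testcase (nested for-await-of, destructuring patterns, an early `return`) but replaces the recursive `fn()` default with a constant so it terminates, and records which iterator methods a conforming engine invokes. The iterator names "outer"/"inner", the `earlyReturn` switch and the helper names are inventions of this example.

```javascript
// Added example: observe the iterator-close sequence that the bytecode
// emitter must produce for `return` inside nested for-await-of loops.
// Not from the bug report; names below are this example's own.

// Builds an async iterable whose next()/return() calls are appended to `log`.
function loggingAsyncIterable(name, items, log) {
  return {
    [Symbol.asyncIterator]() {
      let i = 0;
      return {
        async next() {
          log.push(`${name}.next`);
          return i < items.length
            ? { value: items[i++], done: false }
            : { value: undefined, done: true };
        },
        // Invoked by the engine (AsyncIteratorClose) only when the loop is
        // left abruptly: a `return`, `break` or throw inside the loop body.
        async return(value) {
          log.push(`${name}.return`);
          return { value, done: true };
        },
      };
    },
  };
}

// Same loop structure as comment 0's testcase. The destructuring default is
// a constant here instead of a recursive fn() call, so the example terminates.
async function nestedForAwait(earlyReturn) {
  const log = [];
  const outer = loggingAsyncIterable("outer", [[]], log);
  const inner = loggingAsyncIterable("inner", [{}], log);
  let result = "fell-through";
  for await (const [_, x] of outer)
    for await (const { iterCount = 0 } of inner) {
      log.push(`body(${iterCount})`);
      if (earlyReturn) {
        result = "returned";
        // Leaving both loops: the engine awaits inner.return(), then
        // outer.return(), before this function's promise resolves, so both
        // entries are already in `log` when the caller sees it.
        return { result, log };
      }
    }
  // Exhausted iterators are not closed: no return() calls on this path.
  return { result, log };
}

// Call sequences a spec-conformant engine produces for the two paths.
const EXPECTED_EARLY_RETURN = [
  "outer.next", "inner.next", "body(0)", "inner.return", "outer.return",
];
const EXPECTED_FALL_THROUGH = [
  "outer.next", "inner.next", "body(0)", "inner.next", "outer.next",
];

if (typeof require !== "undefined" && require.main === module) {
  nestedForAwait(true).then((r) => console.log(r.log.join(" -> ")));
}
```

Run under a current Node.js (which supports for-await-of) the early-return path logs `outer.next -> inner.next -> body(0) -> inner.return -> outer.return`; a SpiderMonkey build from before the bug 1454285 fix is exactly the engine that mis-emitted the `await` around those `return()` calls, which is what the slotInRange assertion and the GC-mark crash in comment 0 were symptoms of.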
I'm still seeing crashes on 61.0 Fennec and on 62.0b1. 
So, this may not be completely fixed. Arai, can you take another look?
Flags: needinfo?(arai.unmht)
Can you tell me which crash reports they are?
I cannot find related ones in crash-stats (for comment #0's case).
Flags: needinfo?(arai.unmht) → needinfo?(lhenry)
I am just looking at the two crash signatures in this bug. Here's the one from 62.0b1: https://crash-stats.mozilla.com/report/index/f2a19a77-b963-4dad-b3ba-62d1b0180625
Flags: needinfo?(lhenry)
Assignee: nobody → arai.unmht
Status: NEW → RESOLVED
Closed: 6 years ago
Depends on: 1454285
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #9)
> I'm still seeing crashes on 61.0 Fennec and on 62.0b1. 

The signatures are very generic: that one function is 2600 lines long! This bug is about a specific testcase and that has been fixed.
Blocks: 1331092
Group: javascript-core-security → core-security-release
Group: core-security-release
Assignee: arai.unmht → nobody
Keywords: bugmon