Closed
Bug 1462288
Opened 7 years ago
Closed 7 years ago
Crash [@ Interpret] or Crash [@ js::gc::ChunkBitmap::isMarkedAny] or Assertion failure: slotInRange(slot), at vm/NativeObject.h:966 with async function and for-await
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla62
People: Reporter: decoder, Unassigned
Keywords: 5 keywords; Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:]
Attachments (1 file): 3.51 KB, text/plain
The following testcase crashes on mozilla-central revision 3c9d69736f4a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --no-threads --disable-oom-functions):
async function fn() {
  for await (let [_, x] of [[]])
    for await (const { iterCount = fn() } of [{}]) {
      return;
    }
}
fn()
Backtrace:
received signal SIGSEGV, Segmentation fault.
Interpret (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:3418
#0 Interpret (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:3418
#1 0x0000000000564eaa in js::RunScript (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:417
#2 0x00000000005653f3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f14000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#3 0x0000000000565645 in InternalCall (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:516
#4 0x00000000005656b8 in js::Call (cx=cx@entry=0x7ffff5f14000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#5 0x0000000000a1d1f7 in js::CallSelfHostedFunction (cx=cx@entry=0x7ffff5f14000, name=..., thisv=thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/SelfHosting.cpp:1852
#6 0x00000000008e40a0 in AsyncFunctionResume (cx=0x7ffff5f14000, resultPromise=..., generatorVal=..., kind=kind@entry=ResumeKind::Normal, valueOrReason=...) at js/src/vm/AsyncFunction.cpp:190
#7 0x00000000008e633a in js::AsyncFunctionAwaitedFulfilled (cx=<optimized out>, resultPromise=..., generatorVal=..., value=...) at js/src/vm/AsyncFunction.cpp:217
#8 0x00000000005c46bd in AsyncFunctionPromiseReactionJob (rval=..., reaction=..., cx=<optimized out>) at js/src/builtin/Promise.cpp:1093
#9 PromiseReactionJob (cx=<optimized out>, argc=<optimized out>, vp=0x7fffffffd608) at js/src/builtin/Promise.cpp:1198
#10 0x0000000000565231 in js::CallJSNative (args=..., native=0x5c3f10 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f14000) at js/src/vm/JSContext-inl.h:280
#11 js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f14000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#12 0x0000000000565645 in InternalCall (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:516
#13 0x00000000005656b8 in js::Call (cx=cx@entry=0x7ffff5f14000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:535
#14 0x00000000008aacc6 in JS::Call (cx=cx@entry=0x7ffff5f14000, thisv=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2989
#15 0x000000000099a912 in JS::Call (rval=..., args=..., funObj=..., thisv=..., cx=0x7ffff5f14000) at js/src/jsapi.h:3082
#16 js::RunJobs (cx=cx@entry=0x7ffff5f14000) at js/src/vm/JSContext.cpp:1154
#17 0x000000000043dcde in Shell (envp=<optimized out>, op=0x7fffffffd980, cx=0x7ffff5f14000) at js/src/shell/js.cpp:8838
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9301
rax 0x0 0
rbx 0x7fffffffce30 140737488342576
rcx 0xfffe7ffff5e029a0 -422212634924640
rdx 0x2 2
rsi 0x0 0
rdi 0x7ffff5d7f040 140737317957696
rbp 0x7ffff5f14020 140737319616544
rsp 0x7fffffffca10 140737488341520
r8 0x3a 58
r9 0x1 1
r10 0x7fffffffc740 140737488340800
r11 0x7ffff5f14020 140737319616544
r12 0x1e64e80 31870592
r13 0xfffe000000000000 -562949953421312
r14 0x7ffff5f14000 140737319616512
r15 0x7fffffffd060 140737488343136
rip 0x55b7a3 <Interpret(JSContext*, js::RunState&)+15347>
=> 0x55b7a3 <Interpret(JSContext*, js::RunState&)+15347>: mov (%rax),%rdx
0x55b7a6 <Interpret(JSContext*, js::RunState&)+15350>: mov 0x490(%rsp),%rax
Likely s-s due to GC crash and assertion is also scary.
Comment 2•7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0b11639e4085
user: Tooru Fujisawa
date: Mon Mar 27 23:20:19 2017 +0900
summary: Bug 1331092 - Part 9: Implement for-await-of. r=shu
This iteration took 213.049 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3•7 years ago
slotInRange assertion sounds buffer-overflowy, guessing sec-high
Flags: needinfo?(arai.unmht)
Keywords: sec-high
Comment 4•7 years ago
"for-await-of + return" sounds like bug 1454285 is related.
Comment 5•7 years ago
bug 1454285 patch fixes this issue.
I'm going to land the patch on May 22.
Flags: needinfo?(arai.unmht)
Updated•7 years ago
Priority: -- → P1
Whiteboard: [jsbugmon:update] → [jsbugmon:update][#jsapi:crashes-retriage]
Updated•7 years ago
Whiteboard: [jsbugmon:update][#jsapi:crashes-retriage] → [#jsapi:crashes-retriage] [jsbugmon:update,ignore]
Comment 6•7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d36cd8bdbc5c).
Bug 1454285 is fixed, double checking this.
Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:update,ignore] → [#jsapi:crashes-retriage] [jsbugmon:bisectfix]
Comment 8•7 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6ca6ced5189a
user: Tooru Fujisawa
date: Tue May 22 18:10:28 2018 +0900
summary: Bug 1454285 - Part 1: Specify the current scope when emitting await and .generator. r=jwalden
This iteration took 244.230 seconds to run.
Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:bisectfix] → [#jsapi:crashes-retriage] [jsbugmon:]
Comment 9•7 years ago
I'm still seeing crashes on 61.0 Fennec and on 62.0b1.
So, this may not be completely fixed. Arai, can you take another look?
Comment 10•7 years ago
Can you tell me which crash reports they are?
I cannot find related ones in crash-stats (for comment #0's case).
Flags: needinfo?(arai.unmht) → needinfo?(lhenry)
Comment 11•7 years ago
I am just looking at the two crash signatures in this bug. Here's the one from 62.0b1: https://crash-stats.mozilla.com/report/index/f2a19a77-b963-4dad-b3ba-62d1b0180625
Flags: needinfo?(lhenry)
Comment 12•7 years ago
About crashes in Interpret, on versions 61+, none of them looks like comment #0's case.
So I think it's better to file a new bug.
Some of them look like JSFunction or JSScript objects/pointers being broken.
https://crash-stats.mozilla.com/report/index/bba7f0e6-a04f-4151-a867-9d00a0180627
https://crash-stats.mozilla.com/report/index/a4c0ff26-9700-40df-8e7d-cad130180627
https://crash-stats.mozilla.com/report/index/8067b73f-df5b-40ae-8ba0-550860180626 (maybe)
https://crash-stats.mozilla.com/report/index/23fbe29d-68bf-43f9-b6be-847710180627
https://crash-stats.mozilla.com/report/index/7254ef70-b3da-48ed-b8a6-5b0e20180627
https://crash-stats.mozilla.com/report/index/5ae45ea1-15fc-4697-8c7f-b90110180626
https://crash-stats.mozilla.com/report/index/f843fce6-a89f-4238-bbd6-9a00e0180626
Comment 13•7 years ago
Updated•7 years ago
Assignee: nobody → arai.unmht
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → fixed
Depends on: 1454285
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Updated•7 years ago
Status: RESOLVED → VERIFIED
status-firefox63: --- → verified
Comment 14•7 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 15•7 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #9)
> I'm still seeing crashes on 61.0 Fennec and on 62.0b1.
The signatures are very generic: that one function is 2600 lines long! This bug is about a specific testcase and that has been fixed.
Blocks: 1331092
Group: javascript-core-security → core-security-release
tracking-firefox-esr60: --- → 61+
Updated•6 years ago
Group: core-security-release