Bug 1462288 (Closed)
Opened 6 years ago, closed 6 years ago
Crash [@ Interpret] or Crash [@ js::gc::ChunkBitmap::isMarkedAny] or Assertion failure: slotInRange(slot), at vm/NativeObject.h:966 with async function and for-await
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target milestone: mozilla62
People: Reporter: decoder, Unassigned
Details: 5 keywords, Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:]
Attachments (1 file): 3.51 KB, text/plain
The following testcase crashes on mozilla-central revision 3c9d69736f4a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --no-threads --disable-oom-functions):

    async function fn() {
      for await (let [_, x] of [[]])
        for await (const { iterCount = fn() } of [{}]) {
          return;
        }
    }
    fn()

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    Interpret (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:3418
    #0  Interpret (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:3418
    #1  0x0000000000564eaa in js::RunScript (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:417
    #2  0x00000000005653f3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f14000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
    #3  0x0000000000565645 in InternalCall (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:516
    #4  0x00000000005656b8 in js::Call (cx=cx@entry=0x7ffff5f14000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
    #5  0x0000000000a1d1f7 in js::CallSelfHostedFunction (cx=cx@entry=0x7ffff5f14000, name=..., thisv=thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/SelfHosting.cpp:1852
    #6  0x00000000008e40a0 in AsyncFunctionResume (cx=0x7ffff5f14000, resultPromise=..., generatorVal=..., kind=kind@entry=ResumeKind::Normal, valueOrReason=...) at js/src/vm/AsyncFunction.cpp:190
    #7  0x00000000008e633a in js::AsyncFunctionAwaitedFulfilled (cx=<optimized out>, resultPromise=..., generatorVal=..., value=...) at js/src/vm/AsyncFunction.cpp:217
    #8  0x00000000005c46bd in AsyncFunctionPromiseReactionJob (rval=..., reaction=..., cx=<optimized out>) at js/src/builtin/Promise.cpp:1093
    #9  PromiseReactionJob (cx=<optimized out>, argc=<optimized out>, vp=0x7fffffffd608) at js/src/builtin/Promise.cpp:1198
    #10 0x0000000000565231 in js::CallJSNative (args=..., native=0x5c3f10 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f14000) at js/src/vm/JSContext-inl.h:280
    #11 js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f14000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
    #12 0x0000000000565645 in InternalCall (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:516
    #13 0x00000000005656b8 in js::Call (cx=cx@entry=0x7ffff5f14000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:535
    #14 0x00000000008aacc6 in JS::Call (cx=cx@entry=0x7ffff5f14000, thisv=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2989
    #15 0x000000000099a912 in JS::Call (rval=..., args=..., funObj=..., thisv=..., cx=0x7ffff5f14000) at js/src/jsapi.h:3082
    #16 js::RunJobs (cx=cx@entry=0x7ffff5f14000) at js/src/vm/JSContext.cpp:1154
    #17 0x000000000043dcde in Shell (envp=<optimized out>, op=0x7fffffffd980, cx=0x7ffff5f14000) at js/src/shell/js.cpp:8838
    #18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9301

    rax 0x0 0
    rbx 0x7fffffffce30 140737488342576
    rcx 0xfffe7ffff5e029a0 -422212634924640
    rdx 0x2 2
    rsi 0x0 0
    rdi 0x7ffff5d7f040 140737317957696
    rbp 0x7ffff5f14020 140737319616544
    rsp 0x7fffffffca10 140737488341520
    r8  0x3a 58
    r9  0x1 1
    r10 0x7fffffffc740 140737488340800
    r11 0x7ffff5f14020 140737319616544
    r12 0x1e64e80 31870592
    r13 0xfffe000000000000 -562949953421312
    r14 0x7ffff5f14000 140737319616512
    r15 0x7fffffffd060 140737488343136
    rip 0x55b7a3 <Interpret(JSContext*, js::RunState&)+15347>
    => 0x55b7a3 <Interpret(JSContext*, js::RunState&)+15347>: mov (%rax),%rdx
       0x55b7a6 <Interpret(JSContext*, js::RunState&)+15350>: mov 0x490(%rsp),%rax

Likely s-s due to GC crash and assertion is also scary.
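As an added example (not part of this bug report, and not a SpiderMonkey test), the following is a regression-style check for the pattern in the testcase above: nested for-await-of loops, a destructuring default initializer that calls a function (in the second variant, the same async function re-entered while the outer invocation is suspended), and a `return` from the inner loop body. Rather than only checking "does not crash", it asserts the semantics a correct engine must implement for this shape: the loop bindings and the default-initialized binding are visible in the body with the right values, the initializer runs once, and the `return` closes the inner iterator before the outer one. The instrumented iterators, the `init` helper and the depth bound on the re-entrant variant are assumptions of the example; the original recursed without bound. It runs on any engine with async iteration, e.g. Node.js.

```javascript
// Added example: regression-style check for for-await-of + destructuring
// default initializer + `return` from the loop body. Not from the bug report.

// Builds an async iterable that records next()/return() calls in `log`.
// Array iterators have no return(), so a custom iterator is needed to observe
// whether `return` inside the loops closes both iterators, and in what order.
function makeAsyncIterable(name, values, log) {
  return {
    [Symbol.asyncIterator]() {
      let i = 0;
      return {
        async next() {
          if (i < values.length) {
            log.push(`${name}.next`);
            return { value: values[i++], done: false };
          }
          return { value: undefined, done: true };
        },
        async return(value) {
          log.push(`${name}.return`);
          return { value, done: true };
        },
      };
    },
  };
}

// Same shape as the testcase, with a plain function as the initializer and
// instrumented iterators. Expected: x === 2, iterCount === 42, initCalls === 1,
// and the log shows inner.return before outer.return.
async function nestedForAwait(log) {
  let initCalls = 0;
  const init = () => { initCalls++; log.push("init"); return 42; };
  const outer = makeAsyncIterable("outer", [[1, 2]], log);
  const inner = makeAsyncIterable("inner", [{}], log);
  for await (let [_, x] of outer) {
    for await (const { iterCount = init() } of inner) {
      return { x, iterCount, initCalls };
    }
  }
  return null;
}

// Closer to the testcase: the default initializer re-enters the same async
// function while this invocation is suspended inside the loops. Bounded by
// `depth` (an assumption of the example) so the check terminates.
async function reentrant(depth, log) {
  const outer = makeAsyncIterable(`outer${depth}`, [[1, depth]], log);
  const inner = makeAsyncIterable(`inner${depth}`, [{}], log);
  for await (let [_, x] of outer) {
    for await (const { iterCount = depth < 2 ? reentrant(depth + 1, log) : null } of inner) {
      // iterCount is the nested invocation's promise, or null at the deepest level
      const nested = iterCount ? await iterCount : null;
      return { x, nested };
    }
  }
  return null;
}

// Runs both variants and returns everything worth asserting on.
async function runChecks() {
  const log1 = [];
  const simple = await nestedForAwait(log1);
  const log2 = [];
  const nested = await reentrant(0, log2);
  // Every iterator opened by the re-entrant variant must be closed exactly once.
  const returnsSeen = log2.filter((e) => e.endsWith(".return")).sort();
  return { simple, log1, nested, returnsSeen };
}

runChecks().then((r) => console.log(JSON.stringify(r, null, 2)));
```

On a fixed engine this prints the results and exits cleanly; it does not replace the reporter's testcase as a crash reproducer for the affected SpiderMonkey build, because the original relies on the unbounded recursion and on the shell's GC settings.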
Comment 2•6 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0b11639e4085
user: Tooru Fujisawa
date: Mon Mar 27 23:20:19 2017 +0900
summary: Bug 1331092 - Part 9: Implement for-await-of. r=shu

This iteration took 213.049 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3•6 years ago
slotInRange assertion sounds buffer-overflowy, guessing sec-high
Flags: needinfo?(arai.unmht)
Keywords: sec-high
Comment 4•6 years ago
"for-await-of + return" sounds like bug 1454285 is related.
Comment 5•6 years ago
The bug 1454285 patch fixes this issue. I'm going to land the patch on May 22.
Flags: needinfo?(arai.unmht)
Updated•6 years ago
Priority: -- → P1
Whiteboard: [jsbugmon:update] → [jsbugmon:update][#jsapi:crashes-retriage]
Updated•6 years ago
Whiteboard: [jsbugmon:update][#jsapi:crashes-retriage] → [#jsapi:crashes-retriage] [jsbugmon:update,ignore]
Comment 6•6 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d36cd8bdbc5c).
Bug 1454285 is fixed, double-checking this.
Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:update,ignore] → [#jsapi:crashes-retriage] [jsbugmon:bisectfix]
Comment 8•6 years ago
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6ca6ced5189a
user: Tooru Fujisawa
date: Tue May 22 18:10:28 2018 +0900
summary: Bug 1454285 - Part 1: Specify the current scope when emitting await and .generator. r=jwalden

This iteration took 244.230 seconds to run.
Whiteboard: [#jsapi:crashes-retriage] [jsbugmon:bisectfix] → [#jsapi:crashes-retriage] [jsbugmon:]
Comment 9•6 years ago
I'm still seeing crashes on 61.0 Fennec and on 62.0b1. So, this may not be completely fixed. Arai, can you take another look?
Comment 10•6 years ago
Can you tell me which crash reports they are? I cannot find related ones in crash-stats (for comment #0's case).
Flags: needinfo?(arai.unmht) → needinfo?(lhenry)
Comment 11•6 years ago
I am just looking at the two crash signatures in this bug. Here's the one from 62.0b1: https://crash-stats.mozilla.com/report/index/f2a19a77-b963-4dad-b3ba-62d1b0180625
Flags: needinfo?(lhenry)
Comment 12•6 years ago
About crashes in Interpret on versions 61+: none of them looks like comment #0's case, so I think it's better to file a new bug. Some of them look like JSFunction or JSScript objects/pointers being broken:

https://crash-stats.mozilla.com/report/index/bba7f0e6-a04f-4151-a867-9d00a0180627
https://crash-stats.mozilla.com/report/index/a4c0ff26-9700-40df-8e7d-cad130180627
https://crash-stats.mozilla.com/report/index/8067b73f-df5b-40ae-8ba0-550860180626 (maybe)
https://crash-stats.mozilla.com/report/index/23fbe29d-68bf-43f9-b6be-847710180627
https://crash-stats.mozilla.com/report/index/7254ef70-b3da-48ed-b8a6-5b0e20180627
https://crash-stats.mozilla.com/report/index/5ae45ea1-15fc-4697-8c7f-b90110180626
https://crash-stats.mozilla.com/report/index/f843fce6-a89f-4238-bbd6-9a00e0180626
Comment 13•6 years ago
Updated•6 years ago
Assignee: nobody → arai.unmht
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → fixed
Depends on: 1454285
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Updated•6 years ago
Status: RESOLVED → VERIFIED
status-firefox63: --- → verified
Comment 14•6 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 15•6 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #9)
> I'm still seeing crashes on 61.0 Fennec and on 62.0b1.

The signatures are very generic: that one function is 2600 lines long! This bug is about a specific testcase and that has been fixed.
Blocks: 1331092
Group: javascript-core-security → core-security-release
tracking-firefox-esr60: --- → 61+
Updated•5 years ago
Group: core-security-release