Bug 1500254 (Closed; opened 6 years ago, closed 6 years ago)
Assertion failure: tag <= CalleeToken_Script, at js/src/jit/JitFrames.h:34
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target milestone mozilla64

Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox63 | --- | unaffected
firefox64 | --- | fixed
firefox65 | --- | fixed
firefox66 | --- | verified
People: Reporter: decoder, Assigned: djvj
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
The following testcase crashes on mozilla-central revision 8f709fd4aa46 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager --ion-offthread-compile=off):
// m is SpiderMonkey's MAX_DENSE_ELEMENTS_ALLOCATION ((1 << 28) - 1); f = m - 2
// is MAX_DENSE_ELEMENTS_COUNT once the two-slot element header is subtracted.
const m = (1 << 28) - 1;
const f = m - 2;
let a = [];
// The writes straddle the dense-element limit, so the array switches from
// dense to sparse elements mid-loop while Ion-compiled code is on the stack.
for (let i = f - 16; i < f + 16; i++)
a[i] = i;
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555555bcd7bc in js::jit::GetCalleeTokenTag (token=<optimized out>) at js/src/jit/JitFrames.h:34
#0 0x0000555555bcd7bc in js::jit::GetCalleeTokenTag (token=<optimized out>) at js/src/jit/JitFrames.h:34
#1 js::jit::ScriptFromCalleeToken (token=<optimized out>) at js/src/jit/JitFrames.h:81
#2 0x0000555555bdbdb2 in js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:126
#3 0x0000555555b9d5c5 in InvalidateActivation (activations=..., invalidateAll=invalidateAll@entry=false, fop=0x7ffff5f1a040) at js/src/jit/Ion.cpp:2795
#4 0x0000555555b9dcaa in js::jit::Invalidate (types=..., fop=fop@entry=0x7ffff5f1a040, invalid=..., resetUses=resetUses@entry=true, cancelOffThread=cancelOffThread@entry=true) at js/src/jit/Ion.cpp:2981
#5 0x000055555610ab8e in js::TypeZone::processPendingRecompiles (this=0x7ffff4902550, fop=0x7ffff5f1a040, recompiles=...) at js/src/vm/TypeInference.cpp:2832
#6 0x0000555555ad460f in js::AutoEnterAnalysis::~AutoEnterAnalysis (this=0x7fffffffc580, __in_chrg=<optimized out>) at js/src/vm/TypeInference-inl.h:486
#7 0x0000555556129b23 in js::ObjectGroup::markUnknown (this=0x7ffff4d88b80, sweep=..., cx=cx@entry=0x7ffff5f18000) at js/src/vm/TypeInference.cpp:3251
#8 0x0000555555948a28 in js::MarkObjectGroupUnknownProperties (obj=<optimized out>, cx=0x7ffff5f18000) at js/src/vm/TypeInference-inl.h:649
#9 js::TypeScript::MonitorAssign (id=..., obj=..., cx=0x7ffff5f18000) at js/src/vm/TypeInference-inl.h:829
#10 SetObjectElementOperation (cx=0x7ffff5f18000, obj=..., id=id@entry=..., value=value@entry=..., receiver=..., receiver@entry=..., strict=strict@entry=false, script=0x0, pc=0x0) at js/src/vm/Interpreter.cpp:1853
#11 0x000055555594bb35 in js::SetObjectElement (cx=<optimized out>, obj=obj@entry=..., index=..., index@entry=..., value=..., value@entry=..., strict=<optimized out>) at js/src/vm/Interpreter.cpp:5150
#12 0x0000555555c2972e in js::jit::IonSetPropertyIC::update (cx=<optimized out>, outerScript=..., ic=0x7ffff49353f0, obj=..., idVal=..., rhs=...) at js/src/jit/IonIC.cpp:301
#13 0x00001634b2102095 in ?? ()
#14 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffffc290 140737488339600
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffc200 140737488339456
rsp 0x7fffffffc200 140737488339456
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x2 2
r13 0x555556986780 93825013409664
r14 0x7fffffffc298 140737488339608
r15 0x5555568c5fbc 93825012621244
rip 0x555555bcd7bc <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+76>
=> 0x555555bcd7bc <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+76>: movl $0x0,0x0
0x555555bcd7c7 <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+87>: ud2
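The testcase above, generalised into a self-checking regression harness. This is an added example, not code from the bug or from mozilla-central: the constants MAX_DENSE_ELEMENTS_ALLOCATION and MAX_DENSE_ELEMENTS_COUNT are assumed from SpiderMonkey's NativeObject.h, and the functions fillAcrossLimit and sweepLimits are hypothetical names chosen here. The first loop is the same write pattern as the testcase; the checks after it only run if the engine survives the dense-to-sparse transition, and they verify that every element written across the boundary reads back intact. The harness is engine-agnostic and also runs under Node.js, where the boundary has no special meaning.

```javascript
'use strict';

// Dense-element limits assumed from SpiderMonkey's NativeObject.h:
// MAX_DENSE_ELEMENTS_ALLOCATION = (1 << 28) - 1, minus a two-value header.
// These are assumptions for this example; other engines use other thresholds.
const MAX_DENSE_ELEMENTS_ALLOCATION = (1 << 28) - 1;
const VALUES_PER_HEADER = 2;
const MAX_DENSE_ELEMENTS_COUNT = MAX_DENSE_ELEMENTS_ALLOCATION - VALUES_PER_HEADER;

// Write `radius` elements on each side of `limit` (the same pattern as the
// bug's testcase) and verify that every value survives the transition from
// dense to sparse elements. Returns a summary object so a harness can assert
// on it instead of on printed output.
function fillAcrossLimit(limit, radius) {
  const a = [];
  const lo = limit - radius;
  const hi = limit + radius;
  for (let i = lo; i < hi; i++) {
    a[i] = i;
  }
  // Read every written slot back; a lost or corrupted element fails the check.
  let valuesIntact = true;
  for (let i = lo; i < hi; i++) {
    if (a[i] !== i) {
      valuesIntact = false;
      break;
    }
  }
  // Indices below `lo` were never written and must still read as holes.
  const holeBefore = !((lo - 1) in a);
  return {
    length: a.length,          // one past the highest index written
    written: hi - lo,          // number of elements the loop stored
    ownKeys: Object.keys(a).length, // own index properties actually present
    valuesIntact,
    holeBefore,
  };
}

// Sweep several boundaries the way a fuzzer would: a small power of two, the
// assumed dense-element limit, and the top of the array-index range
// (2^32 - 2 is the largest valid array index, so the last window ends there).
function sweepLimits(radius) {
  const limits = [1 << 16, MAX_DENSE_ELEMENTS_COUNT, 2 ** 32 - 2 - radius];
  return limits.map((limit) => ({ limit, ...fillAcrossLimit(limit, radius) }));
}

// Stand-alone usage: run the bug's exact window (radius 16 around f = m - 2).
const summary = fillAcrossLimit(MAX_DENSE_ELEMENTS_COUNT, 16);
console.log(JSON.stringify(summary));
```

On an engine with the fix, or on any engine without this bug, fillAcrossLimit reports 32 written elements, 32 own keys and valuesIntact true; on the affected revision with the shell flags from the description the first loop is where the original testcase crashes, so no summary is produced.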
This is an automated crash issue comment:
Summary: Crash [@ JSFunction::nonLazyScript]
Build version: mozilla-central revision 8f709fd4aa46
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --ion-offthread-compile=off test.js
Testcase:
var N = 1 << 16;
var array = Array();
// N / 0 is Infinity, so `i != N / 0` never becomes false: the loop keeps
// appending elements until the engine stops it (here via the recursion-limit
// check inside array_addProperty, frames #15-#17 below).
for (var i = 0; i != N / 0; ++i) array[i] = i;
Backtrace:
received signal SIGSEGV, Segmentation fault.
JSFunction::nonLazyScript (this=0x10040594) at js/src/vm/JSFunction.h:598
#0 JSFunction::nonLazyScript (this=0x10040594) at js/src/vm/JSFunction.h:598
#1 0x0000555555bdbdb2 in js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:126
#2 0x0000555555bdbe32 in js::jit::JSJitFrameIter::checkInvalidation (this=this@entry=0x7fffffdfe0d8, ionScriptOut=ionScriptOut@entry=0x7fffffdfd9b8) at js/src/jit/JSJitFrameIter.cpp:58
#3 0x0000555555bdc344 in js::jit::JSJitFrameIter::ionScript (this=0x7fffffdfe0d8) at js/src/jit/JSJitFrameIter.cpp:256
#4 0x0000555555bdc5a1 in js::jit::JSJitFrameIter::safepoint (this=0x7fffffdfe0d8) at js/src/jit/JSJitFrameIter.cpp:275
#5 0x0000555555bdc64a in js::jit::JSJitFrameIter::machineState (this=this@entry=0x7fffffdfe0d8) at js/src/jit/JSJitFrameIter.cpp:210
#6 0x0000555555c41174 in js::jit::InlineFrameIterator::resetOn (this=this@entry=0x7fffffdfe130, iter=0x7fffffdfe0d8) at js/src/jit/JitFrames.cpp:2161
#7 0x00005555560d4c34 in js::FrameIter::nextJitFrame (this=0x7fffffdfe080) at js/src/vm/Stack.cpp:879
#8 0x00005555560d7233 in js::FrameIter::settleOnActivation (this=0x7fffffdfe080) at js/src/vm/Stack.cpp:776
#9 0x00005555560db72b in js::FrameIter::FrameIter (this=0x7fffffdfe080, cx=0x7ffff5f18000, debuggerEvalOption=<optimized out>, principals=<optimized out>) at js/src/vm/Stack.cpp:845
#10 0x0000555555fc6ec7 in js::NonBuiltinFrameIter::NonBuiltinFrameIter (principals=<optimized out>, cx=0x7ffff5f18000, this=0x7fffffdfe080) at js/src/vm/Stack.h:2290
#11 PopulateReportBlame (cx=cx@entry=0x7ffff5f18000, report=report@entry=0x7fffffdfe510) at js/src/vm/JSContext.cpp:286
#12 0x0000555555fd0c79 in js::ReportErrorNumberVA (cx=cx@entry=0x7ffff5f18000, flags=<optimized out>, flags@entry=0, callback=callback@entry=0x555555fc5b70 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=120, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=0x7fffffdfe5f0) at js/src/vm/JSContext.cpp:882
#13 0x0000555555e24d48 in JS_ReportErrorNumberASCIIVA (cx=0x7ffff5f18000, errorCallback=0x555555fc5b70 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=120, ap=ap@entry=0x7fffffdfe5f0) at js/src/jsapi.cpp:5738
#14 0x0000555555e24df8 in JS_ReportErrorNumberASCII (cx=cx@entry=0x7ffff5f18000, errorCallback=errorCallback@entry=0x555555fc5b70 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=120) at js/src/jsapi.cpp:5727
#15 0x0000555555fc9306 in js::ReportOverRecursed (maybecx=0x7ffff5f18000, errorNumber=120) at js/src/vm/JSContext.cpp:360
#16 0x00005555558809a0 in js::CheckRecursionLimit (cx=0x7ffff5f18000) at js/src/jsfriendapi.h:1090
#17 0x000055555600ed5b in js::CallJSAddPropertyOp (v=..., id=..., obj=..., op=0x555555984a50 <array_addProperty(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue)>, cx=0x7ffff5f18000) at js/src/vm/JSContext-inl.h:276
#18 CallAddPropertyHook (cx=0x7ffff5f18000, obj=..., id=..., value=...) at js/src/vm/NativeObject.cpp:1219
#19 0x000055555603a097 in AddOrChangeProperty<(IsAddOrChange)0> (cx=0x7ffff5f18000, obj=..., id=..., desc=...) at js/src/vm/NativeObject.cpp:1536
#20 0x000055555603e0b1 in js::AddOrUpdateSparseElementHelper (cx=<optimized out>, obj=..., int_id=<optimized out>, v=..., strict=<optimized out>) at js/src/vm/NativeObject.cpp:2134
#21 0x0000259fd97c16a1 in ?? ()
#22 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffdfe0d8 140737486250200
rcx 0x18 24
rdx 0x2 2
rsi 0x7fffffdfd9b8 140737486248376
rdi 0x10040594 268699028
rbp 0x7fffffdfd980 140737486248320
rsp 0x7fffffdfd970 140737486248304
r8 0x30 48
r9 0x1 1
r10 0x0 0
r11 0x0 0
r12 0x7fffffdfd9b8 140737486248376
r13 0x7fffffdfdcc0 140737486249152
r14 0x7fffffdfe0d0 140737486250192
r15 0x7fffffdfdfb8 140737486249912
rip 0x555555823721 <JSFunction::nonLazyScript() const+1>
=> 0x555555823721 <JSFunction::nonLazyScript() const+1>: testb $0x1,0x22(%rdi)
0x555555823725 <JSFunction::nonLazyScript() const+5>: mov %rsp,%rbp
Marking as fuzzblocker due to the amount of different signatures.
Flags: needinfo?(tcampbell)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Comment 3•6 years ago
Updated•6 years ago
Priority: -- → P1
Updated•6 years ago
Assignee: nobody → kvijayan
Comment 4•6 years ago
According to :decoder, this is no longer a fuzzblocker after backout.
Leaving open and assigned to :djvj since the testcase is useful when we retry the landing.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [jsbugmon:update,bisect]
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:]
Updated•6 years ago
status-firefox65: --- → ?
Comment 5•6 years ago
This has been fixed and landed as part of bug 1494537.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
status-firefox63: --- → unaffected
status-firefox65: ? → ---
status-firefox-esr60: --- → unaffected
Target Milestone: --- → mozilla64
Updated•6 years ago
Group: javascript-core-security → core-security-release
Updated•6 years ago
Status: RESOLVED → VERIFIED
status-firefox66: --- → verified
Comment 6•6 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•6 years ago
status-firefox65: --- → ?
Updated•6 years ago
Updated•6 years ago
Group: core-security-release