Closed Bug 1500254 Opened Last year Closed Last year

Assertion failure: tag <= CalleeToken_Script, at js/src/jit/JitFrames.h:34

Categories: Core :: JavaScript Engine, defect, P1, critical
Platform: x86_64 Linux
Type: defect
Status: VERIFIED FIXED
Target Milestone: mozilla64

Tracking Status:
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed
firefox65 --- fixed
firefox66 --- verified

People: Reporter: decoder, Assigned: djvj

References: Blocks 1 open bug

Details: 4 keywords, Whiteboard: [jsbugmon:]

The following testcase crashes on mozilla-central revision 8f709fd4aa46 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager --ion-offthread-compile=off):

const m = (1 << 28) - 1;
const f = m - 2;
let a = [];
// Write 32 consecutive elements straddling index f, starting 16 below it.
for (let i = f - 16; i < f + 16; i++)
  a[i] = i;


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555bcd7bc in js::jit::GetCalleeTokenTag (token=<optimized out>) at js/src/jit/JitFrames.h:34
#0  0x0000555555bcd7bc in js::jit::GetCalleeTokenTag (token=<optimized out>) at js/src/jit/JitFrames.h:34
#1  js::jit::ScriptFromCalleeToken (token=<optimized out>) at js/src/jit/JitFrames.h:81
#2  0x0000555555bdbdb2 in js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:126
#3  0x0000555555b9d5c5 in InvalidateActivation (activations=..., invalidateAll=invalidateAll@entry=false, fop=0x7ffff5f1a040) at js/src/jit/Ion.cpp:2795
#4  0x0000555555b9dcaa in js::jit::Invalidate (types=..., fop=fop@entry=0x7ffff5f1a040, invalid=..., resetUses=resetUses@entry=true, cancelOffThread=cancelOffThread@entry=true) at js/src/jit/Ion.cpp:2981
#5  0x000055555610ab8e in js::TypeZone::processPendingRecompiles (this=0x7ffff4902550, fop=0x7ffff5f1a040, recompiles=...) at js/src/vm/TypeInference.cpp:2832
#6  0x0000555555ad460f in js::AutoEnterAnalysis::~AutoEnterAnalysis (this=0x7fffffffc580, __in_chrg=<optimized out>) at js/src/vm/TypeInference-inl.h:486
#7  0x0000555556129b23 in js::ObjectGroup::markUnknown (this=0x7ffff4d88b80, sweep=..., cx=cx@entry=0x7ffff5f18000) at js/src/vm/TypeInference.cpp:3251
#8  0x0000555555948a28 in js::MarkObjectGroupUnknownProperties (obj=<optimized out>, cx=0x7ffff5f18000) at js/src/vm/TypeInference-inl.h:649
#9  js::TypeScript::MonitorAssign (id=..., obj=..., cx=0x7ffff5f18000) at js/src/vm/TypeInference-inl.h:829
#10 SetObjectElementOperation (cx=0x7ffff5f18000, obj=..., id=id@entry=..., value=value@entry=..., receiver=..., receiver@entry=..., strict=strict@entry=false, script=0x0, pc=0x0) at js/src/vm/Interpreter.cpp:1853
#11 0x000055555594bb35 in js::SetObjectElement (cx=<optimized out>, obj=obj@entry=..., index=..., index@entry=..., value=..., value@entry=..., strict=<optimized out>) at js/src/vm/Interpreter.cpp:5150
#12 0x0000555555c2972e in js::jit::IonSetPropertyIC::update (cx=<optimized out>, outerScript=..., ic=0x7ffff49353f0, obj=..., idVal=..., rhs=...) at js/src/jit/IonIC.cpp:301
#13 0x00001634b2102095 in ?? ()
#14 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffc290	140737488339600
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc200	140737488339456
rsp	0x7fffffffc200	140737488339456
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x2	2
r13	0x555556986780	93825013409664
r14	0x7fffffffc298	140737488339608
r15	0x5555568c5fbc	93825012621244
rip	0x555555bcd7bc <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+76>
=> 0x555555bcd7bc <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+76>:	movl   $0x0,0x0
   0x555555bcd7c7 <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+87>:	ud2

This is an automated crash issue comment:

Summary: Crash [@ JSFunction::nonLazyScript]
Build version: mozilla-central revision 8f709fd4aa46
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --ion-offthread-compile=off test.js

Testcase:

var N = 1 << 16;
var array = Array();
// N / 0 is Infinity, so `i != N / 0` is always true and the loop never
// terminates on its own; it keeps appending elements until the engine fails.
for (var i = 0; i != N / 0; ++i) array[i] = i;

Backtrace:

received signal SIGSEGV, Segmentation fault.
JSFunction::nonLazyScript (this=0x10040594) at js/src/vm/JSFunction.h:598
#0  JSFunction::nonLazyScript (this=0x10040594) at js/src/vm/JSFunction.h:598
#1  0x0000555555bdbdb2 in js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:126
#2  0x0000555555bdbe32 in js::jit::JSJitFrameIter::checkInvalidation (this=this@entry=0x7fffffdfe0d8, ionScriptOut=ionScriptOut@entry=0x7fffffdfd9b8) at js/src/jit/JSJitFrameIter.cpp:58
#3  0x0000555555bdc344 in js::jit::JSJitFrameIter::ionScript (this=0x7fffffdfe0d8) at js/src/jit/JSJitFrameIter.cpp:256
#4  0x0000555555bdc5a1 in js::jit::JSJitFrameIter::safepoint (this=0x7fffffdfe0d8) at js/src/jit/JSJitFrameIter.cpp:275
#5  0x0000555555bdc64a in js::jit::JSJitFrameIter::machineState (this=this@entry=0x7fffffdfe0d8) at js/src/jit/JSJitFrameIter.cpp:210
#6  0x0000555555c41174 in js::jit::InlineFrameIterator::resetOn (this=this@entry=0x7fffffdfe130, iter=0x7fffffdfe0d8) at js/src/jit/JitFrames.cpp:2161
#7  0x00005555560d4c34 in js::FrameIter::nextJitFrame (this=0x7fffffdfe080) at js/src/vm/Stack.cpp:879
#8  0x00005555560d7233 in js::FrameIter::settleOnActivation (this=0x7fffffdfe080) at js/src/vm/Stack.cpp:776
#9  0x00005555560db72b in js::FrameIter::FrameIter (this=0x7fffffdfe080, cx=0x7ffff5f18000, debuggerEvalOption=<optimized out>, principals=<optimized out>) at js/src/vm/Stack.cpp:845
#10 0x0000555555fc6ec7 in js::NonBuiltinFrameIter::NonBuiltinFrameIter (principals=<optimized out>, cx=0x7ffff5f18000, this=0x7fffffdfe080) at js/src/vm/Stack.h:2290
#11 PopulateReportBlame (cx=cx@entry=0x7ffff5f18000, report=report@entry=0x7fffffdfe510) at js/src/vm/JSContext.cpp:286
#12 0x0000555555fd0c79 in js::ReportErrorNumberVA (cx=cx@entry=0x7ffff5f18000, flags=<optimized out>, flags@entry=0, callback=callback@entry=0x555555fc5b70 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=120, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=0x7fffffdfe5f0) at js/src/vm/JSContext.cpp:882
#13 0x0000555555e24d48 in JS_ReportErrorNumberASCIIVA (cx=0x7ffff5f18000, errorCallback=0x555555fc5b70 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=120, ap=ap@entry=0x7fffffdfe5f0) at js/src/jsapi.cpp:5738
#14 0x0000555555e24df8 in JS_ReportErrorNumberASCII (cx=cx@entry=0x7ffff5f18000, errorCallback=errorCallback@entry=0x555555fc5b70 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=120) at js/src/jsapi.cpp:5727
#15 0x0000555555fc9306 in js::ReportOverRecursed (maybecx=0x7ffff5f18000, errorNumber=120) at js/src/vm/JSContext.cpp:360
#16 0x00005555558809a0 in js::CheckRecursionLimit (cx=0x7ffff5f18000) at js/src/jsfriendapi.h:1090
#17 0x000055555600ed5b in js::CallJSAddPropertyOp (v=..., id=..., obj=..., op=0x555555984a50 <array_addProperty(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue)>, cx=0x7ffff5f18000) at js/src/vm/JSContext-inl.h:276
#18 CallAddPropertyHook (cx=0x7ffff5f18000, obj=..., id=..., value=...) at js/src/vm/NativeObject.cpp:1219
#19 0x000055555603a097 in AddOrChangeProperty<(IsAddOrChange)0> (cx=0x7ffff5f18000, obj=..., id=..., desc=...) at js/src/vm/NativeObject.cpp:1536
#20 0x000055555603e0b1 in js::AddOrUpdateSparseElementHelper (cx=<optimized out>, obj=..., int_id=<optimized out>, v=..., strict=<optimized out>) at js/src/vm/NativeObject.cpp:2134
#21 0x0000259fd97c16a1 in ?? ()
#22 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffdfe0d8	140737486250200
rcx	0x18	24
rdx	0x2	2
rsi	0x7fffffdfd9b8	140737486248376
rdi	0x10040594	268699028
rbp	0x7fffffdfd980	140737486248320
rsp	0x7fffffdfd970	140737486248304
r8	0x30	48
r9	0x1	1
r10	0x0	0
r11	0x0	0
r12	0x7fffffdfd9b8	140737486248376
r13	0x7fffffdfdcc0	140737486249152
r14	0x7fffffdfe0d0	140737486250192
r15	0x7fffffdfdfb8	140737486249912
rip	0x555555823721 <JSFunction::nonLazyScript() const+1>
=> 0x555555823721 <JSFunction::nonLazyScript() const+1>:	testb  $0x1,0x22(%rdi)
   0x555555823725 <JSFunction::nonLazyScript() const+5>:	mov    %rsp,%rbp

Marking as fuzzblocker due to the amount of different signatures.
Flags: needinfo?(tcampbell)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Blocks: 1494537
Flags: needinfo?(tcampbell)
Priority: -- → P1
Assignee: nobody → kvijayan

According to :decoder, this is no longer a fuzzblocker after backout.

Leaving open and assigned to :djvj since the testcase is useful when we retry the landing.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:]

This has been fixed and landed as part of bug 1494537.
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Group: javascript-core-security → core-security-release
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release