Closed Bug 1524943 Opened 7 years ago Closed 7 years ago

Crash [@ js::IsPackedArray] or Assertion failure: args[0].isObject(), at vm/SelfHosting.cpp:783

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 + verified

People

(Reporter: decoder, Assigned: anba)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1b713c9f40d5 (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

function toU8(array) {
  return Uint8Array.from(array);
}
// Make every auto-boxed primitive inherit the Array iterator, so a primitive
// source passes the iterator check that guards the packed-array fast path.
Object.prototype[Symbol.iterator] = Array.prototype[Symbol.iterator];
var arrObj = [];
// arrObj.length is the primitive number 0, not an object.
toU8(arrObj.length);

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::IsPackedArray (obj=0x6800000000000) at js/src/vm/NativeObject-inl.h:935
#0  js::IsPackedArray (obj=0x6800000000000) at js/src/vm/NativeObject-inl.h:935
#1  intrinsic_IsPackedArray (cx=0x7ffff5f16000, argc=1, vp=0x7ffff5afc288) at js/src/vm/SelfHosting.cpp:784
#2  0x0000555555899fdd in CallJSNative (args=..., native=0x555555a6fc40 <intrinsic_IsPackedArray(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f16000) at js/src/vm/Interpreter.cpp:441
#3  js::InternalCallOrConstruct (cx=0x7ffff5f16000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:533
#4  0x000055555588e4e5 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:592
#5  Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:3068
#6  0x00005555558999e3 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:421
[...]
#15 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11209
rax	0x5555574acb60	93825025100640
rbx	0x6800000000000	1829587348619264
rcx	0x2	2
rdx	0x7ffff5afc288	140737315324552
rsi	0x1	1
rdi	0x7ffff5f16000	140737319624704
rbp	0x7fffffffccb0	140737488342192
rsp	0x7fffffffcaa0	140737488341664
r8	0xfffdffffffffffff	-562949953421313
r9	0xfffe000000000000	-562949953421312
r10	0x7ffff5afc298	140737315324568
r11	0xfffb000000000000	-1407374883553280
r12	0x7fffffffcb10	140737488341776
r13	0x555555a6fc40	93824997588032
r14	0x7ffff5af7c00	140737315306496
r15	0x7fffffffccb0	140737488342192
rip	0x555555a6fc6a <intrinsic_IsPackedArray(JSContext*, unsigned int, JS::Value*)+42>
=> 0x555555a6fc6a <intrinsic_IsPackedArray(JSContext*, unsigned int, JS::Value*)+42>:	mov    (%rbx),%rdi
   0x555555a6fc6d <intrinsic_IsPackedArray(JSContext*, unsigned int, JS::Value*)+45>:	cmp    %rax,(%rdi)

This looks like a non-object value flowing into self-hosted code that expects an object. These types of bugs can be critical, hence s-s.

André, this might be from your TypedArray work :)

Flags: needinfo?(andrebargull)

Yup, there's simply a missing IsObject(source) check before calling IsPackedArray(source) in TypedArrayStaticFrom.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d58a5867916b
user: André Bargull
date: Thu Jan 31 10:36:27 2019 -0800
summary: Bug 1522157 - Part 1: Add fast path when TypedArray.from is called with packed arrays. r=jandem

This iteration took 542.616 seconds to run.

Attached patch bug1524943.patch

I've added the IsObject call to the outer if-statement, because for bug 1491813 we'll also need to check for objects first before calling IsTypedArray.
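The missing guard described in the two comments above, as an added JavaScript model that is not SpiderMonkey's real self-hosted code: `IsPackedArray`, `typedArrayFrom` and `reproduce` are stand-ins written for this example, and `guarded` switches between the unguarded ordering and the fixed one where IsObject(source) sits in the outer condition.

```javascript
// Added model (not SpiderMonkey's real self-hosted code) of the TypedArray.from
// fast path this bug describes. The native IsPackedArray intrinsic dereferences its
// argument as an object, so a primitive is a precondition violation; the stand-in
// throws where the engine segfaulted.
function IsPackedArray(obj) {
  if (typeof obj !== "object" || obj === null) {
    throw new Error("IsPackedArray: non-object argument (engine would crash here)");
  }
  if (!Array.isArray(obj)) return false;
  for (let i = 0; i < obj.length; i++) if (!(i in obj)) return false; // no holes
  return true;
}

const ArrayValues = Array.prototype[Symbol.iterator];

// Model of TypedArrayStaticFrom. `guarded` selects the fixed ordering, in which
// IsObject(source) is tested in the outer condition before IsPackedArray(source).
function typedArrayFrom(source, guarded) {
  // GetMethod(source, @@iterator): a primitive is auto-boxed, so a number inherits
  // whatever Object.prototype[Symbol.iterator] currently holds.
  const usingIterator = source[Symbol.iterator];
  const isObject = typeof source === "object" && source !== null;
  const fastPath = guarded
    ? isObject && usingIterator === ArrayValues && IsPackedArray(source)
    : usingIterator === ArrayValues && IsPackedArray(source);
  let list;
  if (fastPath) {
    list = source.slice();                   // dense copy, no iteration needed
  } else if (usingIterator !== undefined) {
    list = [...usingIterator.call(source)];  // generic iterator protocol
  } else {
    list = Array.from(Object(source));       // array-like path
  }
  return new Uint8Array(list);
}

// Re-creates the bug's testcase against the model: returns the result length, or
// "crash" when the unguarded path reaches IsPackedArray with a primitive source.
function reproduce(guarded) {
  Object.prototype[Symbol.iterator] = ArrayValues;   // as in the testcase
  try {
    return typedArrayFrom([].length, guarded).length;
  } catch (e) {
    if (String(e.message).startsWith("IsPackedArray")) return "crash";
    throw e;
  } finally {
    delete Object.prototype[Symbol.iterator];        // restore default state
  }
}
```

With the guard in place the primitive source simply falls through to the generic iterator path and yields an empty Uint8Array, which is the behaviour the fixed engine shows for this testcase.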

Attachment #9041434 - Flags: review?(jdemooij)
Attachment #9041434 - Flags: review?(jdemooij) → review+
Keywords: checkin-needed
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release
Keywords: bugmon