Closed Bug 1535901 Opened 5 years ago Closed 5 years ago

Crash [@ js::gc::Cell::storeBuffer] or Assertion failure: (asBits_ >> 47) <= JSVAL_TAG_OBJECT, at dist/include/js/Value.h:622

Categories

Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1534810
Tracking Status
firefox67 --- fix-optional

People

(Reporter: gkw, Unassigned)

References

(Blocks 1 open bug)

Details

(6 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 2a96d8f9339f (build with --enable-more-deterministic --enable-simulator=arm64, run with --fuzzing-safe --no-threads --ion-eager --ion-regalloc=testbed):

function f() {
    return (8 * true) | 0   // always the int32 8; the argument passed below is unused
}
y = [0];
(function() {
    var x = [];
    for (j = 0; j < 9; ++j) {
        for (k = 0; k < 1; ++k) {
            x.push(f(y[k]));   // dense-array push; this is the ArrayPushDense frame in the backtrace
        }
    }
    n();   // n is never defined, so a run that does not crash ends with a ReferenceError
})()

Backtrace:

#0 js::gc::Cell::storeBuffer (this=<optimized out>) at js/src/gc/Cell.h:271
#1 js::NativeObject::elementsRangeWriteBarrierPost (this=<optimized out>, start=<optimized out>, count=<optimized out>) at js/src/vm/NativeObject-inl.h:119
#2 js::NativeObject::copyDenseElements (this=0x1d69e7c005a8, dstStart=<optimized out>, src=<optimized out>, count=<optimized out>) at js/src/vm/NativeObject-inl.h:151
#3 0x00005646b7cc2494 in js::NativeObject::setOrExtendDenseElements (this=0x1d69e7c005a8, cx=0x7fd4dae16000, start=6, vp=0x7fd4dad7fd80, count=1, updateTypes=js::ShouldUpdateTypes::DontUpdate) at js/src/vm/NativeObject-inl.h:436
#4 0x00005646b8226ed4 in js::jit::ArrayPushDense (cx=0x7fd4dae16000, arr=..., v=..., length=0x7fd4dad7fd58) at js/src/jit/VMFunctions.cpp:454
#5 0x00005646b82becee in vixl::Simulator::VisitCallRedirection (this=0x7fd4dae37800, instr=0x7fd4dae286e8) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:583
/snip

For detailed crash information, see attachment.

This asserts the js debug shell at Assertion failure: (asBits_ >> 47) <= JSVAL_TAG_OBJECT, at dist/include/js/Value.h:622 but seems to differ from bug 1532405 in that it does not require GVN to be off.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/afb2e1e1665f
user: Sean Stangl
date: Thu Mar 07 03:57:23 2019 +0000
summary: Bug 1528869 - Enable IonMonkey in the ARM64 shell, but keep it disabled in the browser. r=nbp

Likely related to IonMonkey on ARM64, so setting needinfo? from :sstangl and :nbp.

Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
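The following reproduction harness is an added example, not part of the bug report or of the SpiderMonkey tree. It writes the testcase above to a temporary file, runs it with the exact shell flags from comment 0, and classifies the outcome by the two signatures the report gives (the Value.h assertion in a debug shell, a signal exit in an opt shell). The JS_SHELL environment variable is an assumption: it must point at a js shell built as described above (--enable-more-deterministic --enable-simulator=arm64). The "referenceerror" outcome is what a shell without the bug produces, because n() is undefined in the testcase.

```shell
#!/bin/sh
# Added reproduction/triage helper for the testcase in comment 0 (not from the bug).
# Assumption: $JS_SHELL is a js shell built with
#   --enable-more-deterministic --enable-simulator=arm64

# Flags taken verbatim from the report.
JS_FLAGS="--fuzzing-safe --no-threads --ion-eager --ion-regalloc=testbed"

# Write the testcase from the report, unmodified, to the file named by $1.
write_testcase() {
    cat > "$1" <<'EOF'
function f() {
    return (8 * true) | 0
}
y = [0];
(function() {
    var x = [];
    for (j = 0; j < 9; ++j) {
        for (k = 0; k < 1; ++k) {
            x.push(f(y[k]));
        }
    }
    n();
})()
EOF
}

# classify_output OUTPUT STATUS
#   assert         - the Value.h assertion quoted in the report fired (debug shell)
#   crash          - the shell died from a signal (exit status >= 128), e.g. the
#                    js::gc::Cell::storeBuffer crash in an opt shell
#   referenceerror - the loop completed and the undefined n() threw, i.e. no crash
#   other          - anything else (wrong shell, syntax error, ...)
classify_output() {
    out="$1"
    status="$2"
    case "$out" in
        *"Assertion failure: (asBits_ >> 47) <= JSVAL_TAG_OBJECT"*)
            echo assert
            return
            ;;
    esac
    if [ "$status" -ge 128 ]; then
        echo crash
        return
    fi
    case "$out" in
        *ReferenceError*) echo referenceerror ;;
        *)                echo other ;;
    esac
}

# Run the testcase under $JS_SHELL and print the classification.
reproduce() {
    tc=$(mktemp)
    write_testcase "$tc"
    # Capture stdout and stderr together; keep the exit status even under set -e.
    out=$("$JS_SHELL" $JS_FLAGS "$tc" 2>&1) && status=0 || status=$?
    rm -f "$tc"
    classify_output "$out" "$status"
}
```

Usage: `JS_SHELL=/path/to/js reproduce`. A result of `assert` on a debug shell or `crash` on an opt shell at revision 2a96d8f9339f reproduces the report; `referenceerror` means the push loop ran to completion without tripping the post-write barrier.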

Also locking s-s because bug 1532405 with the same assertion is s-s.

Group: javascript-core-security
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Keywords: sec-high

After testing, I confirm this was a duplicate of Bug 1534810.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Group: javascript-core-security
