Closed Bug 1540798 Opened 6 months ago Closed 5 months ago

Assertion failure: uncompressedStart < uncompressedLimit (subtraction below requires a non-empty range), at js/src/vm/Compression.h:79

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: decoder, Assigned: khyperia)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

The following testcase crashes on mozilla-central revision c06dfc552c64 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::Compressor::rangeToChunkAndOffset (lastChunkSize=<synthetic pointer>, lastChunk=<synthetic pointer>, firstChunkSize=<synthetic pointer>, firstChunkOffset=<synthetic pointer>, firstChunk=<synthetic pointer>, uncompressedLimit=50, uncompressedStart=50) at js/src/vm/Compression.h:78
#1  js::ScriptSource::units<char16_t> (this=this@entry=0x7ffff4dc9c90, cx=0x7ffff5f17000, holder=..., begin=<optimized out>, len=0) at js/src/vm/JSScript.cpp:1857
#2  0x0000555555bc58c5 in js::ScriptSource::PinnedUnits<char16_t>::PinnedUnits (this=0x7fffffffb2c0, cx=<optimized out>, source=0x7ffff4dc9c90, holder=..., begin=<optimized out>, len=<optimized out>) at js/src/vm/JSScript.cpp:1938
#3  0x0000555555b98b77 in js::ScriptSource::appendSubstring (this=<optimized out>, cx=cx@entry=0x7ffff5f17000, buf=..., start=25, stop=<optimized out>) at js/src/vm/JSScript.cpp:2026
#4  0x0000555555b9919d in JSScript::appendSourceDataForToString (this=<optimized out>, cx=cx@entry=0x7ffff5f17000, buf=...) at js/src/vm/JSScript.cpp:1681
#5  0x0000555555b3b036 in js::FunctionToString (cx=0x7ffff5f17000, fun=..., isToSource=<optimized out>) at js/src/vm/JSFunction.cpp:902
#6  0x0000555555b3b2c0 in fun_toStringHelper (cx=<optimized out>, obj=..., isToSource=<optimized out>) at js/src/vm/JSFunction.cpp:1019
#7  0x0000555555b3b5f4 in fun_toSource (cx=<optimized out>, cx@entry=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/JSFunction.cpp:1065
#8  0x00005555558f0109 in CallJSNative (cx=0x7ffff5f17000, native=native@entry=0x555555b3b4a0 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
#9  0x00005555558e2019 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:534
#10 0x00005555558e275d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:589
#11 0x00005555558e28d0 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:605
#12 0x0000555555ca534a in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=<optimized out>) at js/src/vm/Interpreter.h:91
#13 js::ValueToSource (cx=<optimized out>, v=..., v@entry=...) at js/src/vm/StringType.cpp:2356
#14 0x000055555591f1a7 in array_toSource (cx=<optimized out>, cx@entry=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Array.cpp:1222
#15 0x00005555558f0109 in CallJSNative (cx=0x7ffff5f17000, native=native@entry=0x55555591ed40 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
#16 0x00005555558e2019 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:534
#17 0x00005555558e275d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:589
#18 0x00005555558e28d0 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:605
#19 0x0000555555ca534a in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=<optimized out>) at js/src/vm/Interpreter.h:91
#20 js::ValueToSource (cx=<optimized out>, v=..., v@entry=...) at js/src/vm/StringType.cpp:2356
#21 0x0000555555952c60 in js::<lambda(JS::HandleId, JS::HandleValue, PropertyKind)>::operator()(JS::HandleId, JS::HandleValue, PropertyKind) const (__closure=__closure@entry=0x7fffffffbff0, id=..., id@entry=..., val=..., kind=PropertyKind::Normal) at js/src/builtin/Object.cpp:289
#22 0x000055555595a1b5 in js::ObjectToSource (cx=<optimized out>, obj=obj@entry=...) at js/src/builtin/Object.cpp:433
#23 0x000055555595a3f9 in obj_toSource (cx=<optimized out>, cx@entry=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Object.cpp:130
#24 0x00005555558f0109 in CallJSNative (cx=0x7ffff5f17000, native=native@entry=0x55555595a350 <obj_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
#25 0x00005555558e2019 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:534
#26 0x00005555558e275d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:589
#27 0x00005555558e28d0 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:605
#28 0x0000555555ca534a in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=<optimized out>) at js/src/vm/Interpreter.h:91
#29 js::ValueToSource (cx=<optimized out>, cx@entry=0x7ffff5f17000, v=...) at js/src/vm/StringType.cpp:2356
#30 0x0000555555c17c14 in str_uneval (cx=cx@entry=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/String.cpp:362
#31 0x00005555558f0109 in CallJSNative (cx=0x7ffff5f17000, native=native@entry=0x555555c17be0 <str_uneval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
#32 0x00005555558e2019 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:534
#33 0x00005555558e275d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:589
#34 0x00005555558d4011 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:593
#35 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3075
#36 0x00005555558e1a86 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:422
[...]
#45 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11276
rax	0x555557c22240	93825032921664
rbx	0x32	50
rcx	0x555556b602f0	93825015350000
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffb200	140737488335360
rsp	0x7fffffffb170	140737488335216
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x32	50
r13	0x7fffffffb2c0	140737488335552
r14	0x7ffff4dc9c90	140737301486736
r15	0x7ffff5f17000	140737319628800
rip	0x555555bc56a9 <js::ScriptSource::units<char16_t>(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long, unsigned long)+1017>
=> 0x555555bc56a9 <js::ScriptSource::units<char16_t>(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long, unsigned long)+1017>:	movl   $0x0,0x0
   0x555555bc56b4 <js::ScriptSource::units<char16_t>(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long, unsigned long)+1028>:	ud2
Attached file Testcase
Priority: -- → P1

Works in master.

I'm adding a patch for this test case instead of lumping it together with the other ones that were just closed because I don't understand the testcase, and am not confident of the source.

Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/284ef8e23db0
Add testcase for fuzzbug. r=jorendorff
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee: nobody → khyperia