Closed Bug 1546228 Opened 5 years ago Closed 5 years ago

Crash [@ js::AddClearDefiniteGetterSetterForPrototypeChain] or Assertion failure: hasStaticPrototype(), at vm/JSObject.h:353

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(5 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(1 file)

Bug 1546228 - Check for dynamic protos in AddClearDefiniteGetterSetterForPrototypeChain. r?tcampbell!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision b783cd5203ea (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --ion-warmup-threshold=0):

var SimpleObject = function() {
    this.a = 1;
}
SimpleObject.prototype = this;
var o = new SimpleObject();
function test() {
    var a = o.a;
}
test();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::AddClearDefiniteGetterSetterForPrototypeChain (cx=cx@entry=0x7ffff5f27000, group=group@entry=0x278e90275d00, id=..., id@entry=...) at js/src/vm/TypeInference.cpp:3287
#1  0x0000555555f4f56a in AnalyzePoppedThis (phandled=<synthetic pointer>, accessedProperties=0x7fffffffbc90, initializerList=0x7fffffffc220, baseobj=..., definitelyExecuted=<optimized out>, ins=0x7ffff5f78a68, thisValue=0x7ffff5f78760, group=0x278e90275d00, cx=0x7ffff5f27000) at js/src/jit/IonAnalysis.cpp:4414
#2  js::jit::AnalyzeNewScriptDefiniteProperties (cx=cx@entry=0x7ffff5f27000, fun=..., fun@entry=..., group=group@entry=0x278e90275d00, baseobj=..., baseobj@entry=..., initializerList=initializerList@entry=0x7fffffffc220) at js/src/jit/IonAnalysis.cpp:4680
#3  0x0000555555b7c8fe in js::TypeNewScript::maybeAnalyze (this=0x7ffff5fa0040, cx=cx@entry=0x7ffff5f27000, group=<optimized out>, regenerate=regenerate@entry=0x0, force=force@entry=true) at js/src/vm/TypeInference.cpp:3987
#4  0x0000555555f4deae in js::jit::IonCompile (cx=cx@entry=0x7ffff5f27000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2003
#5  0x0000555555f4e162 in js::jit::Compile (cx=cx@entry=0x7ffff5f27000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2277
#6  0x0000555555f4e20b in js::jit::CanEnterIon (cx=cx@entry=0x7ffff5f27000, state=...) at js/src/jit/Ion.cpp:2367
#7  0x0000555555f678e2 in js::jit::MaybeEnterJit (cx=cx@entry=0x7ffff5f27000, state=...) at js/src/jit/Jit.cpp:145
#8  0x000055555588b4d3 in js::RunScript (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:407
#9  0x000055555588bc3a in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f27000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#10 0x000055555588cd75 in InternalCall (args=..., cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:589
#11 js::CallFromStack (cx=cx@entry=0x7ffff5f27000, args=...) at js/src/vm/Interpreter.cpp:593
#12 0x0000555555dfc181 in js::jit::DoCallFallback (cx=0x7ffff5f27000, frame=0x7fffffffcb30, stub=0x7ffff5f27000, argc=0, vp=0x7fffffffcaf0, res=...) at js/src/jit/BaselineIC.cpp:3879
#13 0x000005096bbe4888 in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax	0x1	1
rbx	0x0	0
rcx	0x278e90279070	43493257351280
rdx	0x0	0
rsi	0x7fffffffbaf0	140737488337648
rdi	0x7fffffffbb10	140737488337680
rbp	0x7ffff5f27000	140737319694336
rsp	0x7fffffffba90	140737488337552
r8	0x0	0
r9	0x7ffff5f9e258	140737320182360
r10	0x70e	1806
r11	0x7ffff6b5e760	140737332504416
r12	0x7ffff5f9e258	140737320182360
r13	0x7fffffffbacf	140737488337615
r14	0x278e90275d00	43493257338112
r15	0x7ffff5f9e2e0	140737320182496
rip	0x555555b7bfa2 <js::AddClearDefiniteGetterSetterForPrototypeChain(JSContext*, js::ObjectGroup*, JS::Handle<JS::PropertyKey>)+130>
=> 0x555555b7bfa2 <js::AddClearDefiniteGetterSetterForPrototypeChain(JSContext*, js::ObjectGroup*, JS::Handle<JS::PropertyKey>)+130>:	mov    (%rax),%rbx
   0x555555b7bfa5 <js::AddClearDefiniteGetterSetterForPrototypeChain(JSContext*, js::ObjectGroup*, JS::Handle<JS::PropertyKey>)+133>:	mov    0x18(%rbx),%eax

I'm marking this s-s until investigated further because the assertion sounds potentially problematic.

Flags: needinfo?(jdemooij)

This likely was exposed to fuzzing when we added WindowProxy to the shell.

Not s-s because it crashes at 0x1 (TaggedProto::LazyProto).

Group: javascript-core-security
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/020e530d49b3
Check for dynamic protos in AddClearDefiniteGetterSetterForPrototypeChain. r=tcampbell

https://hg.mozilla.org/mozilla-central/rev/020e530d49b3

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee: nobody → jdemooij
status-firefox67: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: