Closed Bug 1570926 Opened 5 years ago Closed 5 years ago

Assertion failure: v.isObject(), at js/src/builtin/Boolean.cpp:167 or Crash [@ js::GetObjectClass]

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision b0124f065629 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads):

assertEq = function(a, b) {
    try {
        print(a);
    } catch (exc) {}
}
enableShellAllocationMetadataBuilder();
var appendToActual = function(s) {
    actual += s + ',';
}
actual = '';
expected = '2,4,8,16,32,undefined';
var f20 = function() {
    var p71 = 1;
    function g48() {
        for (var i69 = 0; i69 < 5; ++i69) {
            appendToActual(p71);
        }
    }
    return g48;
}
var g48 = f20(Array, expected);
for (var i69 = 0; i69 < 5; assertEq(f20(6)) && (this)) {
    g48();
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::ToBooleanSlow (v=...) at js/src/builtin/Boolean.cpp:167
#0  js::ToBooleanSlow (v=...) at js/src/builtin/Boolean.cpp:167
#1  0x00005555560f081e in JS::ToBoolean (v=...) at dist/include/js/Conversions.h:128
#2  js::jit::DoToBoolFallback (cx=0x7ffff5f23000, frame=0x7fffffffc360, stub=0x7ffff5cd1700, arg=..., ret=...) at js/src/jit/BaselineIC.cpp:1962
#3  0x00003a5bbc27224f in ?? ()
#4  0x0000000000000000 in ?? ()
rip	0x55555590fec9 <js::ToBooleanSlow(JS::Handle<JS::Value>)+313>
=> 0x55555590fec9 <js::ToBooleanSlow(JS::Handle<JS::Value>)+313>:	movl   $0x0,0x0
   0x55555590fed4 <js::ToBooleanSlow(JS::Handle<JS::Value>)+324>:	ud2

Marking s-s because this assert/crash pattern can indicate a type confusion in some cases.

Type: task → defect

I am looking at this.

Here's a slightly reduced testcase:

bar = function(a) {
    try {
        toString(a);
    } catch (exc) {}
}
enableShellAllocationMetadataBuilder();
var appendToActual = function(s) {
    actual += s + ',';
}
actual = '';
var f20 = function() {
    var p71 = 100000;
    function g48() {
        for (var i69 = 0; i69 < 5; ++i69) {
            appendToActual(p71);
        }
    }
    return g48;
}
var g48 = f20();
while (true) {
    bar(f20(6)) && true;
    g48();
}

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3c3b12e8c597
user: Jan de Mooij
date: Tue Jul 30 15:10:22 2019 +0300
summary: Bug 1567438 part 8 - Change Ion bailouts to resume in the interpreter instead of JIT. r=tcampbell CLOSED TREE

Since Iain is looking at this, Iain, is bug 1567438 a likely regressor?

Flags: needinfo?(iireland)
Regressed by: 1567438

Yes, that is an extremely likely regressor. I'd be surprised to see anything else.

Flags: needinfo?(iireland)
Flags: needinfo?(jdemooij)

In emitArgumentTypeChecks there's usually no return value set on the frame,
except when we do a prologue bailout from Ion.

The patch changes emitArgumentTypeChecks to use the frame's scratch value slot
for both nargs and the argument index.

Test is based on the test in bug 1571167 (it's hard to write a pretty test for
this bug).

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Priority: -- → P1
Keywords: sec-high
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security-release
Has Regression Range: --- → yes
Keywords: bugmon