Closed Bug 1598456 Opened 6 years ago Closed 6 years ago

Crash [@ js::ToBooleanSlow] or Assertion failure: v.isObject(), at js/src/builtin/Boolean.cpp:155

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: gkw, Assigned: tcampbell)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(3 files)

Detailed Crash Information
4.93 KB, text/plain
Details
Opt stack
1.39 KB, text/plain
Details
Bug 1598456 - Check for implicit uses in Ion ArgumentsAnalysis. r?jandem
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 66531295716a (build with --enable-debug --disable-optimize, run with --fuzzing-safe --no-threads --ion-eager):

(function() {
    if (arguments) {}
})();

Backtrace:

#0  0x00005595b9156121 in js::ToBooleanSlow (v=...) at js/src/builtin/Boolean.cpp:155
#1  0x00005595b8f59817 in JS::ToBoolean (v=...) at /home/ubuntu/shell-cache/js-dbg-optDisabled-64-linux-x86_64-66531295716a/objdir-js/dist/include/js/Conversions.h:128
#2  0x00005595b9f1740f in js::jit::DoToBoolFallback (cx=0x7f4577b27000, frame=0x7ffc112e5148, stub=0x7f45779f0068, arg=..., ret=...) at js/src/jit/BaselineIC.cpp:1762
#3  0x00000dd3ad26f5cf in ?? ()
#4  0x00007ffc112e5188 in ?? ()
#5  0x00007ffc112e5108 in ?? ()
/snip

For detailed crash information, see attachment.

Setting s-s to be safe as weird memory addresses seem to be on the opt stack.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/03783d54b398
user: Jan de Mooij
date: Wed Nov 20 17:03:29 2019 +0000
summary: Bug 1595476 part 3 - Rewrite and simplify control flow logic in Ion for bytecode -> MIR compilation. r=tcampbell

Jan, is bug 1595476 a likely regressor?

Crash Signature: [@ js::ToBooleanSlow]
Flags: needinfo?(jdemooij)

Taking a look.

We are leaking the OPTIMIZED_ARGUMENTS Value to the ToBool operator due to argumentsContentsObserved being false. We are missing a use-def link from the arguments value to the test instruction in the new CFG code.

Assignee: nobody → tcampbell
Flags: needinfo?(jdemooij)

The JSOP_EQ handling in the new CFG code has an optimization when the jump target is the same as the fallthrough. It sets the argument as implicitly used and emits similar to a goto. The bug is that the the arguments analysis patch never checked for implicit uses. This is an existing bug, but I'm not sure if we could trigger it before.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)

Pernosco link:

https://pernos.co/debug/OXRh5fBBB9BZ3dMNtw-8vA/index.html

I used this to successfully track down the issue!

This was a nightly-only bug introduced in last few days so I have landed to autoland with the test case. No uplifts needed.

status-firefox70: --- → unaffected
status-firefox71: --- → unaffected
status-firefox-esr68: --- → unaffected
status-thunderbird_esr60: --- → unaffected
status-thunderbird_esr68: --- → unaffected

https://hg.mozilla.org/mozilla-central/rev/b6b7862f1da1

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox72: affectedfixed
status-thunderbird_esr60: unaffected → ---
status-thunderbird_esr68: unaffected → ---
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: