Closed Bug 1598456 Opened 11 months ago Closed 11 months ago

Crash [@ js::ToBooleanSlow] or Assertion failure: v.isObject(), at js/src/builtin/Boolean.cpp:155

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla72
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: gkw, Assigned: tcampbell)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 66531295716a (build with --enable-debug --disable-optimize, run with --fuzzing-safe --no-threads --ion-eager):

(function() {
    if (arguments) {}
})();

Backtrace:

#0  0x00005595b9156121 in js::ToBooleanSlow (v=...) at js/src/builtin/Boolean.cpp:155
#1  0x00005595b8f59817 in JS::ToBoolean (v=...) at /home/ubuntu/shell-cache/js-dbg-optDisabled-64-linux-x86_64-66531295716a/objdir-js/dist/include/js/Conversions.h:128
#2  0x00005595b9f1740f in js::jit::DoToBoolFallback (cx=0x7f4577b27000, frame=0x7ffc112e5148, stub=0x7f45779f0068, arg=..., ret=...) at js/src/jit/BaselineIC.cpp:1762
#3  0x00000dd3ad26f5cf in ?? ()
#4  0x00007ffc112e5188 in ?? ()
#5  0x00007ffc112e5108 in ?? ()
/snip

For detailed crash information, see attachment.

Setting s-s to be safe as weird memory addresses seem to be on the opt stack.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/03783d54b398
user: Jan de Mooij
date: Wed Nov 20 17:03:29 2019 +0000
summary: Bug 1595476 part 3 - Rewrite and simplify control flow logic in Ion for bytecode -> MIR compilation. r=tcampbell

Jan, is bug 1595476 a likely regressor?

Crash Signature: [@ js::ToBooleanSlow]
Flags: needinfo?(jdemooij)

Taking a look.

We are leaking the OPTIMIZED_ARGUMENTS Value to the ToBool operator due to argumentsContentsObserved being false. We are missing a use-def link from the arguments value to the test instruction in the new CFG code.

Assignee: nobody → tcampbell
Flags: needinfo?(jdemooij)

The JSOP_EQ handling in the new CFG code has an optimization when the jump target is the same as the fallthrough. It sets the argument as implicitly used and emits similar to a goto. The bug is that the arguments analysis patch never checked for implicit uses. This is an existing bug, but I'm not sure if we could trigger it before.
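The analysis gap described in the comment above, as an added toy model written for this page (it is not SpiderMonkey's code; the `Def` class, `lower_test`, the `can_stay_lazy_*` checkers and the `MAGIC_OPTIMIZED_ARGUMENTS` sentinel are assumed stand-ins for Ion's MIR, its branch lowering, the arguments analysis and the magic value). The buggy checker looks only at explicit uses, so an operand whose only consumer was folded into a goto looks unused and the placeholder value reaches the boolean conversion; the fixed checker treats an implicit use as observing the value, and the test runs both against the `if (arguments) {}` shape from the testcase and against a branch with distinct targets, where the explicit test use is caught either way.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Uses that may read the lazy (unmaterialized) arguments value directly.
SAFE_USES = {"getelem", "length"}

# Constructed sentinel standing in for the OPTIMIZED_ARGUMENTS magic value.
MAGIC_OPTIMIZED_ARGUMENTS = object()


@dataclass
class Def:
    """A value definition in a toy SSA graph (assumed model, not Ion's MIR)."""
    name: str
    uses: List[str] = field(default_factory=list)  # explicit consumers
    implicitly_used: bool = False                   # consumer folded away during lowering


def lower_test(operand: Def, jump_target: int, fallthrough: int) -> str:
    """Model of lowering a conditional jump on `operand`. When the jump
    target is the same block as the fallthrough, the branch is emitted as a
    goto and the operand is only flagged as implicitly used; otherwise an
    explicit test consumer is recorded."""
    if jump_target == fallthrough:
        operand.implicitly_used = True
        return "goto"
    operand.uses.append("test")
    return "test"


def can_stay_lazy_buggy(d: Def) -> bool:
    # Inspects explicit uses only. With no explicit uses the check is
    # vacuously true, so the magic placeholder is left in place.
    return all(u in SAFE_USES for u in d.uses)


def can_stay_lazy_fixed(d: Def) -> bool:
    # An implicit use means some consumer observes the value, so it
    # must be materialized regardless of what the explicit uses say.
    if d.implicitly_used:
        return False
    return all(u in SAFE_USES for u in d.uses)


def to_boolean(value) -> bool:
    """Model of the runtime conversion: a magic value must never get here."""
    if value is MAGIC_OPTIMIZED_ARGUMENTS:
        raise AssertionError("v.isObject() failed: magic value reached ToBoolean")
    return bool(value)


def compile_and_run(checker: Callable[[Def], bool], jump_target: int, fallthrough: int) -> str:
    """Compile `if (arguments) {}` with the given analysis and run it.
    Returns "ok" or the assertion message."""
    args = Def("arguments")
    lower_test(args, jump_target, fallthrough)
    # If the analysis says the value can stay lazy, the magic placeholder is
    # what the branch sees at run time; otherwise a real object is created.
    runtime_value = MAGIC_OPTIMIZED_ARGUMENTS if checker(args) else {"length": 0}
    try:
        to_boolean(runtime_value)
    except AssertionError as e:
        return str(e)
    return "ok"


if __name__ == "__main__":
    # Empty then-block: jump target and fallthrough are the same block (1).
    print("buggy:", compile_and_run(can_stay_lazy_buggy, 1, 1))
    print("fixed:", compile_and_run(can_stay_lazy_fixed, 1, 1))
```

The point of the model is the vacuous `all(...)` over an empty use list: an analysis that enumerates explicit def-use edges silently approves any value whose consumers were optimized away earlier in the pipeline, which is why the fix has to consult the implicit-use flag that the lowering step sets.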

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)

Pernosco link:

https://pernos.co/debug/OXRh5fBBB9BZ3dMNtw-8vA/index.html

I used this to successfully track down the issue!

This was a nightly-only bug introduced in last few days so I have landed to autoland with the test case. No uplifts needed.

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 11 months ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Duplicate of this bug: 1598973
Group: core-security-release