Closed Bug 1602390 Opened 4 years ago Closed 4 years ago

Assertion failure: numValueSlots >= frame->script()->nfixed(), at js/src/jit/JitFrames.cpp:299

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla73
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- unaffected
firefox73 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 053b0bb00fed (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --without-intl-api --enable-debug --enable-optimize, run with --fuzzing-safe --ion-osr=off --ion-offthread-compile=off):

function canIoncompile() {
  // Function body starts with a while loop, so the script begins with JSOP_LOOPHEAD.
  while (true) {
    // Unbounded recursion: eventually the call fails in the callee's prologue.
    var r = canIoncompile();
  }
}
if (canIoncompile() != true)
  function p() {}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::BaselineTryNoteFilter::operator() (this=<optimized out>, note=0x7ffff5f5e664) at js/src/jit/JitFrames.cpp:299
#1  0x00005555566cbeb8 in js::TryNoteIter<js::jit::BaselineTryNoteFilter>::settle (this=0x7fffffdfdab0) at js/src/vm/Interpreter.h:427
#2  0x00005555566bf543 in js::jit::TryNoteIterBaseline::TryNoteIterBaseline (this=0x7ffff5f24030, cx=<optimized out>, frame=..., pc=0x7ffff5f5e621 "m\001") at js/src/jit/JitFrames.cpp:310
#3  js::jit::ProcessTryNotesBaseline (cx=<optimized out>, frame=..., ei=..., rfe=<optimized out>, pc=<optimized out>) at js/src/jit/JitFrames.cpp:345
#4  js::jit::HandleExceptionBaseline (cx=<optimized out>, frame=..., prevFrame=<optimized out>, rfe=<optimized out>) at js/src/jit/JitFrames.cpp:515
#5  js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:685
#6  0x00003fc8af6ef336 in ?? ()
[...]
#21 0x0000000000000000 in ?? ()
rax	0x555556f26b10	93825019308816
rbx	0x7fffffdfdbf8	140737486248952
rcx	0x5555574b8d00	93825025150208
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffdfd550	140737486247248
rsp	0x7fffffdfd530	140737486247216
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffdfdba8	140737486248872
r13	0x7ffff5f24000	140737319682048
r14	0x7ffff5f5e664	140737319921252
r15	0x0	0
rip	0x5555566cc07c <js::jit::BaselineTryNoteFilter::operator()(JSTryNote const*)+348>
=> 0x5555566cc07c <js::jit::BaselineTryNoteFilter::operator()(JSTryNote const*)+348>:	movl   $0x12b,0x0
   0x5555566cc087 <js::jit::BaselineTryNoteFilter::operator()(JSTryNote const*)+359>:	callq  0x5555559345f0 <abort()>

So far it looks like this only reproduces with --ion-osr=off; marking s-s anyway until we have confirmed that this cannot happen with OSR turned on (which is the default).

Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Regressed by: 1598548
Has Regression Range: --- → yes

Scripts can now start with a JSOP_LOOPHEAD and the JSTRY_LOOP note for that confused BaselineTryNoteFilter when we throw an exception in the prologue. This is harmless because it ignores JSTRY_LOOP notes anyway.

Group: javascript-core-security

Since bug 1598548 scripts can start with a JSOP_LOOPHEAD, for while-loops.
(do-while loops always start with a JSOP_NOP for the debugger.)

Priority: -- → P2
Attachment #9114550 - Attachment description: Bug 1602390 - Fix a loop try-note edge case in BaselineTryNoteFilter. r?tcampbell! → Bug 1602390 - Ensure scripts do not start with a JSOP_LOOPHEAD. r?tcampbell!
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
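The following is a simplified model of the mechanism described in the comments above (a JSTRY_LOOP note that starts at offset 0 because the script begins with JSOP_LOOPHEAD, consulted by the try-note filter while an exception is thrown in the prologue, before the frame holds its fixed slots). It is an added example, not SpiderMonkey code: the try-note layout, the frame fields, the order of the checks inside the filter and the effect of a leading JSOP_NOP are assumptions made to illustrate the bug and the landed fix, and all sample values are constructed.

```cpp
#include <cstdint>
#include <vector>

// Simplified model, written for this bug page, of how a try-note iterator
// consults a Baseline try-note filter. It is NOT SpiderMonkey code; the note
// layout, the frame fields and the order of the checks are assumptions made
// to illustrate the mechanism described in the bug comments.

enum class TryNoteKind { Catch, Finally, Loop };

struct TryNote {
  TryNoteKind kind;
  uint32_t start;   // first bytecode offset the note covers
  uint32_t length;  // number of bytecode bytes covered
};

struct BaselineFrame {
  uint32_t numValueSlots;  // value slots pushed so far (0 while still in the prologue)
  uint32_t nfixed;         // fixed slots the script needs once the prologue has run
};

enum class FilterResult { Accept, Reject, AssertionFailure };

// Assumed shape of the pre-fix filter: it first asserts that the frame already
// holds all fixed slots, and only afterwards discards loop notes (which are of
// no interest when unwinding for an exception). A loop note that covers a
// prologue pc therefore reaches the assertion even though it would be ignored.
FilterResult filterNote(const BaselineFrame& frame, const TryNote& note) {
  if (frame.numValueSlots < frame.nfixed) {
    return FilterResult::AssertionFailure;  // models the assertion at JitFrames.cpp:299
  }
  if (note.kind == TryNoteKind::Loop) {
    return FilterResult::Reject;
  }
  return FilterResult::Accept;
}

bool pcInRange(const TryNote& note, uint32_t pc) {
  return pc >= note.start && pc < note.start + note.length;
}

// Models the iterator's settle step: run the filter over every note covering
// pc and report the first note it accepts, or the assertion failure if one trips.
FilterResult settle(const std::vector<TryNote>& notes,
                    const BaselineFrame& frame, uint32_t pc) {
  for (const TryNote& note : notes) {
    if (!pcInRange(note, pc)) {
      continue;
    }
    FilterResult r = filterNote(frame, note);
    if (r != FilterResult::Reject) {
      return r;
    }
  }
  return FilterResult::Reject;  // no handler here: keep unwinding
}

// Try notes for a script whose body is just `while (true) { ... }`.
// With leadingNop == false the JSTRY_LOOP note starts at offset 0 (the script
// begins with JSOP_LOOPHEAD, the state introduced by bug 1598548). With
// leadingNop == true a JSOP_NOP precedes the loop head, as do-while loops
// already emit and as the landed fix ensures, so the note starts at offset 1.
std::vector<TryNote> notesForLeadingWhileLoop(bool leadingNop, uint32_t loopLength) {
  uint32_t loopStart = leadingNop ? 1 : 0;
  return {TryNote{TryNoteKind::Loop, loopStart, loopLength}};
}

// Exception thrown in the prologue: pc is the script's first offset and no
// value slots have been pushed yet.
FilterResult prologueThrowOutcome(bool leadingNop) {
  BaselineFrame frame{0, 1};  // constructed: one fixed slot (`r`), none pushed yet
  return settle(notesForLeadingWhileLoop(leadingNop, 16), frame, 0);
}

// Same script, but the exception happens inside the loop body after the
// prologue has pushed the fixed slots: the loop note is simply ignored.
FilterResult loopBodyThrowOutcome(bool leadingNop) {
  BaselineFrame frame{1, 1};
  return settle(notesForLeadingWhileLoop(leadingNop, 16), frame, 4);
}

// A try/catch reached after the prologue is the case the filter exists for.
FilterResult catchBlockThrowOutcome() {
  std::vector<TryNote> notes = {TryNote{TryNoteKind::Catch, 2, 10}};
  BaselineFrame frame{1, 1};
  return settle(notes, frame, 5);
}
```

In this model `prologueThrowOutcome(false)` reproduces the reported assertion, while `prologueThrowOutcome(true)` (leading JSOP_NOP, the shape of the landed fix) never consults the filter for the prologue pc because no note covers offset 0; once the fixed slots are present, loop notes are rejected and catch notes accepted regardless of the leading opcode.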
