Closed Bug 1604792 Opened 5 years ago Closed 5 years ago

Assertion failure: (lazy & MatchedFlagsMask) == (nonLazy & MatchedFlagsMask), at frontend/BytecodeCompiler.cpp:977

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla73
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- unaffected
firefox73 --- fixed

People

(Reporter: decoder, Assigned: tcampbell)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20191217-83fc8cf83221 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

// Module source: a derived-class constructor whose direct eval creates an
// arrow function. The arrow is compiled lazily, and delazifying it when it is
// called is where the assertion fires (see CompileLazyFunction in the trace).
var lfLogBuffer = `
class TestEvalArrow extends class {} {
    constructor() {
      eval("(() => this)()");
    }
}
new TestEvalArrow();
`;
// SpiderMonkey shell builtins: parse with the module goal, link, then run.
let lfMod = parseModule(lfLogBuffer);
lfMod.declarationInstantiation();
lfMod.evaluation();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555561774e3 in js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long) ()
#0  0x00005555561774e3 in js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long) ()
#1  0x0000555555c1124a in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#2  0x00005555557b0c2e in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#3  0x00005555558dfe3f in Interpret(JSContext*, js::RunState&) ()
#4  0x00005555558d5711 in js::RunScript(JSContext*, js::RunState&) ()
#5  0x00005555558edd75 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) ()
#6  0x0000555555953990 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) ()
#7  0x0000555555954be1 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#8  0x00005555558df494 in Interpret(JSContext*, js::RunState&) ()
#9  0x00005555558d5711 in js::RunScript(JSContext*, js::RunState&) ()
#10 0x00005555558edd75 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) ()
#11 0x00005555558ee3cd in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) ()
#12 0x00005555559948f4 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) ()
#13 0x0000555555d53d80 in intrinsic_ExecuteModule(JSContext*, unsigned int, JS::Value*) ()
#14 0x00005555558eb6e2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#25 0x000055555576ec31 in main ()
rax	0x555556f20e89	93825019285129
rbx	0x7fffffff92f0	140737488327408
rcx	0x555557ef8838	93825035896888
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffff9fd0	140737488330704
rsp	0x7fffffff91a0	140737488327072
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f98d00	140737353714944
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x7ffff4900020	140737296465952
r13	0x0	0
r14	0x7fffffff93d0	140737488327632
r15	0x7fffffffa070	140737488330864
rip	0x5555561774e3 <js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long)+3923>
=> 0x5555561774e3 <_ZN2js8frontend19CompileLazyFunctionEP9JSContextN2JS6HandleIPNS_10LazyScriptEEEPKDsm+3923>:	movl   $0x3d1,0x0
   0x5555561774ee <_ZN2js8frontend19CompileLazyFunctionEP9JSContextN2JS6HandleIPNS_10LazyScriptEEEPKDsm+3934>:	callq  0x5555557f345e <abort>

Marking s-s until investigated.

Assignee: nobody → tcampbell

Eval scripts inside modules should still be considered non-module code. Checking the scope chain was the wrong way to determine whether we are in a module. I'll fix how the flag is computed.

(Note the assert was added a few hours later in Bug 1604064)
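The distinction the comment above relies on, shown at the language level. This is an added example, not code from the bug report or from the SpiderMonkey tree, and it does not touch the internal flag itself: it checks the two observable consequences of eval text always being parsed with the Script goal, namely that module-only syntax is a SyntaxError inside eval wherever the eval sits, and that an arrow created inside a direct eval in a constructor sees the constructor's `this`. Unlike the reporter's fuzzer testcase, the constructor below calls `super()` first; the original omits it because the assertion fires during delazification, before the ReferenceError for touching `this` before `super()` would ever be reached.

```javascript
// Added example (not from the bug or from SpiderMonkey). Eval text is parsed
// with the Script goal even when the eval runs inside a module or a class body,
// so the parser must not treat the resulting functions as module code.

// 1. Module-only syntax is rejected inside eval regardless of context.
//    Indirect eval is used so the result does not depend on this file's scope.
function evalRejectsModuleSyntax(src) {
  try {
    (0, eval)(src);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// 2. The shape of the reporter's testcase: an arrow function created by a
//    direct eval inside a derived-class constructor. The arrow is compiled
//    lazily and only delazified when it is first called; its `this` is the
//    constructor's `this`, i.e. the instance under construction.
function arrowThisInEval() {
  let seen;
  class TestEvalArrow extends class {} {
    constructor() {
      super(); // required before `this` is usable; the fuzzer testcase omits it
      seen = eval("(() => this)()");
    }
  }
  const inst = new TestEvalArrow();
  return seen === inst;
}
```

Running `evalRejectsModuleSyntax("import.meta")` returns true and `arrowThisInEval()` returns true in any current engine; the fixed SpiderMonkey additionally keeps its internal module-goal bookkeeping consistent on the lazy and non-lazy script for the arrow, which is what the assertion at BytecodeCompiler.cpp:977 was checking.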

Regressed by: 1602222
Has Regression Range: --- → yes
See Also: → 1604064

Clearing s-s. The flag is only computed wrong after the script is compiled, and then it isn't checked. It is still a footgun, which is why the assert was added.

Group: javascript-core-security
Priority: -- → P1

Since this flag is preserved on LazyScript, it is useful to track it on
SharedContext and initialize it consistently on lazy and non-lazy scripts.
This patch removes the plumbing of passing the ParseGoal through the parser
class hierarchy.

Fix an inconsistency where delazified functions inside evals inside modules
would think they came from a module. This trips an assert but the value is
otherwise never used (and was only added a few days ago).

Depends on D57661

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/49838d2097df
Move parseGoal from Parser to SharedContext. r=mgaudet
https://hg.mozilla.org/integration/autoland/rev/d6f23cb5c8a1
Fix HasModuleGoal flag for JSScripts. r=mgaudet
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73