Closed Bug 1678442 Opened 4 years ago Closed 3 years ago

Assertion failure: (data_ & TagMask) == Tag, at vm/JSScript.h:1263

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
85 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox83 --- unaffected
firefox84 --- unaffected
firefox85 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Testcase
177 bytes, text/plain
Details
Bug 1678442 part 1 - Use stronger assertion in JSFunction::nonLazyScript. r?tcampbell!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1678442 part 2 - Guard against this-creation relazifying the callee. r?tcampbell!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20201118-9d797387f57c (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

function y() {}
function x() {}
Reflect.construct(x, [y.toSource.toSource],
 Object.defineProperty(function(){}.bind(), "prototype", {
  get() {
    relazifyFunctions()
  }
}));

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555557961cd9 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#0  0x0000555557961cd9 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#1  0x0000555556b8f19e in Interpret(JSContext*, js::RunState&) ()
#2  0x0000555556b85b68 in js::RunScript(JSContext*, js::RunState&) ()
#3  0x0000555556b9c513 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#4  0x0000555556b9cc2d in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#5  0x0000555556d4e615 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#6  0x0000555556d4e7f2 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#7  0x0000555556a68ef7 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#8  0x0000555556a685d9 in Process(JSContext*, char const*, bool, FileKind) ()
#9  0x0000555556a0a86f in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#10 0x0000555556a02e1c in main ()
rax	0x55555574cd92	93824994299282
rbx	0x7ffff6024000	140737320730624
rcx	0x555557fe0ea8	93825036848808
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffbb60	140737488337760
rsp	0x7fffffffb820	140737488336928
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f998c0	140737353717952
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x2	2
r13	0x1e893109a0b0	33574582067376
r14	0x3ce3bbede670	66948808173168
r15	0x7fffffffc000	140737488338944
rip	0x555557961cd9 <js::jit::MaybeEnterJit(JSContext*, js::RunState&)+2601>
=> 0x555557961cd9 <_ZN2js3jit13MaybeEnterJitEP9JSContextRNS_8RunStateE+2601>:	movl   $0x4ef,0x0
   0x555557961ce4 <_ZN2js3jit13MaybeEnterJitEP9JSContextRNS_8RunStateE+2612>:	callq  0x555556a923a6 <abort>

Not sure about the implications of this but the assertion doesn't look good, so marking s-s until triaged.

Attached file Testcase 

    
    

    
  
Bugmon Analysis:

Verified bug as reproducible on mozilla-central 20201119214432-b703fa5c3d16.

The bug appears to have been introduced in the following build range:




Start: 17ecebdc6d8b5b4b8fb4e20392f6380928207a14 (20201116134131)

End: cb856cdf7a0c46c463dac3fbf57c81d55afff66e (20201116140333)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=17ecebdc6d8b5b4b8fb4e20392f6380928207a14&tochange=cb856cdf7a0c46c463dac3fbf57c81d55afff66e




Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

    
    

    
  
Looking into this..


Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

    
    

    
  
This is limited to the relazifyFunctions testing function. Normally we don't allow relazifying in active compartments, but relazifyFunctions lifts that restriction for testing, triggering the bug here.


Group: javascript-core-security

    
    

    
  


  
TI code used to delazify as part of this-creation and removing that code exposed this.

It's only an issue when the testing function is used and only affects the C++

interpreter.


Drive-by change: remove some dead code in CacheIR.cpp


Depends on D97744



    
    

    
  
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/827e5e9015f9
part 1 - Use stronger assertion in JSFunction::nonLazyScript. r=tcampbell
https://hg.mozilla.org/integration/autoland/rev/bb1d6e149c11
part 2 - Guard against this-creation relazifying the callee. r=tcampbell

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/827e5e9015f9

https://hg.mozilla.org/mozilla-central/rev/bb1d6e149c11


Status: ASSIGNED → RESOLVED
Closed: 3 years ago

          status-firefox85:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch

          status-firefox83:
          --- → unaffected

          status-firefox84:
          --- → wontfix

          status-firefox-esr78:
          --- → unaffected
Flags: in-testsuite+
Regressed by: 1673553

    
  
Has Regression Range: --- → yes

    
    

    
  
Bugmon Analysis:

Verified bug as fixed on rev mozilla-central 20201130215246-d9b010547747.

Removing bugmon keyword as no further action possible.

Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox85:
          fixedverified
Keywords: bugmon

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: