Assertion failure: (data_ & TagMask) == Tag, at vm/JSScript.h:1263
Categories
(Core :: JavaScript Engine, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox83 | --- | unaffected
firefox84 | --- | unaffected
firefox85 | --- | verified
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20201118-9d797387f57c (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
function y() {}
function x() {}
// relazifyFunctions() is a JS shell testing function; the getter runs while
// x is being constructed, before its body executes.
Reflect.construct(x, [y.toSource.toSource],
  Object.defineProperty(function(){}.bind(), "prototype", {
    get() {
      relazifyFunctions()
    }
  }));
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555557961cd9 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#0 0x0000555557961cd9 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#1 0x0000555556b8f19e in Interpret(JSContext*, js::RunState&) ()
#2 0x0000555556b85b68 in js::RunScript(JSContext*, js::RunState&) ()
#3 0x0000555556b9c513 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#4 0x0000555556b9cc2d in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#5 0x0000555556d4e615 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#6 0x0000555556d4e7f2 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#7 0x0000555556a68ef7 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#8 0x0000555556a685d9 in Process(JSContext*, char const*, bool, FileKind) ()
#9 0x0000555556a0a86f in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#10 0x0000555556a02e1c in main ()
rax 0x55555574cd92 93824994299282
rbx 0x7ffff6024000 140737320730624
rcx 0x555557fe0ea8 93825036848808
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffbb60 140737488337760
rsp 0x7fffffffb820 140737488336928
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f998c0 140737353717952
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x2 2
r13 0x1e893109a0b0 33574582067376
r14 0x3ce3bbede670 66948808173168
r15 0x7fffffffc000 140737488338944
rip 0x555557961cd9 <js::jit::MaybeEnterJit(JSContext*, js::RunState&)+2601>
=> 0x555557961cd9 <_ZN2js3jit13MaybeEnterJitEP9JSContextRNS_8RunStateE+2601>: movl $0x4ef,0x0
0x555557961ce4 <_ZN2js3jit13MaybeEnterJitEP9JSContextRNS_8RunStateE+2612>: callq 0x555556a923a6 <abort>
Not sure about the implications of this but the assertion doesn't look good, so marking s-s until triaged.
Comment 1•4 years ago (Reporter)
Comment 2•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201119214432-b703fa5c3d16.
The bug appears to have been introduced in the following build range:
Start: 17ecebdc6d8b5b4b8fb4e20392f6380928207a14 (20201116134131)
End: cb856cdf7a0c46c463dac3fbf57c81d55afff66e (20201116140333)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=17ecebdc6d8b5b4b8fb4e20392f6380928207a14&tochange=cb856cdf7a0c46c463dac3fbf57c81d55afff66e
Comment 3•4 years ago (Assignee)
Looking into this...
Comment 4•4 years ago (Assignee)
This is limited to the relazifyFunctions testing function. Normally we don't allow relazifying in active compartments, but relazifyFunctions lifts that restriction for testing, triggering the bug here.
Comment 5•4 years ago (Assignee)
Comment 6•4 years ago (Assignee)
TI code used to delazify as part of this-creation and removing that code exposed this. It's only an issue when the testing function is used and only affects the C++ interpreter.
Drive-by change: remove some dead code in CacheIR.cpp
Depends on D97744
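Added illustration, not part of the bug report or of the SpiderMonkey patches: plain JavaScript that runs in any engine and shows the this-creation window the testcase relies on. The names Target, newTarget and custom are chosen here for the example. It cannot call relazifyFunctions(), which is a js shell testing function; it only shows that a `prototype` getter on a bound newTarget runs after the callee has been selected and before the callee body executes, which is the point at which the testcase relazifies the callee.

```javascript
// Added example (illustrative names), not from the bug report.
// Spec order for an ordinary function's [[Construct]]: the engine first reads
// newTarget.prototype (OrdinaryCreateFromConstructor) to create `this`, and
// only then evaluates the callee body. A getter on that property is therefore
// invoked with the callee already chosen but not yet running.
function traceConstruct() {
  const events = [];
  const custom = { tag: "custom" }; // prototype the getter hands back
  function Target() {
    events.push("target body");
    events.push(new.target === newTarget ? "new.target is bound fn" : "new.target other");
  }
  // A bound function has no own `prototype`; install an accessor on it,
  // exactly as the testcase does.
  const newTarget = (function () {}).bind();
  Object.defineProperty(newTarget, "prototype", {
    get() {
      events.push("prototype getter");
      return custom;
    },
  });
  const obj = Reflect.construct(Target, [], newTarget);
  return { events, usedCustomProto: Object.getPrototypeOf(obj) === custom };
}

// Caveat: `new bound()` does NOT reach the getter. A bound function's
// [[Construct]] replaces newTarget with the bound target when the two are the
// same object, so `prototype` is read from the target, not from the wrapper.
// The accessor is only consulted when the bound function is passed to
// Reflect.construct as a newTarget distinct from the target being constructed.
function directNewSkipsGetter() {
  let getterCalls = 0;
  const bound = (function () {}).bind();
  Object.defineProperty(bound, "prototype", {
    get() {
      getterCalls++;
      return {};
    },
  });
  new bound();
  return getterCalls;
}
```

traceConstruct().events comes back as "prototype getter", "target body", "new.target is bound fn", and directNewSkipsGetter() returns 0; that ordering difference is why the testcase goes through Reflect.construct with the bound function as a separate newTarget rather than calling `new` on it.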
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/827e5e9015f9
part 1 - Use stronger assertion in JSFunction::nonLazyScript. r=tcampbell
https://hg.mozilla.org/integration/autoland/rev/bb1d6e149c11
part 2 - Guard against this-creation relazifying the callee. r=tcampbell
Comment 8•3 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/827e5e9015f9
https://hg.mozilla.org/mozilla-central/rev/bb1d6e149c11
Comment 9•3 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201130215246-d9b010547747.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.