Assertion failure: !env->hasUncacheableProto(), at jit/CacheIR.cpp:2821 with evalcx
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox84 | --- | unaffected |
| firefox85 | --- | unaffected |
| firefox86 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20210108-1c7597ab79cc (build with --enable-debug, run with --fuzzing-safe --no-threads --baseline-warmup-threshold=0):
evalcx(`
a2 = [];
Array.prototype.push.apply(a2,[0])
a2.forEach(function(){ this.__proto__ = WeakMap; });
(function(){ d = eval(''); })();
`)
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555577636fb in js::jit::BindNameIRGenerator::tryAttachEnvironmentName(js::jit::ObjOperandId, JS::Handle<JS::PropertyKey>) ()
#0 0x00005555577636fb in js::jit::BindNameIRGenerator::tryAttachEnvironmentName(js::jit::ObjOperandId, JS::Handle<JS::PropertyKey>) ()
#1 0x000055555776290c in js::jit::BindNameIRGenerator::tryAttachStub() ()
#2 0x00005555575b495b in js::jit::DoBindNameFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICBindName_Fallback*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#3 0x0000237def012f1f in ?? ()
[...]
rax 0x55555583ce6e 93824995282542
rbx 0x7fffffffa0a0 140737488330912
rcx 0x555557fef398 93825036907416
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffa070 140737488330864
rsp 0x7fffffff9ff0 140737488330736
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f998c0 140737353717952
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0xaaaaaaaaaaaaaaaa -6148914691236517206
r13 0x555557f6d970 93825036376432
r14 0x0 0
r15 0x7fffffffa160 140737488331104
rip 0x5555577636fb <js::jit::BindNameIRGenerator::tryAttachEnvironmentName(js::jit::ObjOperandId, JS::Handle<JS::PropertyKey>)+2043>
=> 0x5555577636fb <_ZN2js3jit19BindNameIRGenerator24tryAttachEnvironmentNameENS0_12ObjOperandIdEN2JS6HandleINS3_11PropertyKeyEEE+2043>: movl $0xb05,0x0
0x555557763706 <_ZN2js3jit19BindNameIRGenerator24tryAttachEnvironmentNameENS0_12ObjOperandIdEN2JS6HandleINS3_11PropertyKeyEEE+2054>: callq 0x555556a96f00 <abort>
Marking s-s until investigated, as this is a JIT assertion.
|
Reporter | |
Comment 1•3 years ago
|
||
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 3•3 years ago
|
||
Not security sensitive: normally the global object has an immutable prototype (but evalcx doesn't do that), and the assertion is unnecessary because we only care about 'own' properties.
|
|
Reporter | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 4•3 years ago
|
||
This lets us write a test that uses newGlobal instead of the more weird evalcx the
fuzzers like to use.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 5•3 years ago
|
||
This was exposed by bug 1682767 part 36: since that change we treat the global
as any other object in SetProto (instead of splicing its prototype there), so the
global can now also have the UNCACHEABLE_PROTO flag. This doesn't matter in practice
because in the browser the global has an immutable prototype anyway.
For GetName we only handle own properties so we don't care about a mutated prototype.
Looking at hg history, the assertion was added when porting the code to CacheIR
but there's not a good reason for it.
BindName always stops at (and then returns) the global irrespective of what's on it.
The assertion here was likely copied from the similar GetName code.
Depends on D101171
|
||
Comment 6•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210108094818-2405ffdc136d.
The bug appears to have been introduced in the following build range:
Start: 80a1b997d77e48ae147662f2d341f2732801502a (20210107152347)
End: a5bfda24c62749b60708e04d35ab30df5924d10a (20210107153026)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=80a1b997d77e48ae147662f2d341f2732801502a&tochange=a5bfda24c62749b60708e04d35ab30df5924d10a
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b5a6e5dde811 part 1 - Add an immutablePrototype option to newGlobal. r=iain https://hg.mozilla.org/integration/autoland/rev/9c06c20f078e part 2 - Remove some unnecessary hasUncacheableProto asserts. r=iain
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/b5a6e5dde811
https://hg.mozilla.org/mozilla-central/rev/9c06c20f078e
|
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210111215143-c6d819bd39da.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Description
•