Closed Bug 1707535 Opened 4 years ago Closed 4 years ago

Assertion failure: end == out.get(), at vm/StringType.cpp:493

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1707422
Tracking Status
firefox90 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20210421-683c2a81d1a3 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):

// A separate global (its own compartment) into which the testcase source is evaluated.
primarySandbox = newGlobal();
function tryItOut(code) {
  try { evaluate(code, { global: primarySandbox }); } catch (e) {}
}
// The completion value of the evaluated script (the rope string built by `s0 + ''`) is
// returned from evaluate() and wrapped into the caller's compartment; the backtrace below
// shows the assertion firing while JS::Compartment::wrap copies that rope's Latin-1 chars.
tryItOut(`
  g1 = this;
  a = [];
  o = s2 = '';
  e2 = new Set;
  for (w of [,,NaN,,NaN,,,,,,,,NaN,,,,,,,NaN,NaN,,NaN,NaN,1])
    s2 += 'x';
  s = Array.prototype.join.call(a, g1.s2);
  Object.defineProperty(this, 'a0', {
    get: function() { return [(void 0), (void 0), 1]; }
  });
  Array.prototype.forEach.apply(a0, [
    (function(j) {
      s0 = 'x';
      s2 += 'x';
    })
  ]);
  s0 += s2;
  s2 += 1;
  e2.has(s2);
  s0 + '';
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556fb363d in mozilla::UniquePtr<unsigned char [], JS::FreePolicy> JSRope::copyCharsInternal<unsigned char>(JSContext*, unsigned long) const ()
#1  0x0000555556fb3251 in JSRope::copyLatin1Chars(JSContext*, unsigned long) const ()
#2  0x0000555556d394f5 in JS::Compartment::wrap(JSContext*, JS::MutableHandle<JSString*>) ()
#3  0x0000555556a165f7 in JS::Compartment::wrap(JSContext*, JS::MutableHandle<JS::Value>) ()
#4  0x000055555716f529 in JS_WrapValue(JSContext*, JS::MutableHandle<JS::Value>) ()
#5  0x0000555556a1c720 in Evaluate(JSContext*, unsigned int, JS::Value*) ()
#6  0x0000555556b8c881 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#18 0x00005555569fa93f in main ()
rip	0x555556fb363d <mozilla::UniquePtr<unsigned char [], JS::FreePolicy> JSRope::copyCharsInternal<unsigned char>(JSContext*, unsigned long) const+989>
=> 0x555556fb363d <_ZNK6JSRope17copyCharsInternalIhEEN7mozilla9UniquePtrIA_T_N2JS10FreePolicyEEEP9JSContextm+989>:	movl   $0x1ed,0x0
   0x555556fb3648 <_ZNK6JSRope17copyCharsInternalIhEEN7mozilla9UniquePtrIA_T_N2JS10FreePolicyEEEP9JSContextm+1000>:	callq  0x555556a853ae <abort>
Attached file Testcase

Jon, could you check if this is a dup of bug 1707422? Thanks!

Flags: needinfo?(jcoppeard)

Yes, it's a dupe.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE

Bugmon Analysis:
No valid actions for resolution (DUPLICATE)
The bug appears to have been fixed in the following build range:

Start: f96778ffc62746447bdaabd136d187637786f931 (20210426112245)
End: 87457b5402670d2288c4b2dee515a0f397d7b280 (20210426114015)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f96778ffc62746447bdaabd136d187637786f931&tochange=87457b5402670d2288c4b2dee515a0f397d7b280
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected]
Group: javascript-core-security