Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at /js/src/vm/Interpreter.cpp:331
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox90 | --- | unaffected |
| firefox91 | --- | unaffected |
| firefox92 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20210731-e02e9a1e0b15 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --ion-warmup-threshold=0 test.js):
setJitCompilerOption("ion.forceinlineCaches", 1)
"".localeCompare()
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x57b941a8 in js::RunScript(JSContext*, js::RunState&) ()
#0 0x57b941a8 in js::RunScript(JSContext*, js::RunState&) ()
#1 0x57ba9e86 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#2 0x57baa466 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#3 0x57d6acd3 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#4 0x57d6ae7c in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#5 0x57f8f371 in JSRuntime::getSelfHostedValue(JSContext*, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#6 0x57e2c1a1 in js::GlobalObject::getIntrinsicValueSlow(JSContext*, JS::Handle<js::GlobalObject*>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#7 0x5862e649 in js::jit::GetIntrinsicValue(JSContext*, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#8 0x3e6ab463 in ?? ()
Backtrace stopped: Cannot access memory at address 0xffffff87
eax 0x56721ab6 1450318518
ebx 0x59073394 1493644180
ecx 0x59074d44 1493650756
edx 0xf7b4ccc7 -139146041
esi 0xf6911400 -158264320
edi 0xf6934000 -158121984
ebp 0xffc9e598 4291421592
esp 0xffc9e530 4291421488
eip 0x57b941a8 <js::RunScript(JSContext*, js::RunState&)+1128>
=> 0x57b941a8 <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+1128>: movl $0x14b,0x0
0x57b941b2 <_ZN2js9RunScriptEP9JSContextRNS_8RunStateE+1138>: call 0x57aaab1a <abort>
This is a highly frequent fuzzblocker.
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 4•3 years ago
|
||
This fixes an assertion failure now that GetIntrinsicValue can execute the
self-hosted top-level script.
Code emitted for MCallGetIntrinsicValue is not executed at all on the typical
JS shell benchmarks. When running jit-tests with the default flags, just a single
test (that modifies warm-up thresholds) exercises it. This suggests the fix is
unlikely to affect performance.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 5•3 years ago
|
||
I looked at this fuzzblocker since today is a holiday in Canada.
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e55093498ff9 Don't override MCallGetIntrinsicValue alias set. r=tcampbell,nbp
|
||
Updated•3 years ago
|
|
||
Comment 7•3 years ago
|
||
| bugherder | ||
|
||
Updated•3 years ago
|
|
||
Comment 8•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210802214356-3ff8ac39b364.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•