Closed Bug 1827372 Opened 3 years ago Closed 3 years ago

Assertion failure: mLength + 1 <= mTail.mReserved, at /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1303

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1827073
Tracking Status
firefox113 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20230411-948cf466f3f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager):

setJitCompilerOption('ion.forceinlineCaches', 1);
function g68(...rest) {
    g68.arguments;
}
g68();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557304c51 in void js::jit::SnapshotIterator::readFunctionFrameArgs<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}>(CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}&, js::ArgumentsObject**, JS::Value*, unsigned int, unsigned int, JSScript*, js::jit::MaybeReadFallback&) ()
#1  0x0000555557304478 in void js::jit::InlineFrameIterator::readFrameArgsAndLocals<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}, js::jit::InlineFrameIterator::Nop>(JSContext*, CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}&, js::jit::InlineFrameIterator::Nop&, JSObject**, bool*, JS::Value*, js::ArgumentsObject**, bool*, js::jit::ReadFrameArgsBehavior, js::jit::MaybeReadFallback&) const ()
#2  0x0000555557303d29 in void js::FrameIter::unaliasedForEachActual<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}>(JSContext*, CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}) ()
#3  0x00005555572fc2c6 in js::ArgumentsObject::createUnexpected(JSContext*, js::ScriptFrameIter&) ()
#4  0x0000555556f1ccd6 in ArgumentsGetterImpl(JSContext*, JS::CallArgs const&) ()
#5  0x0000555556f40828 in ArgumentsGetter(JSContext*, unsigned int, JS::Value*) ()
#6  0x0000555556d25e57 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#7  0x0000555556d255a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8  0x0000555556d26d12 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#9  0x0000555556d27dd4 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#10 0x0000555556fbe8cc in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::PropertyInfoBase<unsigned int>, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#11 0x0000555556fbf18e in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#12 0x0000555556bf833f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#13 0x0000555556d465ab in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#14 0x0000555557b8ce5e in js::jit::IonGetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonGetPropertyIC*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#15 0x00000797e4877377 in ?? ()
#16 0x0000000000000000 in ?? ()
rax	0x5555558c1dd7	93824995827159
rbx	0x1	1
rcx	0x555558303178	93825040134520
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb960	140737488337248
rsp	0x7fffffffb900	140737488337152
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x3	3
r13	0x7fffffffb920	140737488337184
r14	0x7fffffffbce8	140737488338152
r15	0x7fffffffbbe0	140737488337888
rip	0x555557304c51 <void js::jit::SnapshotIterator::readFunctionFrameArgs<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}>(CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}&, js::ArgumentsObject**, JS::Value*, unsigned int, unsigned int, JSScript*, js::jit::MaybeReadFallback&)+609>
=> 0x555557304c51 <_ZN2js3jit16SnapshotIterator21readFunctionFrameArgsIZN23CopyScriptFrameIterArgs4initEP9JSContextEUlRKN2JS5ValueEE_EEvRT_PPNS_15ArgumentsObjectEPS7_jjP8JSScriptRNS0_17MaybeReadFallbackE+609>:	movl   $0x517,0x0
   0x555557304c5c <_ZN2js3jit16SnapshotIterator21readFunctionFrameArgsIZN23CopyScriptFrameIterArgs4initEP9JSContextEUlRKN2JS5ValueEE_EEvRT_PPNS_15ArgumentsObjectEPS7_jjP8JSScriptRNS0_17MaybeReadFallbackE+620>:	callq  0x555556c25fac <abort>

Marking s-s because the assert does look security-related.

Attached file Testcase
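The assertion in the summary, mLength + 1 <= mTail.mReserved, is mozilla::Vector's check that infallibleAppend() is only called after reserve() has set aside room for the element; in an opt build the MOZ_ASSERT is compiled out and the store happens regardless, which is why a failure of this check is treated as potentially memory-unsafe rather than a benign debug-only crash. The following is an added illustration of that contract written for this page, not SpiderMonkey or mfbt code: ModelVector, fillFromReserved and the growth policy are assumptions of the model, and nothing in it claims to be the root cause of this report or of bug 1827073.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model of mozilla::Vector's reserve()/infallibleAppend() contract.
// Added illustration for this page; not SpiderMonkey or mfbt code. The member
// names mirror the ones in the assertion (mLength, mReserved, mCapacity), but
// the storage and growth policy are made up for the model.
class ModelVector {
 public:
  // Guarantee room for aRequest elements. mReserved records how many
  // elements callers are entitled to append infallibly; mCapacity is the
  // real allocation size (mReserved <= mCapacity always holds).
  bool reserve(size_t aRequest) {
    if (aRequest > mCapacity) {
      size_t newCap = mCapacity ? mCapacity : 1;
      while (newCap < aRequest) {
        newCap *= 2;
      }
      mStorage.resize(newCap);
      mCapacity = newCap;
    }
    if (aRequest > mReserved) {
      mReserved = aRequest;
    }
    return true;
  }

  // The precondition the report's assertion enforces.
  bool canInfallibleAppend(size_t aCount = 1) const {
    return mLength + aCount <= mReserved;
  }

  // Debug behaviour: the assert fires, as in the report. In an opt build the
  // check is compiled out and the store below happens anyway; once
  // mLength == mCapacity that store lands past the end of the allocation.
  void infallibleAppend(uint64_t aValue) {
    assert(mLength + 1 <= mReserved && "infallibleAppend without matching reserve()");
    mStorage[mLength++] = aValue;
  }

  // Fallible path: grows first, so it is safe without a prior reserve().
  bool append(uint64_t aValue) {
    if (!reserve(mLength + 1)) {
      return false;
    }
    mStorage[mLength++] = aValue;
    return true;
  }

  size_t length() const { return mLength; }
  size_t reserved() const { return mReserved; }
  size_t capacity() const { return mCapacity; }
  uint64_t operator[](size_t aIndex) const {
    assert(aIndex < mLength);
    return mStorage[aIndex];
  }

 private:
  std::vector<uint64_t> mStorage;  // stands in for the heap buffer
  size_t mLength = 0;
  size_t mReserved = 0;
  size_t mCapacity = 0;
};

// Copy aSource into aOut after reserving aExpectedCount slots. This is the
// shape of code that trips the assertion when the count it reserved for is
// smaller than the number of values it then appends. It returns false on
// that mismatch instead of asserting (debug) or writing out of bounds (opt).
bool fillFromReserved(const std::vector<uint64_t>& aSource,
                      size_t aExpectedCount, ModelVector& aOut) {
  if (!aOut.reserve(aExpectedCount)) {
    return false;
  }
  for (uint64_t value : aSource) {
    if (!aOut.canInfallibleAppend()) {
      return false;  // the condition the report's assertion would catch
    }
    aOut.infallibleAppend(value);
  }
  return true;
}
```

The practical reading of the backtrace is therefore: some caller in the frame-argument copy path reserved fewer slots than it went on to append infallibly. Whether that ever exceeds mCapacity (and so corrupts memory in an opt build) depends on how far apart the reserved and appended counts can get, which is what the duplicate bug's analysis has to establish.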
Status: NEW → RESOLVED
Closed: 3 years ago
Duplicate of bug: 1827073
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Group: javascript-core-security
