Closed
Bug 1827372
Opened 3 years ago
Closed 3 years ago
Assertion failure: mLength + 1 <= mTail.mReserved, at /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1303
Categories
(Core :: JavaScript Engine: JIT, defect)
RESOLVED
DUPLICATE
of bug 1827073
| Tracking | Status | |
|---|---|---|
| firefox113 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20230411-948cf466f3f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager):
```js
setJitCompilerOption('ion.forceinlineCaches', 1);
function g68(...rest) {
  g68.arguments;
}
g68();
```
Backtrace:
```text
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557304c51 in void js::jit::SnapshotIterator::readFunctionFrameArgs<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}>(CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}&, js::ArgumentsObject**, JS::Value*, unsigned int, unsigned int, JSScript*, js::jit::MaybeReadFallback&) ()
#1 0x0000555557304478 in void js::jit::InlineFrameIterator::readFrameArgsAndLocals<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}, js::jit::InlineFrameIterator::Nop>(JSContext*, CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}&, js::jit::InlineFrameIterator::Nop&, JSObject**, bool*, JS::Value*, js::ArgumentsObject**, bool*, js::jit::ReadFrameArgsBehavior, js::jit::MaybeReadFallback&) const ()
#2 0x0000555557303d29 in void js::FrameIter::unaliasedForEachActual<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}>(JSContext*, CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}) ()
#3 0x00005555572fc2c6 in js::ArgumentsObject::createUnexpected(JSContext*, js::ScriptFrameIter&) ()
#4 0x0000555556f1ccd6 in ArgumentsGetterImpl(JSContext*, JS::CallArgs const&) ()
#5 0x0000555556f40828 in ArgumentsGetter(JSContext*, unsigned int, JS::Value*) ()
#6 0x0000555556d25e57 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#7 0x0000555556d255a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8 0x0000555556d26d12 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#9 0x0000555556d27dd4 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#10 0x0000555556fbe8cc in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::PropertyInfoBase<unsigned int>, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#11 0x0000555556fbf18e in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#12 0x0000555556bf833f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#13 0x0000555556d465ab in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#14 0x0000555557b8ce5e in js::jit::IonGetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonGetPropertyIC*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#15 0x00000797e4877377 in ?? ()
#16 0x0000000000000000 in ?? ()
```
```text
rip 0x555557304c51 <void js::jit::SnapshotIterator::readFunctionFrameArgs<CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}>(CopyScriptFrameIterArgs::init(JSContext*)::{lambda(JS::Value const&)#1}&, js::ArgumentsObject**, JS::Value*, unsigned int, unsigned int, JSScript*, js::jit::MaybeReadFallback&)+609>
=> 0x555557304c51 <_ZN2js3jit16SnapshotIterator21readFunctionFrameArgsIZN23CopyScriptFrameIterArgs4initEP9JSContextEUlRKN2JS5ValueEE_EEvRT_PPNS_15ArgumentsObjectEPS7_jjP8JSScriptRNS0_17MaybeReadFallbackE+609>: movl $0x517,0x0
   0x555557304c5c <_ZN2js3jit16SnapshotIterator21readFunctionFrameArgsIZN23CopyScriptFrameIterArgs4initEP9JSContextEUlRKN2JS5ValueEE_EEvRT_PPNS_15ArgumentsObjectEPS7_jjP8JSScriptRNS0_17MaybeReadFallbackE+620>: callq 0x555556c25fac <abort>
```
Marking s-s because the assert does look security-related.
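For readers unfamiliar with the failing check, the following is an added stand-in model of the reserve()/infallibleAppend() contract that `mLength + 1 <= mTail.mReserved` enforces. It is not Mozilla's mozilla::Vector and not code from this bug; the shape of the failure (more frame arguments appended than were reserved for) is an assumption drawn from the assertion and backtrace, since the report does not state the root cause.

```cpp
#include <cstddef>
#include <vector>

// Simplified model (assumption: not Mozilla's code) of a vector whose
// infallibleAppend() is only valid while a prior reserve() still covers
// the next element. mReserved is the count the caller promised upfront.
class ReservedVector {
 public:
  // Models a fallible reserve(); always succeeds here.
  bool reserve(size_t n) {
    if (n > mStorage.size()) mStorage.resize(n);
    if (n > mReserved) mReserved = n;
    return true;
  }
  // Returns false instead of aborting so the contract can be checked;
  // the real infallibleAppend asserts mLength + 1 <= mReserved in debug
  // builds and performs no check at all in release builds.
  bool infallibleAppend(int v) {
    if (mLength + 1 > mReserved) return false;  // the check that fired
    mStorage[mLength++] = v;
    return true;
  }
  size_t length() const { return mLength; }
  size_t reserved() const { return mReserved; }

 private:
  std::vector<int> mStorage;
  size_t mLength = 0;
  size_t mReserved = 0;
};

// Reserves room for `expected` frame arguments, then copies `actual`
// values. Returns false as soon as an append exceeds the reservation,
// which is the condition the assertion in the report guards against.
bool copyFrameArgs(size_t expected, size_t actual) {
  ReservedVector args;
  if (!args.reserve(expected)) return false;
  for (size_t i = 0; i < actual; i++) {
    if (!args.infallibleAppend(static_cast<int>(i))) return false;
  }
  return args.length() == actual;
}
```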
Comment 4•3 years ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Updated•2 years ago
Group: javascript-core-security