Closed Bug 1878626 Opened 1 year ago Closed 1 year ago

Assertion failure: v.isSymbol() || v.isBigInt(), at js/src/jsnum.cpp:2058

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

RESOLVED DUPLICATE of bug 1877357
Tracking Status
firefox124 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][sp3])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20240131-ad50a175a7c5 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

var code = `
function int_seq(count) {
    var arr = [];
    var x43 = 0xfac83126;
    while (count--) {
        x43 ^= x43 << 13;
        Base = interpdiv3;
        arr.push(new class prox extends Base {});
    }
    return arr;
}
function test(asm) {
    let count = 10000;
    let seq = int_seq(count);
    for (let x43 of seq) {
        let rasm = asm(x43);
    }
}
var interpdiv3 = function(x43) {}
asmdiv3 = lfPromise;
test(asmdiv3);
`;
evaluate(`
  function lfPromise(x) {
    return new Promise(resolve => {
        ` + code + `
    });
  }
`);
evaluate(code);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555576c2c47 in js::ToNumberSlow(JSContext*, JS::Handle<JS::Value>, double*) ()
#0  0x00005555576c2c47 in js::ToNumberSlow(JSContext*, JS::Handle<JS::Value>, double*) ()
#1  0x00005555576c2ce3 in js::ToNumericSlow(JSContext*, JS::MutableHandle<JS::Value>) ()
#2  0x00005555576c3594 in js::ToInt32OrBigIntSlow(JSContext*, JS::MutableHandle<JS::Value>) ()
#3  0x00005555570293e3 in js::BitLshOperation(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#4  0x0000555557c000d4 in js::jit::DoBinaryArithFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#5  0x00003cb7bdfb579f in ?? ()
[...]
#26 0x0000000000000000 in ?? ()
rax	0x55555576a640	93824994420288
rbx	0x7fffffffa1e0	140737488331232
rcx	0x5555589aef98	93825047130008
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffa1d0	140737488331216
rsp	0x7fffffffa190	140737488331152
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f92840	140737353689152
r10	0x2	2
r11	0x0	0
r12	0x7fffffffa190	140737488331152
r13	0xfffc800000000000	-985162418487296
r14	0x7ffff3d32200	140737284088320
r15	0x7fffffffa1a0	140737488331168
rip	0x5555576c2c47 <js::ToNumberSlow(JSContext*, JS::Handle<JS::Value>, double*)+999>
=> 0x5555576c2c47 <_ZN2js12ToNumberSlowEP9JSContextN2JS6HandleINS2_5ValueEEEPd+999>:	movl   $0x80a,0x0
   0x5555576c2c52 <_ZN2js12ToNumberSlowEP9JSContextN2JS6HandleINS2_5ValueEEEPd+1010>:	callq  0x555556eca390 <abort>

Looks like a potential type confusion/mismatch, marking s-s until triaged.

Attached file Testcase

Testcase crashes using the initial build (mozilla-central 20240131095100-ad50a175a7c5) but not with tip (mozilla-central 20240205094658-9ca12d444230).

The bug appears to have been fixed in the following build range:

Start: 67f13af428e383eb2f3472448564da31a6cd3eae (20240202195324)
End: 7a609350fd1141b84a9e3a8b006df4d6eb94abbf (20240202200120)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=67f13af428e383eb2f3472448564da31a6cd3eae&tochange=7a609350fd1141b84a9e3a8b006df4d6eb94abbf

decoder, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(choller)
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Nicolas, this could be a duplicate of bug 1876978 considering the fix range. Can you confirm?

Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(choller)

(In reply to Jan de Mooij [:jandem] from comment #4)
> Nicolas, this could be a duplicate of bug 1876978 considering the fix range. Can you confirm?

I will hold before marking it as a duplicate as there is a second bug caused by fixing EliminateDeadResumePointOperands.
I noticed it while looking at a webcompat failure.

Flags: needinfo?(nicolas.b.pierron)
Blocks: 1874456
Severity: -- → S4
Flags: needinfo?(nicolas.b.pierron)
Priority: -- → P2

:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit BugBot documentation.

Flags: needinfo?(choller)
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1877357
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Group: javascript-core-security
Flags: needinfo?(choller)
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][sp3]