Closed Bug 1894025 Opened 9 months ago Closed 9 months ago

Assertion failure: result->isTenured(), at builtin/TestingFunctions.cpp:3785

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
127 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox125 --- unaffected
firefox126 --- wontfix
firefox127 --- verified

People

(Reporter: decoder, Assigned: sfink)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20240428-f226353bd979 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

function makeExtensibleStrFrom() {
               strstrstr;
}
a = makeExtensibleStrFrom;
b = newDependentString(a, 0, 60)
newDependentString(b, 0, { tenured: true })

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555576af8cd in NewDependentString(JSContext*, unsigned int, JS::Value*) ()
#0  0x00005555576af8cd in NewDependentString(JSContext*, unsigned int, JS::Value*) ()
#1  0x00005555570c7e25 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#2  0x00005555570c739b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#3  0x00005555570d807b in js::Interpret(JSContext*, js::RunState&) ()
[...]
#12 0x0000555556ef84f9 in main ()
rip	0x5555576af8cd <NewDependentString(JSContext*, unsigned int, JS::Value*)+2813>
=> 0x5555576af8cd <_ZL18NewDependentStringP9JSContextjPN2JS5ValueE+2813>:	movl   $0xec9,0x0
   0x5555576af8d8 <_ZL18NewDependentStringP9JSContextjPN2JS5ValueE+2824>:	callq  0x555556f9c230 <abort>

Likely an issue with the testing function, so shell-only.

Attached file Testcase

Verified bug as reproducible on mozilla-central 20240429155147-04a668ef9c90.
The bug appears to have been introduced in the following build range:

Start: 8784930453c1609ff835c49e3c1d49e455357963 (20240409153807)
End: e3c9c90141d0f6b39792470ce489a5af6123cc15 (20240409170326)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8784930453c1609ff835c49e3c1d49e455357963&tochange=e3c9c90141d0f6b39792470ce489a5af6123cc15

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

It's not reproducing for me. This bug looks very useful and I'd love to get it to work.

I'm on the right revision, using the given command-line flags. My mozconfig is:

ac_add_options --enable-project=js --with-project=js
ac_add_options --enable-debug
ac_add_options --enable-optimize
ac_add_options --enable-js-shell
ac_add_options --enable-fuzzing

What is your config?

Flags: needinfo?(choller)
Regressed by: 1879918

(The crash here is in testing code and doesn't matter much, but it might help explain how something might be happening in the field that I didn't think was possible yet, and I have some unexplained bugs that might be explained if it is.)

Set release status flags based on info from the regressing bug 1879918

(In reply to Steve Fink [:sfink] [:s:] from comment #4)
> It's not reproducing for me. This bug looks very useful and I'd love to get it to work.
>
> I'm on the right revision, using the given command-line flags. My mozconfig is:
>
> ac_add_options --enable-project=js --with-project=js
> ac_add_options --enable-debug
> ac_add_options --enable-optimize
> ac_add_options --enable-js-shell
> ac_add_options --enable-fuzzing
>
> What is your config?

I believe this is not an --enable-fuzzing build. You should be able to get this build from TC using python -mfuzzfetch --target js -d --build f226353bd979.

Flags: needinfo?(choller)

Huh. Strangely, I got the same result with the downloaded fuzzfetched build. But if I change the 60 in the test case to 50 (the string it's making a substring of is only 51 characters long), then I get the crash (in either build). Which is great, but it's a little weird because the length should be based on the source text for the function, which should be the same however you're running it.

Oh well, I'm good to go now. Thanks!

Bleh, turned out to be boring. Just a case of my trigger-happy checks to ensure that you're testing what you think you're testing, which is not normally the way I do these things.

Assignee: nobody → sphink
Status: NEW → ASSIGNED
Blocks: GC.stability
Severity: -- → S4
Priority: -- → P1
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/54f4b0d6dc0f Throw error rather than asserting when newDependentString creates string in different heap than requested r=jonco

Argh, that's at least the second time I've done this: I have a test case that crashes. I fix the crash, turning it into an error throw. Yay! I land it, and get backed out because the test still (obviously) fails.

I suck.

Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/af5e3783b62e Throw error rather than asserting when newDependentString creates string in different heap than requested r=jonco
Flags: needinfo?(sphink)
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch

Verified bug as fixed on rev mozilla-central 20240501214803-0c09216614e4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:sfink, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox126 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(sphink)

S4 bug that appears to only impact fuzzing.
Setting Fx126 to wontfix; please reach out if there's disagreement.

Flags: needinfo?(sphink)