Closed Bug 1924900 Opened 4 months ago Closed 4 months ago

Assertion failure: !getExtendedSlot(js::FunctionExtended::WASM_INSTANCE_SLOT).isUndefined(), at js/src/vm/JSFunction.h:941

Categories: Core :: JavaScript: WebAssembly, defect

Tracking: (none)

Status: RESOLVED DUPLICATE of bug 1924062

People: Reporter: sm-bugs, Unassigned

References: Blocks 1 open bug

Keywords: reporter-external

Steps to reproduce:

Version: 9b96f1292e43321df8b9c1710a3ef932bac8df48
Args:

js --fuzzing-safe <test-case>

Test-case:

// Build an asm.js module: "g" is the stdlib/global parameter; the module
// imports Math.fround and Math.ceil and exports f, which does a
// float32 round-trip (fround -> ceil -> fround).
a = Function(
    "g",
    "'use asm'; var tof=g.Math.fround; var fun=g.Math.ceil; function f(d) { d=tof(d); return tof(fun(d)) } return f")
// Shell-only testing function. DisassembleNative calls
// JSFunction::wasmInstance() on the asm.js module function; its
// WASM_INSTANCE_SLOT is undefined here, so the assertion below fires.
disnative(a)

Actual results:

Assertion failure: !getExtendedSlot(js::FunctionExtended::WASM_INSTANCE_SLOT).isUndefined(), at js/src/vm/JSFunction.h:941

#0 0x55f653ee1682 in JSFunction::wasmInstance() const src/vm/JSFunction.h:940:3
#1 0x55f653ea53d5 in DisassembleNative(JSContext*, unsigned int, JS::Value*) src/builtin/TestingFunctions.cpp:1788:37
#2 0x55f653695fce in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/vm/Interpreter.cpp:527:13
#3 0x55f65369522f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/vm/Interpreter.cpp:623:12
#4 0x55f6536ad424 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) src/vm/Interpreter.cpp:695:10
#5 0x55f6536ad424 in js::Interpret(JSContext*, js::RunState&) src/vm/Interpreter.cpp:3520:16
#6 0x55f653694060 in js::RunScript(JSContext*, js::RunState&) src/vm/Interpreter.cpp:497:13
#7 0x55f653699411 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) src/vm/Interpreter.cpp:888:13
#8 0x55f653699c1c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) src/vm/Interpreter.cpp:921:10
#9 0x55f6538ea329 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) src/vm/CompilationAndEvaluation.cpp:495:10
#10 0x55f6538ea5a7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) src/vm/CompilationAndEvaluation.cpp:519:10
#11 0x55f6535fd7ce in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) src/shell/js.cpp:1317:10
#12 0x55f6535fcb35 in Process(JSContext*, char const*, bool, FileKind) src/shell/js.cpp
#13 0x55f6535b773e in ProcessArgs(JSContext*, js::cli::OptionParser*) src/shell/js.cpp:11494:10
#14 0x55f6535b773e in Shell(JSContext*, js::cli::OptionParser*) src/shell/js.cpp:11746:12
#15 0x55f6535ae71d in main src/shell/js.cpp:12303:12
#16 0x7fe02f61ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7fe02f61ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
#18 0x55f653577b98 in _start (/home/user/fuzzilli-ng/targets/spidermonkey/src/reproducebuild/dist/bin/js+0x1c3db98) (BuildId: 1121917b6dcdb4f8ec3555b4aec4c3ce)

Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 130 → Trunk
Group: core-security → javascript-core-security
Component: JavaScript Engine → JavaScript: WebAssembly

My disnative + asm.js nemesis.

It's either a duplicate of an earlier bug I fixed or it's another case we need to handle.

Group: javascript-core-security

Verified duplicate of bug 1924062.

Status: NEW → RESOLVED
Closed: 4 months ago
Duplicate of bug: 1924062
Resolution: --- → DUPLICATE