
JS Shell: Crashes with call to mjitChunkLimit without arguments

RESOLVED FIXED in mozilla13

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, crash, testcase})

Version: Trunk
Target Milestone: mozilla13
Platform: x86_64 Linux
Keywords: assertion, crash, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following test asserts on mozilla-central revision 4a9a6ffd1f21 (options -m -n):

function jsTestDriverEnd() {}
this.__defineSetter__("x", function () {});
x %= 5;
jsTestDriverEnd();
mjitChunkLimit();

I'm getting

Assertion failure: v.isObject(), at js/src/jsnum.cpp:1257

for this test, but it can also cause other assertions (e.g. ptrBits) or crashes. I assume this is a shell-only issue with the debug function mjitChunkLimit, which is supposed to take one parameter.

It would be nice if this could be fixed (I assume it's an easy thing), because it causes multiple signatures in the fuzzer.

function tryItOut(code) {
    nestingConsistencyTest()
    sandboxResult(code, "new-compartment")
}
function nestingConsistencyTest(c) {
    var e
    depth = rnd() + 4
    for (var i; depth;)(p)
}
function sandboxResult(code, globalType) {
    try {
        var sandbox = newGlobal(globalType)
        t = evalcx(code, sandbox)
    } catch (e) {}
}
function f() {
    this.g1 = function() {}
    this.g2 = function() {
        return this.g1()
    }
}(function() {
    fInst = new f
    rnd = function(n) {
        Math.floor(fInst.g2())
    }
}())
tryItOut("mjitChunkLimit()")

Here's another testcase w/ 32-bit debug shell on Linux on m-c changeset ebafee0cea36

*** Compartment mismatch 0x8b14520 vs. 0x8b0ad00
Assertion failure: compartment mismatched, at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-32-mc-86707-ebafee0cea36/compilePath/js/src/jscntxtinlines.h:153
Created attachment 596830 (patch)

Dumb bug, mjitChunkLimit checks for argument overflow but not underflow.
Assignee: general → bhackett1024
Attachment #596830 - Flags: review?(dvander)
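The root cause named in the comment above (the argument-count check bounds argc from above but not from below, so a call with zero arguments reads an argument slot the caller never wrote) is a general hazard for any native that receives an (argc, slot pointer) pair. The C++ model below is an added example, not the bug's patch and not SpiderMonkey code: the Value, ArgFrame and CallResult types, the stale-slot filler of 42 and the two mjitChunkLimit* functions are stand-ins constructed for illustration. It puts the buggy check beside the hardened one so the difference in behaviour on an empty call is visible.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>

// Stand-in for an engine value slot (constructed for this model). Only a tag
// and a payload are needed to see whether a native read a slot the caller wrote.
struct Value {
    enum Tag { Undefined, Int32, Object };
    Tag tag = Undefined;
    int32_t i32 = 0;
    bool isInt32() const { return tag == Int32; }
};

// Argument frame handed to a native. The caller writes exactly argc slots;
// the remaining slots keep whatever an earlier call left there. The fixed
// size and the leftover filler are assumptions of this model.
struct ArgFrame {
    static const unsigned kSlots = 4;
    unsigned argc = 0;
    Value slots[kSlots];

    // Frame whose unwritten slots still hold an Int32 from an earlier call.
    static ArgFrame withStaleSlots(int32_t leftover) {
        ArgFrame f;
        for (Value &v : f.slots) { v.tag = Value::Int32; v.i32 = leftover; }
        return f;
    }
    // Caller pushes one argument, advancing argc.
    void pushInt32(int32_t n) {
        if (argc >= kSlots) return;                 // model has a fixed frame
        slots[argc].tag = Value::Int32;
        slots[argc].i32 = n;
        ++argc;
    }
};

// Outcome of the native: the limit it accepted, or an error message
// (the shell would report the error to the caller instead).
struct CallResult {
    bool ok;
    int32_t limit;
    std::string error;
};

// Buggy shape: only the upper bound on argc is checked, so argc == 0 falls
// through and slots[0] is read although the caller never wrote it.
CallResult mjitChunkLimitBuggy(const ArgFrame &f) {
    if (f.argc > 1)
        return {false, 0, "Wrong number of arguments"};
    const Value &v = f.slots[0];                    // unchecked read when argc == 0
    if (!v.isInt32())
        return {false, 0, "Argument must be an int32"};
    return {true, v.i32, ""};
}

// Hardened shape: require exactly one argument before touching any slot,
// rejecting both underflow (argc == 0) and overflow (argc > 1).
CallResult mjitChunkLimitFixed(const ArgFrame &f) {
    if (f.argc != 1)
        return {false, 0, "Wrong number of arguments"};
    const Value &v = f.slots[0];
    if (!v.isInt32())
        return {false, 0, "Argument must be an int32"};
    return {true, v.i32, ""};
}

// Scenario helper: call a native with the given arguments on a frame whose
// unused slots contain the constructed leftover value 42.
CallResult callWith(CallResult (*native)(const ArgFrame &),
                    std::initializer_list<int32_t> args) {
    ArgFrame f = ArgFrame::withStaleSlots(42);
    for (int32_t n : args) f.pushInt32(n);
    return native(f);
}

int main() {
    CallResult b = callWith(mjitChunkLimitBuggy, {});
    CallResult h = callWith(mjitChunkLimitFixed, {});
    std::cout << "buggy, no args:    ok=" << b.ok << " limit=" << b.limit << "\n";
    std::cout << "hardened, no args: ok=" << h.ok << " error=" << h.error << "\n";
    return 0;
}
```

With no arguments the buggy version reports success and returns the leftover 42, a value that depends entirely on what the previous call left in the frame; in the real shell that slot can hold any bit pattern, which is why the reporter saw a mix of assertions and crashes rather than one stable signature. The hardened version rejects the call before any slot is read, and both versions still reject two arguments.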

Updated

5 years ago
Keywords: crash
Attachment #596830 - Flags: review?(dvander) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/3fa51ff647cb
https://hg.mozilla.org/mozilla-central/rev/3fa51ff647cb
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
(Reporter)

Comment 5

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+