Closed Bug 763950 Opened 8 years ago Closed 8 years ago

Assertion failure: (ptrBits & 0x7) == 0, at ../../jsval.h:700 or Crash [@ ToNumberSlow]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla16
Tracking Status
firefox15 --- unaffected
firefox16 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: luke)

References

Details

(5 keywords, Whiteboard: js-triage-done [jsbugmon:ignore][advisory-tracking-])

Crash Data

Attachments

(1 file)

The following test asserts/crashes on mozilla-central revision e9bf05c14376 (options -m -n -a):


Object.prototype.inheritsFrom = function (shuper) {
  this.superConstructor = shuper;
}
function Strength(strengthValue, name) {
  this.strengthValue = strengthValue;
}
Strength.weaker = function (s1, s2) {
  return this  ( UTCDate.stack , 'No Crash').super > s2.strengthValue;
}
Strength.REQUIRED = new Strength(0, "required");
function BinaryConstraint(var1, var2, strength) {
  this.v1 = var1;
  this.v2 = var2;
  if (Strength.weaker(this.v1.walkStrength, this.v2.walkStrength)) {}
}
function EqualityConstraint(var1, var2, strength) {
  EqualityConstraint.superConstructor.call(this, var1, var2, strength);
}
EqualityConstraint.inheritsFrom(BinaryConstraint);
function Variable(name, initialValue) {
}
function chainTest(n) {
  var prev = null, first = null, last = null;
  for (var i = 0; i <= n; i++) {
    var name = "v" + i;
    var v = new Variable(name);
    if (prev != null)
      new EqualityConstraint(prev, v, Strength.REQUIRED);
    prev = v;
  }
}
chainTest(100);


Opt-crash looks like this:

==9184== Invalid read of size 8
==9184==    at 0x4859D2: ToNumberSlow (jsnum.cpp:1435)
==9184==    by 0x62CE49: js::mjit::stubs::Pos(js::VMFrame&) (jsnum.h:133)
==9184==    by 0x403A435: ???
==9184==    by 0x585CB6: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1016)
==9184==    by 0x47B475: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1494)
==9184==    by 0x585CF3: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==9184==    by 0x585E42: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1074)
==9184==    by 0x47D169: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:264)
==9184==    by 0x47DD61: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:455)
==9184==    by 0x4181CC: JS_ExecuteScript (jsapi.cpp:5320)
==9184==    by 0x4081FC: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:438)
==9184==    by 0x40B13B: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4732)
==9184==  Address 0x1 is not stack'd, malloc'd or (recently) free'd


S-s because the assertion is GC-related.
The test in comment 1 is plain wrong -.- (happy cloning day!) This is the right one, sorry for that:


function testMulOverflow() {
    var a = [];
    for (let j=0;j<015 ;++j) 
        a.push(0 | (((function  () function push(){ for(j in j); })) * 0x60000009));
}
assertEq(testMulOverflow(), "-1073741824,-1073741824,-1073741824,-1073741824,-1073741824");
Whiteboard: js-triage-needed → js-triage-needed [jsbugmon:ignore]
Assignee: general → luke
Blocks: 659577
Oops, this repros before bug 659577; un-assigning.

I looked into it for a few seconds though: it seems to be a simple case of Compiler::jsop_setprop calling frame.tempRegForData(lhs) when lhs->isConstant().
Assignee: luke → general
No longer blocks: 659577
nm, I was confused by comment 0.  comment 1 is bug 659577.
Blocks: 659577
Attached patch fix and testSplinter Review
Simple bug: ScopeCoordiante::slot is relative to the scope object, hence for blocks, it is 0-based, not including StaticBlockObject::depth.  This logic shows up in two places (the other one I wrote first got it right), so this patch factors it out into one place.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #632416 - Flags: review?(dvander)
David: you may want to reuse this function in the IM scope access path.
Attachment #632416 - Flags: review?(dvander) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/6312cccf540d
Whiteboard: js-triage-needed [jsbugmon:ignore] → js-triage-done [jsbugmon:ignore]
Target Milestone: --- → mozilla16
https://hg.mozilla.org/mozilla-central/rev/6312cccf540d
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
I am assuming "[this] is bug 659577." means a "regression from" and marked branch status fields accordingly. If this is incorrect please set the appropriate statuses to "affected".
Not tracking for advisories since 15 and earlier are unaffected.
Whiteboard: js-triage-done [jsbugmon:ignore] → js-triage-done [jsbugmon:ignore][advisory-tracking-]
Keywords: sec-high
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug763950.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.