Closed Bug 811697 Opened 13 years ago Closed 13 years ago

Assertion failure: i >= 0, at js/src/jsopcode.cpp:5834 or Crash [@ DecompileExpressionFromStack] with -a

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 787283
Tracking Status
firefox21 --- fixed
firefox22 --- fixed
firefox23 --- fixed
firefox-esr17 21+ fixed
b2g18 21+ fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(5 keywords, Whiteboard: [jsbugmon:][sg:dupe 787283][adv-main21-][adv-esr1706-] fixed in Fx21)

Crash Data

The following testcase asserts on mozilla-central revision 4e9567eeb09e (run with -a):

Array.prototype.__proto__ = Function.prototype;
var x = [1,2,3];
function h() { return (x).apply(null, arguments); }
assertEq(h(1,2,3), 24);

This only happens with -a, with --ion-eager it goes away again, so I assume it's taking a different code path when ion optimizations jump in.

Crash trace:

==54851== Invalid read of size 8
==54851==    at 0x4EB87A: DecompileExpressionFromStack(JSContext*, int, int, JS::Value, char**) (jsopcode.cpp:5837)
==54851==    by 0x4ED45A: js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) (jsopcode.cpp:6242)
==54851==    by 0x449448: js_ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, char const*, char const*) (jscntxt.cpp:1224)
==54851==    by 0x4A5DE2: js::ReportIsNotFunction(JSContext*, JS::Value const*, js::MaybeConstruct) (jsinterp.cpp:249)
==54851==    by 0x4B34FC: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:361)
==54851==    by 0x6D0E57: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:138)
==54851==    by 0x6BADD7: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1322)
==54851==    by 0x40270F5: ???
==54851==    by 0x640325: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==54851==    by 0x6405A3: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1101)
==54851==    by 0x4B26BC: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2385)
==54851==    by 0x640374: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1070)
==54851==  Address 0x5f1ea98 is 8 bytes before a block of size 40 alloc'd
==54851==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==54851==    by 0x4EB81B: DecompileExpressionFromStack(JSContext*, int, int, JS::Value, char**) (Utility.h:148)
==54851==    by 0x4ED45A: js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) (jsopcode.cpp:6242)
==54851==    by 0x449448: js_ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, char const*, char const*) (jscntxt.cpp:1224)
==54851==    by 0x4A5DE2: js::ReportIsNotFunction(JSContext*, JS::Value const*, js::MaybeConstruct) (jsinterp.cpp:249)
==54851==    by 0x4B34FC: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:361)
==54851==    by 0x6D0E57: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:138)
==54851==    by 0x6BADD7: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1322)
==54851==    by 0x40270F5: ???
==54851==    by 0x640325: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==54851==    by 0x6405A3: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1101)
==54851==    by 0x4B26BC: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2385)

This looks quite dangerous, at least sec-high.
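An added example, not part of the bug report and not SpiderMonkey code: it reproduces the language-level shape of the trigger from comment 0 in a standard engine (Node.js/V8) without touching the global Array.prototype. A non-callable object is given a prototype chain that reaches Function.prototype, so `x.apply` resolves to Function.prototype.apply, which is then invoked with a non-callable `this`. The spec requires a TypeError at that point; the SpiderMonkey defect lived in the code that renders that error (DecompileExpressionFromStack naming the callee), so a fixed engine should throw cleanly for every receiver below rather than assert or read out of bounds. The receiver names and the `probe`/`probeAll` helpers are this example's own; the JIT-path dependence on `-a` versus `--ion-eager` cannot be shown here.

```javascript
// Receivers to try: each returns a non-callable object whose prototype chain
// includes Function.prototype. Names are illustrative, not from the bug.
const RECEIVERS = {
  // The reporter's shape: an Array instance. The chain is rewired on this one
  // object instead of on Array.prototype so the rest of the program is unaffected.
  array(proto) {
    const x = [1, 2, 3];
    Object.setPrototypeOf(x, proto);
    return x;
  },
  // A plain object with the same chain.
  object(proto) {
    return Object.create(proto);
  },
  // A boxed primitive, to cover a non-array, non-function object as well.
  boxedNumber(proto) {
    const n = new Number(24);
    Object.setPrototypeOf(n, proto);
    return n;
  },
};

// Builds the receiver, then mirrors
//   function h() { return (x).apply(null, arguments); }
// from the testcase. Returns what the engine did rather than printing it.
function probe(kind) {
  // proto sits between the receiver and Function.prototype, mirroring the
  // Array.prototype -> Function.prototype link the testcase creates.
  const proto = Object.create(Function.prototype);
  const x = RECEIVERS[kind](proto);
  if (typeof x.apply !== "function") {
    return { resolvedApply: false, threw: false, errorType: null };
  }
  function h() {
    return x.apply(null, arguments);
  }
  try {
    const v = h(1, 2, 3);
    return { resolvedApply: true, threw: false, errorType: null, value: v };
  } catch (e) {
    // Expected on a correct engine: TypeError from Function.prototype.apply's
    // IsCallable(this) check, with the error message built without crashing.
    return { resolvedApply: true, threw: true, errorType: e.constructor.name, message: e.message };
  }
}

// Runs every receiver; a correct engine yields a TypeError for each.
function probeAll() {
  const out = {};
  for (const kind of Object.keys(RECEIVERS)) out[kind] = probe(kind);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [kind, r] of Object.entries(probeAll())) {
    console.log(kind, r.threw ? `${r.errorType}: ${r.message}` : `returned ${r.value}`);
  }
}
```

The useful signal when running this against a build under test is not the message text (engines word it differently) but that every receiver yields an ordinary TypeError; an assertion failure, an abort, or an AddressSanitizer/Valgrind report in the error-reporting path is the symptom described in this bug.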
Crash Signature: [@ DecompileExpressionFromStack]
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   106741:6cd206b37176
parent:      106740:b63bb39ed1c0
parent:      103644:a0240c1043ee
user:        David Anderson
date:        Wed Aug 29 17:51:24 2012 -0700
summary:     Merge from mozilla-central.

This iteration took 4.716 seconds to run.

Oops! We didn't test rev b63bb39ed1c0, a parent of the blamed revision! Let's do that now.
Rev b63bb39ed1c0: Found cached shell... Testing... [Uninteresting] It didn't crash. (0.203 seconds)
good (not interesting)
As expected, the parent's label is the opposite of the blamed rev's label.

Oops! We didn't test rev a0240c1043ee, a parent of the blamed revision! Let's do that now.
Rev a0240c1043ee: Found cached shell... Testing... [Uninteresting] It didn't crash. (0.186 seconds)
good (not interesting)
As expected, the parent's label is the opposite of the blamed rev's label.
This seems similar to bug 787283. Brian, assigning this to you since that bug is already on your plate - there is a chance that these 2 bugs may be related.
Assignee: general → bhackett1024
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 712eca11a04e).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   118999:39885ae3a597
user:        Brendan Eich
date:        Tue Jan 15 18:17:50 2013 -0800
summary:     Bug 810525 - unregress DecompileValueGenerator change to handle object literal reference bases (r=jandem).

This iteration took 1.120 seconds to run.
Brendan, did the patch mentioned in comment 6 fix this security bug? Is it a dup of bug 787283? Thanks!
Flags: needinfo?(brendan)
jandem, ditto this bug and bug 787283, which seem pretty similar.
Flags: needinfo?(brendan) → needinfo?(jdemooij)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #8)
> jandem, ditto this bug and bug 787283, which seem pretty similar.

Yeah, this looks like bug 787283.
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Thanks Jan!
Flags: in-testsuite-
Resolution: FIXED → DUPLICATE
Whiteboard: [jsbugmon:] → [jsbugmon:][sg:dupe 787283] fixed in Fx21
Whiteboard: [jsbugmon:][sg:dupe 787283] fixed in Fx21 → [jsbugmon:][sg:dupe 787283][adv-main21-] fixed in Fx21
Whiteboard: [jsbugmon:][sg:dupe 787283][adv-main21-] fixed in Fx21 → [jsbugmon:][sg:dupe 787283][adv-main21-][adv-esr1706-] fixed in Fx21
Group: core-security