Bug 886282 (Closed)
Opened 12 years ago, closed 12 years ago
OdinMonkey: Assertion failure: it.isBaselineJS(), at ion/IonFrames.cpp:1034 or Assertion failure: retAddr != __null, at ion/IonFrames.cpp:1012 or Crash [@ js::ion::IonFrameIterator::script] or Crash [@ containsReturnAddress]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 886266
People: Reporter: decoder, Assigned: h4writer
Details: 5 keywords, Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): 3.61 KB, text/plain
The following testcase asserts on mozilla-central revision 76820c6dff7b (run with --ion-eager):
var lfcode = new Array();
lfcode.push("0");
lfcode.push("(function () { var f = function() { f(function () {");
lfcode.push("var { Int16Array } = 0; schedulegc(10);");
lfcode.push("\
function coerceForeign(stdlib, foreign) {\
\"use asm\";\
var g = foreign.g;\
function f() {\
+g(0);\
+g(1);\
+g(2);\
}\
return f;\
}\
var t = coerceForeign(undefined, { g: function() function d8 (code) {} });\
t();\
");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
default: evaluate(lfVarx, { noScriptRval : true }); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
Comment 1 • 12 years ago (Reporter)
Comment 2 • 12 years ago (Reporter)
The opt-crash looks s-s and it could be that an uninitialized value is involved:
==63079== Use of uninitialised value of size 8
==63079== at 0x71AF68: js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**) (PcScriptCache-inl.h:26)
==63079== by 0x59C7A5: JSContext::currentScript(unsigned char**, JSContext::MaybeAllowCrossCompartment) const (jscntxtinlines.h:579)
==63079== by 0x5A7F54: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobj.cpp:1644)
==63079== by 0x5A85C4: MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobjinlines.h:134)
==63079== by 0x5A866F: js::DefaultValue(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) (jsobj.cpp:4673)
==63079== by 0x598C64: js::ToNumberSlow(JSContext*, JS::Value, double*) (jsobjinlines.h:37)
==63079== by 0x643607: ValueToNumber(JSContext*, JS::Value*) (jsapi.h:1515)
==63079== by 0x403F24D: ???
==63079== by 0xFFFB800006E6D23F: ???
==63079== by 0x630EE9F: ???
==63079== by 0x6099ACF: ???
==63079== by 0x7FEFFDF07: ???
==63079==
[...]
==63079==
==63079== Invalid read of size 8
==63079== at 0x717DB9: js::ion::IonFrameIterator::script() const (IonFrames.cpp:1579)
==63079== by 0x717E41: js::ion::IonFrameIterator::checkInvalidation(js::ion::IonScript**) const (IonFrames.cpp:62)
==63079== by 0x718570: _ZN2js3ion16SnapshotIteratorC2ERKNS0_16IonFrameIteratorE.constprop.217 (IonFrames.cpp:1196)
==63079== by 0x71AA0D: js::ion::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::resetOn(js::ion::IonFrameIterator const*) (IonFrames.cpp:1232)
==63079== by 0x71B147: js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**) (IonFrameIterator-inl.h:66)
==63079== by 0x59C7A5: JSContext::currentScript(unsigned char**, JSContext::MaybeAllowCrossCompartment) const (jscntxtinlines.h:579)
==63079== by 0x5A7F54: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobj.cpp:1644)
==63079== by 0x5A85C4: MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobjinlines.h:134)
==63079== by 0x5A866F: js::DefaultValue(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) (jsobj.cpp:4673)
==63079== by 0x598C64: js::ToNumberSlow(JSContext*, JS::Value, double*) (jsobjinlines.h:37)
==63079== by 0x643607: ValueToNumber(JSContext*, JS::Value*) (jsapi.h:1515)
==63079== by 0x403F24D: ???
==63079== Address 0x87eefd4ea is not stack'd, malloc'd or (recently) free'd
Marking s-s and sec-critical based on that. If this is not right, please change accordingly :)
Crash Signature: [@ js::ion::IonFrameIterator::script]
[@ containsReturnAddress]
Whiteboard: [jsbugmon:update,bisect]
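The triage call in comment 2 rests on two signals in the memcheck output: a read from an address that is "not stack'd, malloc'd or (recently) free'd" and an earlier use of an uninitialised value, with the unsymbolised "???" frames marking JIT-generated code. The script below is an added example, not code from this bug or from the SpiderMonkey project: it parses memcheck-style output into error records, classifies each by its message, and counts which records fall in the memory-safety classes a triager would mark security-sensitive. The sample log is constructed to mirror the shape of the output in comment 2 (frame text and the leak record are illustrative, not taken from the page verbatim).

```python
"""Triage helper for Valgrind memcheck output (added example).

Groups memcheck lines into error reports, classifies each report by its
message, and flags the memory-safety classes that usually warrant
security-sensitive handling. The sample log below is constructed.
"""
import re
from dataclasses import dataclass, field

# Substrings of memcheck messages and the class they indicate. Invalid
# accesses, uninitialised data and bad frees are the classes worth treating
# as security-sensitive until proven otherwise; leaks generally are not.
ERROR_CLASSES = [
    ("Invalid read", "invalid-access"),
    ("Invalid write", "invalid-access"),
    ("uninitialised value", "uninitialised"),
    ("Invalid free", "invalid-free"),
    ("Mismatched free", "invalid-free"),
    ("definitely lost", "leak"),
]
SECURITY_SENSITIVE = {"invalid-access", "uninitialised", "invalid-free"}

LINE_RE = re.compile(r"^==(\d+)==\s?(.*)$")          # ==pid== prefix
FRAME_RE = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (.*)$")
ADDR_RE = re.compile(r"^Address 0x([0-9A-Fa-f]+) is (.*)$")


@dataclass
class ValgrindError:
    pid: int
    message: str
    kind: str                                  # class name or "other"
    frames: list = field(default_factory=list)  # symbol text per frame
    address_note: str = ""                     # e.g. "not stack'd, malloc'd ..."

    @property
    def top_symbolised_frame(self):
        """First frame with a symbol; '???' frames carry no symbol, which for
        JIT code (IonMonkey/OdinMonkey here) normally means generated code."""
        for f in self.frames:
            if f != "???":
                return f
        return None

    @property
    def unsymbolised_frames(self):
        return sum(1 for f in self.frames if f == "???")

    @property
    def security_sensitive(self):
        return self.kind in SECURITY_SENSITIVE


def classify(message):
    for needle, kind in ERROR_CLASSES:
        if needle in message:
            return kind
    return "other"


def parse_memcheck(text):
    """Split memcheck output into ValgrindError records."""
    errors, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # e.g. the "[...]" elision marker
        pid, body = int(m.group(1)), m.group(2).strip()
        if not body:
            current = None                # bare ==pid== line ends a report
            continue
        fm, am = FRAME_RE.match(body), ADDR_RE.match(body)
        if fm and current is not None:
            current.frames.append(fm.group(2))
        elif am and current is not None:
            current.address_note = am.group(2)
        elif not fm and not am:
            current = ValgrindError(pid, body, classify(body))
            errors.append(current)
    return errors


def triage(text):
    """Summary a triager can act on: counts, classes, top symbol per report."""
    errors = parse_memcheck(text)
    return {
        "total": len(errors),
        "security_sensitive": sum(e.security_sensitive for e in errors),
        "kinds": [e.kind for e in errors],
        "top_frames": [e.top_symbolised_frame for e in errors],
        "jit_frames": [e.unsymbolised_frames for e in errors],
    }


# Constructed sample, shaped like the memcheck output in comment 2.
SAMPLE_LOG = """\
==63079== Use of uninitialised value of size 8
==63079==    at 0x71AF68: js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**) (PcScriptCache-inl.h:26)
==63079==    by 0x59C7A5: JSContext::currentScript(unsigned char**, JSContext::MaybeAllowCrossCompartment) const (jscntxtinlines.h:579)
==63079==    by 0x403F24D: ???
==63079==    by 0xFFFB800006E6D23F: ???
==63079==
[...]
==63079==
==63079== Invalid read of size 8
==63079==    at 0x717DB9: js::ion::IonFrameIterator::script() const (IonFrames.cpp:1579)
==63079==    by 0x717E41: js::ion::IonFrameIterator::checkInvalidation(js::ion::IonScript**) const (IonFrames.cpp:62)
==63079==    by 0x403F24D: ???
==63079==  Address 0x87eefd4ea is not stack'd, malloc'd or (recently) free'd
==63079==
==63079== 8 bytes in 1 blocks are definitely lost in loss record 1 of 3
==63079==    at 0x4C2AB80: malloc (vg_replace_malloc.c:299)
"""

if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        flag = "SEC" if e.security_sensitive else "   "
        print(f"[{flag}] {e.kind:15} {e.top_symbolised_frame}  jit_frames={e.unsymbolised_frames}")
```

Run on the sample, the two memcheck reports from the crash come back as security-sensitive while the leak record does not, which is the distinction comment 2 draws; the count of "???" frames is a quick hint that the fault path passes through JIT code, where a symbolised backtrace alone will not show the origin.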
Comment 3 • 12 years ago
Hannes: looks like a dup of bug 886266, but I'm not sure.
Updated • 12 years ago
Assignee: general → hv1989
Updated • 12 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated • 10 years ago
Group: core-security