OdinMonkey: Assertion failure: it.isBaselineJS(), at ion/IonFrames.cpp:1034 or Assertion failure: retAddr != __null, at ion/IonFrames.cpp:1012 or Crash [@ js::ion::IonFrameIterator::script] or Crash [@ containsReturnAddress]

RESOLVED DUPLICATE of bug 886266

Status


--
critical
5 years ago
3 years ago

People

(Reporter: decoder, Assigned: h4writer)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
x86_64
Linux
assertion, crash, csectype-uninitialized, sec-critical, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-central revision 76820c6dff7b (run with --ion-eager):


var lfcode = new Array();
lfcode.push("0");
lfcode.push("(function () { var f = function() { f(function () {");
lfcode.push("var { Int16Array }  = 0; schedulegc(10);");
lfcode.push("\
function coerceForeign(stdlib, foreign) {\
    \"use asm\";\
    var g = foreign.g;\
    function f() {\
        +g(0);\
        +g(1);\
        +g(2);\
    }\
    return f;\
}\
var t = coerceForeign(undefined, { g: function() function d8 (code) {} });\
t();\
");
while (true) {
  var file = lfcode.shift(); if (file == undefined) { break; }
  loadFile(file)
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                default: evaluate(lfVarx, { noScriptRval : true }); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        }
    } catch (lfVare) {}
}
(Reporter)

Comment 1

5 years ago
Created attachment 766647 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

5 years ago
The opt-crash looks s-s and it could be that an uninitialized value is involved:

==63079== Use of uninitialised value of size 8
==63079==    at 0x71AF68: js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**) (PcScriptCache-inl.h:26)
==63079==    by 0x59C7A5: JSContext::currentScript(unsigned char**, JSContext::MaybeAllowCrossCompartment) const (jscntxtinlines.h:579)
==63079==    by 0x5A7F54: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobj.cpp:1644)
==63079==    by 0x5A85C4: MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobjinlines.h:134)
==63079==    by 0x5A866F: js::DefaultValue(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) (jsobj.cpp:4673)
==63079==    by 0x598C64: js::ToNumberSlow(JSContext*, JS::Value, double*) (jsobjinlines.h:37)
==63079==    by 0x643607: ValueToNumber(JSContext*, JS::Value*) (jsapi.h:1515)
==63079==    by 0x403F24D: ???
==63079==    by 0xFFFB800006E6D23F: ???
==63079==    by 0x630EE9F: ???
==63079==    by 0x6099ACF: ???
==63079==    by 0x7FEFFDF07: ???
==63079== 
[...]
==63079== 
==63079== Invalid read of size 8
==63079==    at 0x717DB9: js::ion::IonFrameIterator::script() const (IonFrames.cpp:1579)
==63079==    by 0x717E41: js::ion::IonFrameIterator::checkInvalidation(js::ion::IonScript**) const (IonFrames.cpp:62)
==63079==    by 0x718570: _ZN2js3ion16SnapshotIteratorC2ERKNS0_16IonFrameIteratorE.constprop.217 (IonFrames.cpp:1196)
==63079==    by 0x71AA0D: js::ion::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::resetOn(js::ion::IonFrameIterator const*) (IonFrames.cpp:1232)
==63079==    by 0x71B147: js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**) (IonFrameIterator-inl.h:66)
==63079==    by 0x59C7A5: JSContext::currentScript(unsigned char**, JSContext::MaybeAllowCrossCompartment) const (jscntxtinlines.h:579)
==63079==    by 0x5A7F54: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobj.cpp:1644)
==63079==    by 0x5A85C4: MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobjinlines.h:134)
==63079==    by 0x5A866F: js::DefaultValue(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) (jsobj.cpp:4673)
==63079==    by 0x598C64: js::ToNumberSlow(JSContext*, JS::Value, double*) (jsobjinlines.h:37)
==63079==    by 0x643607: ValueToNumber(JSContext*, JS::Value*) (jsapi.h:1515)
==63079==    by 0x403F24D: ???
==63079==  Address 0x87eefd4ea is not stack'd, malloc'd or (recently) free'd


Marking s-s and sec-critical based on that. If this is not right, please change accordingly :)
Crash Signature: [@ js::ion::IonFrameIterator::script] [@ containsReturnAddress]
Keywords: crash, csec-uninitialized, sec-critical
Whiteboard: [jsbugmon:update,bisect]
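The two Valgrind reports quoted in comment 2 (an uninitialised-value use in GetPcScript, followed by an invalid read through a stack that bottoms out in unsymbolized frames) are the kind of output a triager has to read quickly. The following Python is an added example, not part of this bug or of SpiderMonkey: it parses Valgrind's `==PID==` report format into structured records and summarizes each report by error kind, the first symbolized frame, how many frames are unresolved `???` entries (in a JIT engine these are normally generated code such as Ion, Baseline or asm.js frames), and whether an invalid access hit an address Valgrind could not attribute to the stack or heap, which points at a garbage pointer rather than an off-by-one on a live buffer. The sample input is a constructed, abbreviated copy of the trace from comment 2.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the Valgrind output from comment 2.
SAMPLE = """\
==63079== Use of uninitialised value of size 8
==63079==    at 0x71AF68: js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**) (PcScriptCache-inl.h:26)
==63079==    by 0x59C7A5: JSContext::currentScript(unsigned char**, JSContext::MaybeAllowCrossCompartment) const (jscntxtinlines.h:579)
==63079==    by 0x5A7F54: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobj.cpp:1644)
==63079==    by 0x598C64: js::ToNumberSlow(JSContext*, JS::Value, double*) (jsobjinlines.h:37)
==63079==    by 0x643607: ValueToNumber(JSContext*, JS::Value*) (jsapi.h:1515)
==63079==    by 0x403F24D: ???
==63079==    by 0xFFFB800006E6D23F: ???
==63079==    by 0x630EE9F: ???
==63079==    by 0x6099ACF: ???
==63079==    by 0x7FEFFDF07: ???
==63079== 
[...]
==63079== 
==63079== Invalid read of size 8
==63079==    at 0x717DB9: js::ion::IonFrameIterator::script() const (IonFrames.cpp:1579)
==63079==    by 0x717E41: js::ion::IonFrameIterator::checkInvalidation(js::ion::IonScript**) const (IonFrames.cpp:62)
==63079==    by 0x718570: _ZN2js3ion16SnapshotIteratorC2ERKNS0_16IonFrameIteratorE.constprop.217 (IonFrames.cpp:1196)
==63079==    by 0x71B147: js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**) (IonFrameIterator-inl.h:66)
==63079==    by 0x403F24D: ???
==63079==  Address 0x87eefd4ea is not stack'd, malloc'd or (recently) free'd
"""

HEADER_RE = re.compile(r"^==(\d+)==\s?(.*)$")
FRAME_RE = re.compile(r"^(at|by)\s+(0x[0-9A-Fa-f]+):\s+(.*)$")
LOC_RE = re.compile(r"\s\(([^()]+:\d+)\)$")


@dataclass
class Frame:
    addr: int
    symbol: str
    location: Optional[str]  # "file:line", or None when Valgrind had no symbol

    @property
    def unsymbolized(self) -> bool:
        # Valgrind prints "???" for code it cannot map to a symbol; in a JIT
        # engine that is usually generated machine code rather than a stripped library.
        return self.symbol == "???"


@dataclass
class Report:
    pid: int
    kind: str                   # first line of the report, e.g. "Invalid read of size 8"
    frames: List[Frame] = field(default_factory=list)
    note: Optional[str] = None  # trailing "Address ... is not stack'd ..." line, if any


def parse_valgrind(text: str) -> List[Report]:
    """Split Valgrind's ==PID==-prefixed output into reports. Lines without the
    prefix (such as an "[...]" elision) are ignored; an empty ==PID== line
    terminates the current report."""
    reports: List[Report] = []
    current: Optional[Report] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        pid, body = int(m.group(1)), m.group(2).strip()
        if not body:
            current = None
            continue
        fm = FRAME_RE.match(body)
        if fm:
            if current is not None:  # a frame line outside any report is dropped
                symbol, location = fm.group(3), None
                lm = LOC_RE.search(symbol)
                if lm:
                    location = lm.group(1)
                    symbol = symbol[: lm.start()]
                current.frames.append(Frame(int(fm.group(2), 16), symbol, location))
        elif body.startswith("Address ") and current is not None:
            current.note = body
        else:
            current = Report(pid, body)
            reports.append(current)
    return reports


def summarize(report: Report) -> dict:
    """Triage view of one report."""
    symbolized = [f for f in report.frames if not f.unsymbolized]
    return {
        "kind": report.kind,
        # Where the checker fired inside symbolized C++ code.
        "top": f"{symbolized[0].symbol} ({symbolized[0].location})" if symbolized else None,
        # Unresolved frames: how much JIT code is on the stack below the C++ entry point.
        "jit_frames": sum(1 for f in report.frames if f.unsymbolized),
        # An invalid access to memory Valgrind cannot attribute to stack or heap
        # indicates a garbage pointer rather than an off-by-one on a live buffer.
        "wild_pointer": report.kind.startswith("Invalid")
        and report.note is not None
        and "not stack'd" in report.note,
    }


if __name__ == "__main__":
    for r in parse_valgrind(SAMPLE):
        print(summarize(r))
```

Run against the sample, the first report summarizes as an uninitialised-value use detected in GetPcScript with five unresolved frames beneath the C++ entry point, and the second as an invalid read in IonFrameIterator::script whose target address belongs to neither stack nor heap; together they say the frame walk started from a return address that was never written, which is consistent with the `retAddr != __null` assertion in the bug title.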

Comment 3

5 years ago
Hannes: looks like a dup of bug 886266, but I'm not sure.
Assignee: general → hv1989
(Assignee)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 886266
Group: core-security