898734 - Assertion failure: is<T>(), at ../jsobj.h:1003 or Crash [@ JS::LossyTwoByteCharsToNewLatin1CharsZ] when calling uint8() without arguments

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision fb48c7d58b8b (run with --fuzzing-safe --ion-eager):


uint8();

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
JS::LossyTwoByteCharsToNewLatin1CharsZ (cx=0x1629280, tbchars=...) at js/src/vm/CharacterEncoding.cpp:23
23              latin1[i] = static_cast<unsigned char>(tbchars[i]);
(gdb) bt 8
#0  JS::LossyTwoByteCharsToNewLatin1CharsZ (cx=0x1629280, tbchars=...) at js/src/vm/CharacterEncoding.cpp:23
#1  0x000000000052a967 in JS_EncodeString (cx=0x1629280, str=<optimized out>) at js/src/jsapi.cpp:6223
#2  0x000000000086f56e in js::NumericType<unsigned char>::call (cx=0x1629280, argc=<optimized out>, vp=0x7fffffffceb8) at js/src/builtin/BinaryData.cpp:397
#3  0x0000000000451449 in CallJSNative (args=..., native=<optimized out>, cx=0x1629280) at ../jscntxtinlines.h:225
#4  js::Invoke (cx=0x1629280, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:486
#5  0x0000000000451cd4 in js::Invoke (cx=0x1629280, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:536
#6  0x0000000000689824 in js::ion::DoCallFallback (cx=0x1629280, frame=0x7fffffffd248, stub=0x164ac40, argc=0, vp=0x7fffffffd200, res=...) at js/src/ion/BaselineIC.cpp:7051
#7  0x00007ffff6bc6e96 in ?? ()
(More stack frames follow...)
(gdb) x /i $pc
=> 0x41e013 <JS::LossyTwoByteCharsToNewLatin1CharsZ(js::ThreadSafeContext*, JS::TwoByteChars)+83>:      movzwl 0x0(%rbp,%rcx,2),%ecx
(gdb) info reg ebp rcx ecx
ebp            0xf6954040       -157990848
rcx            0xd5fe0  876512
ecx            0xd5fe0  876512



It looks like this is caused by the error reporting when the uint8() function is called without parameters. If that function is available in the browser, then this could be sec-high. If this is a shell-only testing function, please remove the security rating.

Comment 3

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 4

[Christian Holler (:decoder)]

uint16() also crashes, updated the attached crash signature to match that as well.

Comment 5

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/2aa4435cd798
user:        Nikhil Marathe
date:        Thu Jul 25 17:58:50 2013 -0700
summary:     Bug 578700 - Numeric types implementation. r=nmatsakis

This iteration took 353.268 seconds to run.

Comment 6

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

I'm waiting to land 898661 so that all these bugs don't block a release.

Comment 7

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

Attachment: Fix segfault in error handling.

Comment 8

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b8c7acba4b40).

Comment 9

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/4e20058bb808

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/4e20058bb808

Comment 11

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.