Closed Bug 919949 Opened 11 years ago Closed 11 years ago

Assertion failure: hasScript(), at ../../jsfun.h:299 or Crash [@ JSScript::markChildren]

Product/Component: Core :: JavaScript Engine (defect)
Platform: x86 Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 919140
Reporter: decoder; Assignee: Unassigned
Details: 4 keywords
Attachments: 2 files

The following testcase asserts on mozilla-central revision 1fda74e33e06 (threadsafe build, run with --fuzzing-safe --ion-eager --thread-count=2 --ion-parallel-compile=on):


// Fuzzer-generated reproducer. gczeal() and evaluate() are JS shell test
// functions; Array.buildPar is the (Nightly-only) Parallel JS API.
var lfcode = new Array();
lfcode.push("function $ERROR(message) { if ( !isFinite(year) || !isFinite(month) || !isFinite(date)) {  } }");
lfcode.push("gczeal(4);");
lfcode.push("function iterate(x) { while (x == 2046) $ERROR('');}try { Array.buildPar(2048, iterate); } catch(exc1) {}");
lfcode.push("gczeal(4,10);");
lfcode.push("function $ERROR(message) { if ( !isFinite(year) || !isFinite(month) || !isFinite(date)) {  }}");
var lfRunTypeId = -1;
// Evaluate each fragment in turn in the same global scope.
while (true) {
    var file = lfcode.shift();
    if (file == undefined) { break; }
    loadFile(file);
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js") {
            switch (lfRunTypeId) {
                default: evaluate(lfVarx, { noScriptRval : true }); break;
            }
        }
    } catch (lfVare) {}
}
any idea on a regression range?
Keywords: sec-high
(In reply to Daniel Veditz [:dveditz] from comment #2)
> any idea on a regression range?

This would require a manual bisection with a threadsafe build which JSBugMon doesn't support. Maybe gkw can help with that?
Flags: needinfo?(gary)
This sounds like a problem linked to the lazy JSOP_LAMBDA compilations, where we might access a script from another thread. Does Bug 901178's last patch (adding assertions) catch anything here?
Flags: needinfo?(bhackett1024)
Decoder, can you attach a stack?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/72681e08a35d
user:        Brian Hackett
date:        Fri Sep 20 07:43:46 2013 -0600
summary:     Bug 918116 - Don't delazify scripts during Ion compilation, r=jandem.

Brian, is bug 918116 a likely cause?
Blocks: 918116
Flags: needinfo?(gary)
Keywords: regression
I can't reproduce, but this should be trivial to figure out if someone attaches a stack.
Needinfoing for a stack.
Flags: needinfo?(gary)
Flags: needinfo?(choller)
Attached file stack
I've attached the stack from m-c rev a2c31dc69ab3.
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/732581f15f34
user:        Brian Hackett
date:        Wed Sep 25 13:14:21 2013 -0600
summary:     Bug 919140 - Watch for lazy scripts in AddPossibleCallees, r=jandem.

However, bug 919140 may have fixed this - does this seem possible?
Flags: needinfo?(choller)
Yeah, this bug is fixed (and was never a security risk, as it depends on PJS).
Group: core-security
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Keywords: sec-high
(In reply to Brian Hackett (:bhackett) from comment #11)
> Yeah, this bug is fixed (and was never a security risk, as it depends on
> PJS).

What exactly does it depend on that's not yet shipped? I thought parallel compilation was on by default by now.
(In reply to Christian Holler (:decoder) from comment #13)
> (In reply to Brian Hackett (:bhackett) from comment #11)
> > Yeah, this bug is fixed (and was never a security risk, as it depends on
> > PJS).
> 
> What exactly does it depend on that's not yet shipped? I thought parallel
> compilation was on by default by now.

Parallel JS, which is activated by the call to Array.buildPar, is I think only turned on in nightlies and is separate from parallel compilation (which is on by default everywhere).
Nightly-only security bugs are still tracked as security-sensitive bugs.
Re-adding the security rating, but leaving the bug open now because only nightlies were affected and the bug is fixed there.
Keywords: sec-high