Closed
Bug 926431
Opened 12 years ago
Closed 12 years ago
Assertion failure: isObject(), at js/Value.h:1129 with ASM.js and clone
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla28
People
(Reporter: decoder, Assigned: bbouvier)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(3 files)
The following testcase asserts on mozilla-central revision 211337f7fb83 (threadsafe build, run with --fuzzing-safe):
var g = newGlobal();
function cloneableFunction(body) {
'use asm';
function _main() {}
return _main;
}
g.f = cloneableFunction('return function(x) { return x };');
g.eval("clone(f)()")
Comment 1 (Reporter)•12 years ago
Comment 2 (Reporter)•12 years ago
This test uses the shell-only function "clone" which was once a known-unsafe function. If this function is still the only problem here, then please add it to the fuzzing-unsafe list to avoid this problem in the future.
Needinfo from Luke because this seems to involve asm.js.
Flags: needinfo?(luke)
Whiteboard: [jsbugmon:update,bisect]
Comment 3•12 years ago
Yes, cloning asm.js functions isn't allowed. This is prevented in normal browsing by only doing asm.js compilation for compile-and-go code (which can't be cloned), but the shell clone() function clones anyway, so it should be in the fuzzing-unsafe list.
Flags: needinfo?(luke)
Updated (Reporter)•12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 4 (Reporter)•12 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/b3d85b68449d
user: Luke Wagner
date: Fri Mar 15 02:29:02 2013 -0700
summary: Bug 840282 - OdinMonkey (sr=dmandelin)
This iteration took 163.127 seconds to run.
Comment 5 (Assignee)•12 years ago
Comment 6•12 years ago
Attachment #828163 -
Flags: review?(luke) → review+
Updated (Assignee)•12 years ago
Keywords: checkin-needed
Comment 7•12 years ago
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment 9•11 years ago
Tested on Ubuntu 13.04 32bit with Firefox 28:
- 11/01 JS Shell -> ../test926431.js:warning: successfully compiled asm.js code (total compilation time 0ms)
Assertion failure: isObject(), at ../../dist/include/js/Value.h:1128
Segmentation fault (core dumped)
- 02/04 JS Shell -> ../test926431.js:warning: successfully compiled asm.js code (total compilation time 0ms)
Assertion failure: isObject(), at ../../dist/include/js/Value.h:1124
Segmentation fault (core dumped)
It seems this bug is still reproducible.
Keywords: verifyme
Updated•11 years ago
Flags: needinfo?(benj)
Comment 10 (Assignee)•11 years ago
According to comment 4 and the patch that landed for this test case (disallowing fuzzers from using clone()), this cannot happen in the browser, as cloning asm.js functions can't happen.
Comment 11 (Reporter)•11 years ago
(In reply to Ioana Budnar, QA [:ioana] from comment #9)
> It seems this bug is still reproducible.
It should not be reproducible with --fuzzing-safe. That's the change that we made in the patch, so we can't hit this bug anymore :)
Comment 12•11 years ago
(In reply to Christian Holler (:decoder) from comment #11)
> (In reply to Ioana Budnar, QA [:ioana] from comment #9)
> > It seems this bug is still reproducible.
>
> It should not be reproducible with --fuzzing-safe. That's the change that we
> made in the patch, so we can't hit this bug anymore :)
I got those results with --fuzzing-safe (didn't think to mention it since comment 0 already specified that the testcase had to be run with this option).
Comment 13 (Reporter)•11 years ago
(In reply to Ioana Budnar, QA [:ioana] from comment #12)
> I got those results with --fuzzing-safe (didn't think to mention it since
> comment 0 already specified that the testcase had to be run with this
> option).
That is strange. I just ran the test with --fuzzing-safe and I get:
min.js:8:0 ReferenceError: clone is not defined
That's exactly what would be expected. Without --fuzzing-safe, I get the crash. Can you double check that you didn't forget that flag?
Comment 14•11 years ago
Re-did both runs (js...686-buggy is the 10/31 shell, js..686 is the 02/04 beta shell) and took a screenshot to make this go easier.
Comment 15•11 years ago
Gave it a try with the 02/05 Nightly shell and I get the same:
Assertion failure: isObject(), at ../../../../dist/include/js/Value.h:1124
Segmentation fault (core dumped)
Ran it with --fuzzing-safe here too.
Comment 16•11 years ago
FWIW, if I run this test without the flag, I get the exact same thing (no crash, just the assertion) on all versions.
Updated•11 years ago
status-firefox28:
--- → affected
status-firefox30:
--- → affected
tracking-firefox28:
--- → +
tracking-firefox30:
--- → +
Comment 17•11 years ago
Ioana, the flag should be inserted after the name of the js binary but before the name of testcase:
$ ./js-dbg-64-ts-er-darwin-262e73a6b7cd 926431.js
926431.js:warning: Successfully compiled asm.js code (total compilation time 13ms; not stored in cache)
Assertion failure: isObject(), at ../../../dist/include/js/Value.h:1124
Segmentation fault: 11
$ ./js-dbg-64-ts-er-darwin-262e73a6b7cd --fuzzing-safe 926431.js
926431.js:warning: Successfully compiled asm.js code (total compilation time 0ms; not stored in cache)
926431.js line 8 > eval:1:0 ReferenceError: clone is not defined
Please retry, and the status flags should also be revised as necessary.
Flags: needinfo?(ioana.budnar)
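The confusion in comments 9 through 17 comes down to reading shell output: the same assertion is reported at Value.h:1129, :1128 and :1124 with different "../" prefixes depending on the build, while a correct --fuzzing-safe run ends in a ReferenceError instead. The following triage helper is an added example, not part of this bug or of the SpiderMonkey tree; it buckets shell runs by a signature that ignores the source line number and the objdir-relative path prefix, so the three assertion outputs land in one bucket and the two --fuzzing-safe outputs in another. The run names and the output strings are constructed here, modelled on the lines quoted in the comments above.

```python
import re
from collections import defaultdict

# Constructed sample outputs, modelled on the shell runs quoted in this bug:
# the same assertion with different Value.h line numbers and relative path
# prefixes across builds, plus --fuzzing-safe runs where clone() is undefined.
# The run names are made up for this example.
SAMPLE_RUNS = {
    "shell-2013-10-31": (
        "926431.js:warning: Successfully compiled asm.js code (total compilation time 0ms)\n"
        "Assertion failure: isObject(), at ../../dist/include/js/Value.h:1128\n"
        "Segmentation fault (core dumped)\n"
    ),
    "shell-2014-02-04": (
        "926431.js:warning: Successfully compiled asm.js code (total compilation time 0ms)\n"
        "Assertion failure: isObject(), at ../../../../dist/include/js/Value.h:1124\n"
        "Segmentation fault (core dumped)\n"
    ),
    "shell-m-c": (
        "Assertion failure: isObject(), at js/Value.h:1129\n"
        "Segmentation fault: 11\n"
    ),
    "shell-2014-02-04-fuzzing-safe": (
        "926431.js:warning: Successfully compiled asm.js code (total compilation time 0ms; not stored in cache)\n"
        "926431.js line 8 > eval:1:0 ReferenceError: clone is not defined\n"
    ),
    "shell-min-fuzzing-safe": (
        "min.js:8:0 ReferenceError: clone is not defined\n"
    ),
}

# Debug-build assertion line: "Assertion failure: <cond>, at <path>:<line>"
ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+), at (?P<path>\S+):(?P<line>\d+)$")
# Any uncaught JS error, whatever location prefix the shell prints before it.
JS_ERROR_RE = re.compile(r"(?P<kind>[A-Za-z]+Error): (?P<msg>.+)$")
SEGV_RE = re.compile(r"^Segmentation fault")


def normalize_path(path):
    """Drop objdir-relative prefixes so one header buckets identically across
    builds: '../../dist/include/js/Value.h' -> 'js/Value.h'."""
    path = re.sub(r"^(\.\./)+", "", path)
    return re.sub(r"^dist/include/", "", path)


def parse_run(output):
    """Classify one shell run from its combined stdout/stderr text.

    'kind' is one of 'assertion', 'js_error', 'crash', 'clean'. The signature
    deliberately omits the source line number, because the same assertion
    moves between lines (1129, 1128, 1124 in this bug) as the header is edited.
    """
    result = {"kind": "clean", "signature": None, "line": None, "segv": False}
    for raw in output.splitlines():
        line = raw.strip()
        m = ASSERT_RE.match(line)
        if m:
            result.update(
                kind="assertion",
                signature=f"{m['cond']} @ {normalize_path(m['path'])}",
                line=int(m["line"]),
            )
            continue
        if SEGV_RE.match(line):
            result["segv"] = True
            continue
        m = JS_ERROR_RE.search(line)
        if m and result["kind"] == "clean":
            result.update(kind="js_error", signature=f"{m['kind']}: {m['msg']}")
    # A segfault with no assertion text is a crash worth its own bucket.
    if result["kind"] == "clean" and result["segv"]:
        result.update(kind="crash", signature="SIGSEGV (no assertion)")
    return result


def bucket_runs(runs):
    """Group run names by (kind, signature): one bucket per distinct failure."""
    buckets = defaultdict(list)
    for name, output in runs.items():
        r = parse_run(output)
        buckets[(r["kind"], r["signature"])].append(name)
    return dict(buckets)


if __name__ == "__main__":
    for (kind, sig), names in bucket_runs(SAMPLE_RUNS).items():
        print(f"{kind:10} {sig}")
        for n in names:
            print(f"    {n}")
```

Keeping the line number out of the signature is what lets a triager see at a glance that comments 9, 15 and 17 describe one bug rather than three, and that a ReferenceError for clone is the expected outcome once --fuzzing-safe is actually in effect.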
Comment 18•11 years ago
With the status flag positioned as you specified I get "../test926431.js:8:0 ReferenceError: clone is not defined", so no more assertion. I tested with the beta and nightly js shells.
Flags: needinfo?(ioana.budnar)
Comment 19•11 years ago
Benjamin - what's left to do here? This looks to have been fixed on FF28 already in comment 8 and Ioana looks to have cleared up the confusion about whether this was still reproducible.
Flags: needinfo?(benj)
Comment 20 (Assignee)•11 years ago
There is nothing left to do here.
The test case in comment 0 cannot be reproduced in any browser build, as this is prevented upfront. This was only a problem in the shell, which fuzzers use to find bugs. The fix was just to prevent fuzzers from calling the guilty function (see also comment 3).
Flags: needinfo?(benj)
Updated•11 years ago
status-firefox29:
affected → ---
status-firefox30:
affected → ---
tracking-firefox29:
+ → ---
tracking-firefox30:
+ → ---