Crash [@ js::jit::IonBuilder::jsop_rest] or [@ JSObject::updateSlotsForSpan] or Assertion failure: templateObject->is<ArrayObject>(), at jit/IonBuilder.cpp or Assertion failure: !templateObject->getDenseInitializedLength(), at jit/IonMacroAssembler.cpp

RESOLVED DUPLICATE of bug 936004

Status


Core
JavaScript Engine: JIT
--
critical
4 years ago
a year ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86_64
Mac OS X
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox25 unaffected, firefox26 unaffected, firefox27 unaffected, firefox28 affected, firefox-esr17 unaffected, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 unaffected)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Created attachment 829096 [details]
stack without symbols

function f(...x)(gcPreserveCode())
{}
([0].some(f))
for (var x = f in 7);
for (e in schedulegc(7))
function s() {}
new(x)

crashes js debug shell on m-c changeset 9cd9aae255b5 with --baseline-eager at js::jit::IonBuilder::jsop_rest.

A variant (with a similar stack) asserts at Assertion failure: templateObject->is<ArrayObject>(), at jit/IonBuilder.cpp:

function window(u, ...x) {}
let(c = gcPreserveCode()) {}
([0].some(window, 8));
for (var x = window in 7)
s;
for (e in schedulegc(7))
function s() {};
new(x)()

Yet another variant (which I'll comment soon) asserts at Assertion failure: !templateObject->getDenseInitializedLength(), at jit/IonMacroAssembler.cpp

Tested with:

https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1383872900/jsshell-mac64.zip

which I presume is a 64-bit debug non-deterministic threadsafe build.
(Reporter)

Comment 1

4 years ago
(not-so-well-reduced, but this assertion testcase was starting to mutate to a crash-only testcase)

function f(code) {
    try {
        eval(code);
    } catch (e) {}
};
f("\
    function f0()((function() {\
        return {\
            or: function(ne) {},\
        }\
    }));\
    t1 = Int32Array(3);\
    g1 = p1 = ParallelArray(t1);\
    for (rdaxbi = 0; rdaxbi < 9; ++rdaxbi) {\
        if (rdaxbi == 21) {} else {\
            a2 = p1.shape;\
        }\
    }\
    o2 = 1;\
    for (p in g1) b2 = new ArrayBuffer(56);\
    a2[9] = a2[1] = (4277);\
    gcPreserveCode();\
    o0 = Object.create({});\
    p1 = p1.flatten();\
    m0 = wrapWithProto(p1, o0);\
    m0.get(b2);\
    p(schedulegc(2));\
");
f("\
    p1 + o2;\
")

Assertion failure: !templateObject->getDenseInitializedLength(), at jit/IonMacroAssembler.cpp
(Reporter)

Comment 2

4 years ago
This was set as a fuzzblocker because it occurs very often and mutates signatures (crash or assertion names).
(Reporter)

Updated

4 years ago
Group: core-security
(Reporter)

Comment 3

4 years ago
Created attachment 829102 [details]
opt stack

Testcase in comment 1 seems to access weird memory address 0xfff9000000000000.
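Added triage example (not part of this bug report or of SpiderMonkey's own code): the faulting address in comment 3 decoded against SpiderMonkey's 64-bit "punboxed" Value layout. In that layout the top 17 bits of a word form a tag (shift 47); tags up to 0x1FFF0 are IEEE doubles and higher tags carry a JS type in their low 4 bits, with int32 = 1 and undefined = 2. Under that layout 0xfff9000000000000 is exactly the bit pattern of the boxed `undefined` value and is also a non-canonical x86_64 address, which is why dereferencing it faults. Other type numbers are reported only by tag here because their assignments have changed between engine versions; the helper names are this example's own.

```c
/* Classify a 64-bit word under SpiderMonkey's punboxed Value layout so a
 * crash triager can tell a heap pointer from a boxed JS value.
 * Constants below are the stable parts of that layout; helper names are ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JSVAL_TAG_SHIFT      47
#define JSVAL_TAG_MAX_DOUBLE 0x1FFF0u   /* largest tag still occupied by a double (a NaN) */
#define JSVAL_TYPE_INT32     0x01       /* low 4 bits of the tag for int32 */
#define JSVAL_TYPE_UNDEFINED 0x02       /* low 4 bits of the tag for undefined */

/* Bit pattern of the boxed `undefined` value: tag 0x1FFF2 placed at bit 47. */
#define JSVAL_SHIFTED_TAG_UNDEFINED 0xFFF9000000000000ULL

static uint32_t jsval_tag(uint64_t word) {
    return (uint32_t)(word >> JSVAL_TAG_SHIFT);
}

/* Human-readable class of the word. Types other than int32/undefined are
 * reported generically because their numbering varies between releases
 * (an assumption about what is stable, not a statement of engine API). */
const char *describe_word(uint64_t word) {
    uint32_t tag = jsval_tag(word);
    if (tag <= JSVAL_TAG_MAX_DOUBLE)
        return "double";
    switch (tag & 0xF) {
    case JSVAL_TYPE_INT32:     return "int32";
    case JSVAL_TYPE_UNDEFINED: return "undefined";
    default:                   return "other boxed type";
    }
}

/* Payload of a boxed int32 (low 32 bits); only meaningful when
 * describe_word() returns "int32". */
int32_t boxed_int32_payload(uint64_t word) {
    return (int32_t)(word & 0xFFFFFFFFu);
}

/* True when the word is exactly the boxed `undefined` value. */
int is_boxed_undefined(uint64_t word) {
    return word == JSVAL_SHIFTED_TAG_UNDEFINED;
}

/* x86_64 user-space addresses are canonical only with the top 17 bits clear;
 * a boxed Value never satisfies this, so it cannot be a valid heap pointer. */
int is_canonical_user_address(uint64_t word) {
    return (word >> JSVAL_TAG_SHIFT) == 0;
}

int main(void) {
    uint64_t fault = 0xFFF9000000000000ULL;   /* address reported in comment 3 */
    printf("0x%016llx: %s, boxed undefined=%d, canonical user address=%d\n",
           (unsigned long long)fault, describe_word(fault),
           is_boxed_undefined(fault), is_canonical_user_address(fault));
    return 0;
}
```

Reading the fault address this way turns "weird memory address" into a concrete hypothesis for triage: some code path treated a JS Value holding `undefined` as if it were an object pointer, which matches the template-object assertions in the summary.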
(Reporter)

Updated

4 years ago
Crash Signature: [@ js::jit::IonBuilder::jsop_rest] [@ JSObject::updateSlotsForSpan]
Summary: Crash [@ js::jit::IonBuilder::jsop_rest] or Assertion failure: templateObject->is<ArrayObject>(), at jit/IonBuilder.cpp or Assertion failure: !templateObject->getDenseInitializedLength(), at jit/IonMacroAssembler.cpp → Crash [@ js::jit::IonBuilder::jsop_rest] or [@ JSObject::updateSlotsForSpan] or Assertion failure: templateObject->is<ArrayObject>(), at jit/IonBuilder.cpp or Assertion failure: !templateObject->getDenseInitializedLength(), at jit/IonMacroAssembler.cpp
(Reporter)

Updated

4 years ago
status-firefox28: --- → affected
tracking-firefox28: --- → ?
Crash Signature: [@ js::jit::IonBuilder::jsop_rest] [@ JSObject::updateSlotsForSpan] → [@ js::jit::IonBuilder::jsop_rest] [@ JSObject::updateSlotsForSpan]
Whiteboard: [fuzzblocker][jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/3f88f1e41372
user:        Brian Hackett
date:        Tue Nov 05 17:54:29 2013 -0800
summary:     Bug 935027 - Don't create 'rest' template objects in IonBuilder, r=jandem.

This iteration took 364.221 seconds to run.
(Reporter)

Comment 5

4 years ago
Brian, is bug 935027 a likely regressor?
Blocks: 935027
Crash Signature: [@ js::jit::IonBuilder::jsop_rest] [@ JSObject::updateSlotsForSpan] → [@ js::jit::IonBuilder::jsop_rest] [@ JSObject::updateSlotsForSpan]
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-firefox25: --- → unaffected
status-firefox26: --- → unaffected
status-firefox27: --- → unaffected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Flags: needinfo?(bhackett1024)
(Reporter)

Updated

4 years ago
Keywords: crash
Very likely a dup of bug 936004.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Duplicate of bug: 936004
(Reporter)

Updated

4 years ago
Flags: in-testsuite?
(Reporter)

Updated

4 years ago
Component: JavaScript Engine → JavaScript Engine: JIT
tracking-firefox28: ? → ---

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release