Closed
Bug 1673220
Opened 5 years ago
Closed 5 years ago
Assertion failure: data->nfixed() <= AbstractGeneratorObject::FixedSlotLimit, at vm/JSScript-inl.h:185 with asm.js      
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 1673080
| | Tracking | Status |
|---|---|---|
| firefox84 | --- | affected |
People: Reporter: gkw, Unassigned
References: Blocks 1 open bug, Regression
Details: Keywords: regression, reporter-external, testcase
Attachments (1 file): 4.76 KB, text/plain
See testcase.
```
(gdb) bt
Assertion failure: data->nfixed() <= AbstractGeneratorObject::FixedSlotLimit, at /home/skygentoo/trees/mozilla-central/js/src/vm/JSScript-inl.h:185
Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
js::BaseScript::initSharedData (this=<optimized out>, data=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSScript-inl.h:184
184	  MOZ_ASSERT_IF(isGenerator() || isAsync(),
(gdb) bt
#0  js::BaseScript::initSharedData (this=<optimized out>, data=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSScript-inl.h:184
#1  JSScript::fullyInitFromStencil (cx=0x7ffff6927000, compilationInfo=..., gcOutput=..., script=..., scriptStencil=..., fun=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSScript.cpp:3810
#2  0x00005555575edab8 in JSScript::fromStencil (cx=0x7ffff6927000, compilationInfo=..., gcOutput=..., scriptStencil=..., fun=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSScript.cpp:3867
#3  0x0000555557b4991d in InstantiateScriptStencils (cx=0x7ffff6927000, compilationInfo=..., gcOutput=...) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Stencil.cpp:415
#4  js::frontend::CompilationInfo::instantiateStencils (this=<optimized out>, cx=<optimized out>, gcOutput=...) at /home/skygentoo/trees/mozilla-central/js/src/frontend/Stencil.cpp:687
#5  0x0000555557ac712d in js::frontend::InstantiateStencils (cx=0x7ffff6927000, compilationInfo=..., gcOutput=...) at /home/skygentoo/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:330
#6  0x0000555557ac8217 in CompileGlobalScriptImpl<mozilla::Utf8Unit> (cx=<optimized out>, options=..., srcBuf=..., scopeKind=js::ScopeKind::Global) at /home/skygentoo/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:396
#7  js::frontend::CompileGlobalScript (cx=<optimized out>, options=..., srcBuf=..., scopeKind=js::ScopeKind::Global) at /home/skygentoo/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:412
#8  0x0000555557481e54 in JS::CompileUtf8File (cx=0x7ffff6927000, options=..., file=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:164
#9  0x0000555557206216 in RunFile (cx=0x7ffff6927000, filename=0x7fffffffde10 "w125-reduced.js", file=0x7ffff7757100, compileMethod=CompileUtf8::DontInflate, compileOnly=false) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:929
#10 0x0000555557205b8d in Process (cx=0x7ffff6927000, filename=<optimized out>, forceTTY=false, kind=FileScript) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1564
#11 0x00005555571cd316 in ProcessArgs (cx=<optimized out>, op=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:10367
#12 Shell (cx=0x7ffff6927000, op=<optimized out>, envp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11071
#13 0x00005555571c5da9 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11844
(gdb)
```
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8c9b3722eb05
user:        Jason Orendorff
date:        Wed Oct 21 20:13:35 2020 +0000
summary:     Bug 1671762 - Fix a broken assertion: nfixed <= GeneratorObject::FixedSlotLimit. r=tcampbell
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 2df411f95780.
Not sure if this is s-s, I'd leave it to Jason/Ted.
Flags: sec-bounty?
Flags: needinfo?(jorendorff)
Comment 1 • 5 years ago (Reporter)

Comment 2 • 5 years ago
This is the same bug as Bug 1673080. The "use asm"; block causes syntax-only parsing to stop for the code after it. (I used the --code-coverage argument to achieve the same effect.) I don't think we have a conclusion on whether this is a security issue or just a perf impact.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Updated • 5 years ago
Group: core-security
Flags: sec-bounty? → sec-bounty-
Updated • 5 years ago
Has Regression Range: --- → yes
Updated • 1 year ago (Reporter)
Blocks: gkw-js-fuzzing
Updated • 1 year ago
Keywords: reporter-external