Assertion failure: data_ (Script doesn't seem to be compiled), at vm/JSScript.cpp:709 or Crash [@ js::frontend::DelazifyCanonicalScriptedFunction]
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking

Release | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox89 | --- | disabled
firefox90 | --- | disabled
firefox91 | --- | verified
People
(Reporter: decoder, Assigned: arai)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210704-2db6a4941022 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
```js
// SpiderMonkey shell testcase. compileToStencil() and evalStencil() are
// shell-only testing functions, not part of the standard JS API.
function testMainThread(script_str) {
  // Compile the source to a stencil with empty options.
  stencil = compileToStencil(script_str, {});
  // Instantiate and run the stencil with forceFullParse set.
  evalStencil(stencil, { forceFullParse: true });
}
testMainThread(`
function f() {}
f()
`);
```
Backtrace:
```
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556f41514 in js::BaseScript::enclosingScope() const ()
#1 0x00005555573e139e in js::frontend::CompilationInput::initFromLazy(js::BaseScript*, js::ScriptSource*) ()
#2 0x00005555573aae85 in js::frontend::DelazifyCanonicalScriptedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#3 0x0000555556ef8cc7 in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#4 0x0000555556aa1e83 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#5 0x0000555556ef8c97 in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#6 0x0000555556aa1e83 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#7 0x0000555556be7176 in Interpret(JSContext*, js::RunState&) ()
#8 0x0000555556bdea51 in js::RunScript(JSContext*, js::RunState&) ()
#9 0x0000555556bf4876 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#10 0x0000555556bf4da4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#11 0x0000555556dd603f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556dd5e5c in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#13 0x000055555717e265 in EvalStencil(JSContext*, unsigned int, JS::Value*) ()
#14 0x0000555556bf25d1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#26 0x0000555556a5d902 in main ()
rax 0x55555572859d 93824994149789
rbx 0x7fffffffa4e8 140737488332008
rcx 0x5555580e27d8 93825037903832
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffa3d0 140737488331728
rsp 0x7fffffffa3c0 140737488331712
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7ffff4e29af0 140737301879536
r13 0x7ffff6019000 140737320685568
r14 0x1f61e09b040 2156577534016
r15 0x555558068fd0 93825037406160
rip 0x555556f41514 <js::BaseScript::enclosingScope() const+260>
=> 0x555556f41514 <_ZNK2js10BaseScript14enclosingScopeEv+260>: movl $0x2c5,0x0
0x555556f4151f <_ZNK2js10BaseScript14enclosingScopeEv+271>: callq 0x555556ae965a <abort>
```
Comment 2 (Reporter decoder) • 3 years ago

On ASan, this also asserts as:

```
Assertion failure: idx < storage_.size(), at dist/include/mozilla/Span.h:713
```
Comment 3 • 3 years ago

Arai, could you take a look at this bug? We thought it might be related to work you did recently.
Comment 4 • 3 years ago

(decoder mentioned this is a fuzzblocker with different signatures)
Comment 5 (Assignee arai) • 3 years ago

Depends on D119294
Comment 7 (bugherder) • 3 years ago
Comment 8 • 3 years ago

Bugmon Analysis

Verified bug as fixed on rev mozilla-central 20210708154614-ab46ef66acce.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 9 • 2 years ago

:arai, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.