Closed Bug 1822710 Opened 2 years ago Closed 1 years ago

Assertion failure: totalPathsRecorded < totalMaxPathsToRecord, at js/UbiNodeShortestPaths.h:112

Categories

(Core :: JavaScript: GC, defect, P2)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox116 --- fixed

People

(Reporter: lukas.bernhard, Assigned: sfink)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Bug 1822710 - Check shortestPaths max paths value
(deleted), text/x-phabricator-request
Details

Steps to reproduce:

On git commit 8ed22fcd56968c95a73a6c82b42f732f01a4bdae the attached sample asserts in the js shell with the following stack trace when invoked via obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

#0  JS::ubi::ShortestPaths::Handler::operator() (this=0x7fffffffd008, traversal=..., origin=..., edge=..., back=back@entry=0x7fffffffcf88, 
    first=true) at obj-x86_64-pc-linux-gnu/dist/include/js/UbiNodeShortestPaths.h:112
#1  0x0000555557510074 in JS::ubi::BreadthFirst<JS::ubi::ShortestPaths::Handler>::traverse (this=this@entry=0x7fffffffd020)
    at obj-x86_64-pc-linux-gnu/dist/include/js/UbiNodeBreadthFirst.h:158
#2  0x00005555574a2d20 in JS::ubi::ShortestPaths::Create (cx=<optimized out>, noGC=..., maxNumPaths=1073741824, root=..., targets=...)
    at obj-x86_64-pc-linux-gnu/dist/include/js/UbiNodeShortestPaths.h:254
#3  0x00005555575a91b7 in ShortestPaths (cx=0x1, cx@entry=0x7ffff7435c00, argc=<optimized out>, vp=<optimized out>)
    at js/src/builtin/TestingFunctions.cpp:6085
#4  0x0000555556ec45d4 in CallJSNative (cx=cx@entry=0x7ffff7435c00, 
    native=native@entry=0x5555575a87f0 <ShortestPaths(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, 
    args=...) at js/src/vm/Interpreter.cpp:459
#5  0x0000555556ec399e in js::InternalCallOrConstruct (cx=0x7ffff7435c00, 
    cx@entry=0x5555589093c0 <Interpret(JSContext*, js::RunState&)::addresses>, args=..., construct=construct@entry=js::NO_CONSTRUCT, 
    reason=js::CallReason::Call, reason@entry=4294967286) at js/src/vm/Interpreter.cpp:553
#6  0x0000555556ec5706 in InternalCall (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, args=..., reason=1497932848)
    at js/src/vm/Interpreter.cpp:620
#7  0x0000555556eb709a in js::CallFromStack (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, cx@entry=0xffff800000000000, args=..., 
    reason=<optimized out>) at js/src/vm/Interpreter.cpp:625
#8  Interpret (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, cx@entry=0x7ffff7435c00, state=...)
    at js/src/vm/Interpreter.cpp:3368
#9  0x0000555556eaa015 in js::RunScript (cx=cx@entry=0x7ffff7435c00, state=...) at js/src/vm/Interpreter.cpp:431
#10 0x0000555556ec7762 in js::ExecuteKernel (cx=cx@entry=0x7ffff7435c00, script=script@entry=..., envChainArg=envChainArg@entry=..., 
    evalInFrame=evalInFrame@entry=..., result=...) at js/src/vm/Interpreter.cpp:818
#11 0x0000555556ec7e11 in js::Execute (cx=cx@entry=0x7ffff7435c00, script=script@entry=..., envChain=..., rval=rval@entry=...)
    at js/src/vm/Interpreter.cpp:850
#12 0x0000555557075b26 in ExecuteScript (cx=cx@entry=0x7ffff7435c00, envChain=..., script=..., rval=rval@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:472
#13 0x0000555557075e00 in JS_ExecuteScript (cx=cx@entry=0x7ffff7435c00, scriptArg=scriptArg@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:496
#14 0x0000555556de02b0 in RunFile (cx=0x7ffff7435c00, filename=0x7fffffffea61 "crash_2023_03_15.js", file=<optimized out>, 
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=<optimized out>) at js/src/shell/js.cpp:1098
#15 0x0000555556ddf755 in Process (cx=cx@entry=0x7ffff7435c00, filename=0x1 <error: Cannot access memory at address 0x1>, forceTTY=false, 
    kind=kind@entry=FileScript) at js/src/shell/js.cpp:1697
#16 0x0000555556da12ef in ProcessArgs (cx=0x7ffff7435c00, op=0x7fffffffe428) at js/src/shell/js.cpp:10577
#17 Shell (cx=0x7ffff7435c00, op=op@entry=0x7fffffffe428) at js/src/shell/js.cpp:10801
#18 0x0000555556d9add7 in main (argc=<optimized out>, argv=<optimized out>) at js/src/shell/js.cpp:11233

let v0 = 1073741824;
SharedArrayBuffer.maxNumPaths = v0;
for (const v2 in SharedArrayBuffer) {
    v0 = v2;
}
function f3(a4, a5, a6, ...a7) {
    this.shortestPaths(a7, SharedArrayBuffer);
    return a4;
}
function f10(a11) {
    return a11;
}
class C12 extends f10 {
}
f3(SharedArrayBuffer, -1, f10, C12, v0, f10, f3);
Blocks: l11d-js-fuzzing
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Blocks: GC.stability
Severity: -- → S4
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
Priority: -- → P2

I don't see how that could be related.

Flags: needinfo?(jcoppeard)
Assignee: nobody → sphink
Status: NEW → ASSIGNED

First, this will no longer reproduce with --fuzzing-safe since we disabled shortestPaths for fuzzing.

Second, this was just a problem with integer overflow. A max paths of 1073741824 is too large. When multiplied by the number of targets (4, here) it wrapped around to 0 and triggered the assert.

Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/34c52f424910 Check shortestPaths max paths value r=spidermonkey-reviewers,iain
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/268cf2945e40 Check shortestPaths max paths value r=spidermonkey-reviewers,iain
Flags: needinfo?(sphink)

https://hg.mozilla.org/mozilla-central/rev/268cf2945e40

Status: ASSIGNED → RESOLVED
Closed: 1 years ago
status-firefox116: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: