Closed Bug 1089761 Opened 10 years ago Closed 10 years ago

Assertion failure: data.s.payload.why == why, at dist/include/js/Value.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla36
Tracking Flags:
Tracking Status
firefox33 --- unaffected
firefox34 --- unaffected
firefox35 --- fixed
firefox36 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: gkw, Assigned: shu)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(4 files)

stack
3.97 KB, text/plain
Details
Initialize lexicals to throw on touch on CallObject templates.
3.27 KB, patch
jandem
: review+
Details | Diff | Splinter Review
Initialize lexicals to throw on CallObject::create cutouts for Ion.
12.08 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
bug1089761.patch
13.14 KB, patch
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
for (var j = 0; j < 9; ++j) {
    try {
        (function() {
            (function() {
                eval("x")
                let x
            })()
        })()
    } catch (e) {}
}

asserts js debug shell on m-c changeset 20408ad61ce5 with --ion-eager --no-threads at Assertion failure: data.s.payload.why == why, at dist/include/js/Value.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/03242a11d044
user:        Shu-yu Guo
date:        Mon Sep 15 16:30:45 2014 -0700
summary:     Bug 1001090 - Part 2a: Compile new let opcodes in Baseline. (r=jandem)

changeset:   https://hg.mozilla.org/mozilla-central/rev/8114e77c253e
user:        Shu-yu Guo
date:        Mon Sep 15 16:30:46 2014 -0700
summary:     Bug 1001090 - Part 2b: Fix unwinding all scopes to not use pc. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/31714af41f2c
user:        Shu-yu Guo
date:        Mon Sep 15 16:30:46 2014 -0700
summary:     Bug 1001090 - Part 3: Compile new let opcodes in Ion. (r=jandem)

Shu-yu, is bug 1001090 a possible regressor?
Flags: needinfo?(shu)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x473e92, 0x000000010020ac52 js-dbg-opt-64-dm-nsprBuild-darwin-20408ad61ce5`js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) [inlined] JS::Value::isMagic(this=<unavailable>, why=<unavailable>) const + 28 at Value.h:1165, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010020ac52 js-dbg-opt-64-dm-nsprBuild-darwin-20408ad61ce5`js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) [inlined] JS::Value::isMagic(this=<unavailable>, why=<unavailable>) const + 28 at Value.h:1165
    frame #1: 0x000000010020ac36 js-dbg-opt-64-dm-nsprBuild-darwin-20408ad61ce5`js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) [inlined] js::ValueOperations<JS::Handle<JS::Value> >::isMagic(why=<unavailable>) const at Value.h:1681
    frame #2: 0x000000010020ac36 js-dbg-opt-64-dm-nsprBuild-darwin-20408ad61ce5`js::jit::DoTypeMonitorFallback(cx=<unavailable>, frame=<unavailable>, stub=<unavailable>, value=<unavailable>, res=<unavailable>) + 998 at BaselineIC.cpp:1287
    frame #3: 0x0000000101afa69f
    frame #4: 0x0000000101aef940
(lldb)
Jan, this fixes 2 bugs: the bug you pointed out on IRC about fixed slots, and
the one that causes this bug. I was only setting lexicals to throw on touch on
the normal CallObject::create path, and not the createTemplateObject path, so
Ion would copy over undefineds instead of JS_MAGIC_UNINITIALIZED in the fast
path.
Attachment #8512194 - Flags: review?(jdemooij)
Flags: needinfo?(shu)
Comment on attachment 8512194 [details] [diff] [review]
Initialize lexicals to throw on touch on CallObject templates.

Review of attachment 8512194 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.

::: js/src/vm/ScopeObject-inl.h
@@ +56,5 @@
>  inline void
>  CallObject::setAliasedLexicalsToThrowOnTouch(JSScript *script)
>  {
>      uint32_t aliasedLexicalBegin = script->bindings.aliasedBodyLevelLexicalBegin();
> +    uint32_t aliasedLexicalEnd = numFixedSlots() + numDynamicSlots();

Nit: uint32_t aliasedLexicalEnd = slotSpan();

::: js/src/vm/ScopeObject.cpp
@@ +198,5 @@
>      if (!obj)
>          return nullptr;
>  
> +    // Set uninitialized lexicals even on template objects, as Ion will use
> +    // copy over the template object's slot values in the fast path.

Nit: s/use//
Attachment #8512194 - Flags: review?(jdemooij) → review+
Turns out we have many, many ways to create CallObjects.
Attachment #8513882 - Flags: review?(jwalden+bmo)
Flags: needinfo?(shu)
Comment on attachment 8513882 [details] [diff] [review]
Initialize lexicals to throw on CallObject::create cutouts for Ion.

Review of attachment 8513882 [details] [diff] [review]:
-----------------------------------------------------------------

Tacking on an extra index argument, the correctness of the passed value which isn't all that apparent at many call sites, is pretty smelltastic.  I don't have any better ideas, tho.

::: js/src/vm/ScopeObject-inl.h
@@ +53,5 @@
>          types::AddTypePropertyId(cx, this, id, v);
>  }
>  
>  inline void
> +CallObject::initRemainingSlotsToUninitializedLexicals(uint32_t begin)

Not entirely sure why this helper method exists, seeing as it has only one caller and the overall method is rather far from being overly complex.  Just assign the begin-index to a reasonably-named variable and things should be clear enough, seems to me.
Attachment #8513882 - Flags: review?(jwalden+bmo) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 675913ddbb55).
https://hg.mozilla.org/mozilla-central/rev/0fd815999686
Assignee: nobody → shu
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox36: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
This needs a backport, no?
Flags: needinfo?(shu)
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #10)
> This needs a backport, no?

I suppose so.
Flags: needinfo?(shu)
Attached patch bug1089761.patchSplinter Review 
Approval Request Comment
[Feature/regressing bug #]: 1001090
[User impact if declined]: Incorrect JS behavior when using 'let' bindings with closures.
[Describe test coverage new/current, TBPL]: Tested on m-c.
[Risks and why]: Low risk. Not a security issue. Spec compliance for ES6 feature that nobody is using yet.
[String/UUID change made/needed]: None.
Attachment #8516855 - Flags: approval-mozilla-aurora?
Hm, this reminds me, bug 1092833 will need backport as well.
Attachment #8516855 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: