Closed Bug 1118865 Opened 9 years ago Closed 9 years ago

Assertion failure: isFunctionScope(scope) && !scope.as<CallObject>().callee().nonLazyScript()->needsArgsObj(), at js/src/vm/ScopeObject.cpp:1507

Categories

(Core :: JavaScript Engine, defect)

Platform: x86
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla40
Tracking Status
firefox37 --- affected
firefox40 --- fixed

People

(Reporter: decoder, Assigned: shu)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 33781a3a5201 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --no-threads):

var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    frame = frame.older;
    var completion = frame.eval(code);
  };
})(this);
function h() {
  evalInFrame(1, "a.push(0)");
}
function f() {
  var a = arguments;
  h(a["1".concat("")], 1);
}
f();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0873f4b2 in (anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue (scope=(js::ScopeObject &) @0xf6900070 [object Call] delegate, v=..., cx=<optimized out>) at js/src/vm/ScopeObject.cpp:1506
1506	        MOZ_ASSERT_IF(isMagic, isFunctionScope(scope) &&
#0  0x0873f4b2 in (anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue (scope=(js::ScopeObject &) @0xf6900070 [object Call] delegate, v=..., cx=<optimized out>) at js/src/vm/ScopeObject.cpp:1506
#1  0x087764d1 in (anonymous namespace)::DebugScopeProxy::get (this=0x963cbdc, cx=0x967d518, proxy=(JSObject * const) 0xf68480a0 [object Proxy], receiver=(JSObject * const) 0xf68480a0 [object Proxy], id=$jsid("a"), vp=$jsval(-nan(0xfff8400000008))) at js/src/vm/ScopeObject.cpp:1643
#2  0x086741f7 in js::Proxy::get (cx=0x967d518, proxy=(JSObject * const) 0xf68480a0 [object Proxy], receiver=(JSObject * const) 0xf68480a0 [object Proxy], id=$jsid("a"), vp=$jsval(-nan(0xfff8400000008))) at js/src/proxy/Proxy.cpp:299
#3  0x080bb9d3 in JSObject::getGeneric (cx=0x967d518, obj=(JSObject * const) 0xf68480a0 [object Proxy], receiver=(JSObject * const) 0xf68480a0 [object Proxy], id=$jsid("a"), vp=$jsval(-nan(0xfff8400000008))) at js/src/vm/NativeObject.h:1403
#4  0x08410ad0 in js::FetchName<false> (cx=0x967d518, obj=(JSObject * const) 0xf68480a0 [object Proxy], obj2=(JSObject * const) 0xf68480a0 [object Proxy], name="a", shape=0x1, vp=$jsval(-nan(0xfff8400000008))) at js/src/vm/Interpreter-inl.h:243
#5  0x086eaa44 in NameOperation (vp=$jsval(-nan(0xfff8400000008)), pc=0x9745c71 ";", fp=<optimized out>, cx=0x967d518) at js/src/vm/Interpreter.cpp:303
#6  Interpret (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:2672
#7  0x086f0db2 in js::RunScript (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:452
#8  0x086f10f5 in js::ExecuteKernel (cx=0x967d518, script=0xf684b420, scopeChainArg=(JSObject &) @0xf68480a0 [object Proxy], thisv=..., type=js::EXECUTE_DEBUG, evalInFrame=..., result=0xffffb600) at js/src/vm/Interpreter.cpp:661
#9  0x086f1723 in js::EvaluateInEnv (cx=0x967d518, env=(JSObject * const) 0xf68480a0 [object Proxy], thisv=$jsval(-nan(0xfff88f6847040)), frame=..., chars=..., filename=0x89d6495 "debugger eval code", lineno=1, rval=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:5928
#10 0x08702762 in DebuggerGenericEval (cx=0x967d518, fullMethodName=<optimized out>, code=..., evalWithBindings=EvalWithDefaultBindings, bindings=$jsval(-nan(0xfff8200000000)), options=$jsval(-nan(0xfff8200000000)), vp=$jsval(-nan(0xfff88f685ec60)), dbg=0x9730a10, scope=0x0, iter=0xffffb7e4) at js/src/vm/Debugger.cpp:6065
#11 0x08703378 in DebuggerFrame_eval (cx=0x967d518, argc=1, vp=0xffffbdf4) at js/src/vm/Debugger.cpp:6079
#12 0x08712be3 in js::CallJSNative (cx=0x967d518, native=0x8703070 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231
#13 0x086f19a4 in js::Invoke (cx=0x967d518, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#14 0x086f2dac in js::Invoke (cx=0x967d518, thisv=..., fval=..., argc=1, argv=0x97130b8, rval=$jsval(-nan(0xfff88f685ec60))) at js/src/vm/Interpreter.cpp:558
#15 0x0867699c in js::DirectProxyHandler::call (this=0x963cb78, cx=0x967d518, proxy=(JSObject * const) 0xf6848090 [object Proxy], args=...) at js/src/proxy/DirectProxyHandler.cpp:79
#16 0x08677f30 in js::CrossCompartmentWrapper::call (this=0x963cb78, cx=0x967d518, wrapper=(JSObject * const) 0xf6848090 [object Proxy], args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:286
#17 0x08675360 in js::Proxy::call (cx=0x967d518, proxy=(JSObject * const) 0xf6848090 [object Proxy], args=...) at js/src/proxy/Proxy.cpp:401
#18 0x0867544a in js::proxy_Call (cx=0x967d518, argc=1, vp=0x97130a8) at js/src/proxy/Proxy.cpp:792
#19 0x08712be3 in js::CallJSNative (cx=0x967d518, native=0x86753d0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231
#20 0x086f1cbc in js::Invoke (cx=0x967d518, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#21 0x086e3820 in Interpret (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:2560
#22 0x086f0db2 in js::RunScript (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:452
#23 0x086f10f5 in js::ExecuteKernel (cx=0x967d518, script=0xf684b128, scopeChainArg=(JSObject &) @0xf6847040 [object global] delegate, thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:661
#24 0x086f14ad in js::Execute (cx=0x967d518, script=0xf684b128, scopeChainArg=(JSObject &) @0xf6847040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:698
#25 0x0855f021 in ExecuteScript (cx=0x967d518, obj=(JSObject * const) 0xf6847040 [object global] delegate, scriptArg=0xf684b128, rval=0x0) at js/src/jsapi.cpp:4324
#26 0x0805bc99 in RunFile (compileOnly=false, file=0x9729e78, filename=0xffffd0e0 "min.js", obj=..., cx=0x967d518) at js/src/shell/js.cpp:450
#27 Process (cx=0x967d518, obj_=<optimized out>, filename=0xffffd0e0 "min.js", forceTTY=false) at js/src/shell/js.cpp:583
#28 0x08068f34 in ProcessArgs (op=0xffffcca8, obj_=<optimized out>, cx=0x967d518) at js/src/shell/js.cpp:5320
#29 Shell (op=0xffffcca8, cx=0x967d518, envp=<optimized out>) at js/src/shell/js.cpp:5559
#30 main (argc=0, argv=0x0, envp=0x0) at js/src/shell/js.cpp:5898
eax	0x0	0
ebx	0x963bff4	157532148
ecx	0xf7e618ac	-135915348
edx	0x0	0
esi	0xf6900070	-158334864
edi	0x9608b00	157321984
ebp	0xffffabf8	4294945784
esp	0xffffabd0	4294945744
eip	0x873f4b2 <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue)+98>
=> 0x873f4b2 <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue)+98>:	movl   $0x7b,0x0
   0x873f4bc <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue)+108>:	call   0x804a9d0 <abort@plt>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb3487d8700b
user:        Nicolas B. Pierron
date:        Thu Jul 24 04:30:50 2014 -0700
summary:     Bug 1039607 - Scalar Replacement support dynamic slots. r=h4writer

This iteration took 199.509 seconds to run.
Needinfo from nbp based on comment 1.
Flags: needinfo?(nicolas.b.pierron)
So far, breaking on the ObjectMemoryView and ArrayMemoryView constructors does not seem to have any hit, so I do not see how this could be related to the current patch.
I cannot get any failure when Ion is disabled.  --ion-eager is useful to get a well formatted output for iongraph.

I reduced the test case, and I can reproduce with --ion-offthread-compile=off --ion-eager --ion-scalar-replacement=off:

var dbgGlobal = newGlobal();
var dbg = new dbgGlobal.Debugger();
dbg.addDebuggee(this);
function f() {
  var a = arguments;
  a[1];
  dbg.getNewestFrame().eval("a");
}
f();

Running git bisect on my own highlights the following commit:

4b43078ae46c827ff1edc7b9fe55a592d42795af is the first bad commit
commit 4b43078ae46c827ff1edc7b9fe55a592d42795af (https://hg.mozilla.org/mozilla-central/rev/fe70a6c9a374)
Author: Shu-yu Guo <shu@rfrn.org>
Date:   Mon Dec 15 18:21:09 2014 -0800

    Bug 1109964 - Recover missing arguments in DebugScopeProxy when the optimized arguments comes from a non-'arguments' slot. (r=luke)

Which looks more likely to me, as it adds a test case similar to the one above.
Flags: needinfo?(nicolas.b.pierron) → needinfo?(shu)
Oops, the assertion was too strict. Ion can emit OPTIMIZED_ARGUMENTS even when the script !needsArgsObj(), such as in IonBuilder.cpp:877.
Attachment #8584902 - Flags: review?(nicolas.b.pierron)
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Comment on attachment 8584902 [details] [diff] [review]
Relax assertion in DebugScopeProxy::isMagicMissingArgumentsValue.

Review of attachment 8584902 [details] [diff] [review]:
-----------------------------------------------------------------

Ok, I am not an expert on this code, but I see that isMagicMissingArgumentsValue is used as a guard before calling CreateMissingArguments, which calls createUnexpected, which I know handles properly the case where Ion does not have an arguments object.
Also, createUnexpected will cause an invalidation, but it should be handled properly by the LiveScope, if I understand correctly (and I would expect such a failure to have already appeared in fuzz bugs).

Sounds good to me.
Attachment #8584902 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/5d53f0949d96
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Flags: needinfo?(shu)