Closed Bug 1147216 Opened 11 years ago Closed 11 years ago

Assertion failure: i <= 65535, at frontend/BytecodeEmitter.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla40
Tracking Status
firefox39 --- fixed
firefox40 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(4 files)

The upcoming hard-to-reduce testcase asserts js debug shell on m-c changeset 2e2244031032 with --fuzzing-safe --no-threads --no-ion at Assertion failure: i <= 65535, at frontend/BytecodeEmitter.cpp. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 2e2244031032 === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150321073953" and the hash "a6e177495aa9". The "bad" changeset has the timestamp "20150321082224" and the hash "787394ba34a2". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a6e177495aa9&tochange=787394ba34a2 Jan, is bug 1143704 a likely regressor?
Flags: needinfo?(jdemooij)
Attached file stack
(lldb) bt 5 * thread #1: tid = 0x43a3e, 0x0000000100188882 js-dbg-64-dm-nsprBuild-darwin-2e2244031032`js::frontend::BytecodeEmitter::emitCallOrNew(js::frontend::ParseNode*) [inlined] js::frontend::BytecodeEmitter::emitUint16Operand(this=<unavailable>, op=<unavailable>, i=<unavailable>) + 67 at BytecodeEmitter.cpp:540, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x0000000100188882 js-dbg-64-dm-nsprBuild-darwin-2e2244031032`js::frontend::BytecodeEmitter::emitCallOrNew(js::frontend::ParseNode*) [inlined] js::frontend::BytecodeEmitter::emitUint16Operand(this=<unavailable>, op=<unavailable>, i=<unavailable>) + 67 at BytecodeEmitter.cpp:540 frame #1: 0x000000010018883f js-dbg-64-dm-nsprBuild-darwin-2e2244031032`js::frontend::BytecodeEmitter::emitCallOrNew(this=<unavailable>, pn=<unavailable>) + 1711 at BytecodeEmitter.cpp:6221 frame #2: 0x000000010016fe6f js-dbg-64-dm-nsprBuild-darwin-2e2244031032`js::frontend::BytecodeEmitter::emitTree(this=0x00007fff5fbfacf0, pn=0x00000001053f8d40) + 575 at BytecodeEmitter.cpp:7223 frame #3: 0x0000000100187328 js-dbg-64-dm-nsprBuild-darwin-2e2244031032`js::frontend::BytecodeEmitter::emitStatement(this=0x00007fff5fbfacf0, pn=<unavailable>) + 696 at BytecodeEmitter.cpp:5913 frame #4: 0x000000010016ffab js-dbg-64-dm-nsprBuild-darwin-2e2244031032`js::frontend::BytecodeEmitter::emitTree(this=0x00007fff5fbfacf0, pn=0x00000001053f8cd0) + 891 at BytecodeEmitter.cpp:7107 (lldb)
Awesome. I added this i <= UINT16_MAX assertion in bug 1143704 after I converted this code from a macro to a proper method, and the assert caught a real bug. Basically the JSOP_LINENO op we emit after an eval has an uint16 operand but the line number does not necessarily fit in that. That's why your testcase is hard to reduce because you need a line number > 65536 :) Below is a testcase that fails in opt builds (and also failed before my patches) because we get a bogus line number. Yay, proper asserts :) Not security sensitive and not a major bug, but we should fix this. function f() { var s = ""; var x, stack; for (var i=0; i<70000; i++) { s += "x = 0;\n"; if (i === 68000) s += "eval('stack = Error().stack');"; } eval(s); assertEq(stack.indexOf("line 68002") > 0, true); } f();
This prevents diagnosing bug 1143449, as firefox crashes trying to load the referenced page.
Blocks: 1143449
(In reply to Tom Tromey :tromey from comment #4) > This prevents diagnosing bug 1143449, as firefox crashes trying to load the > referenced page. Great! So before I added this assert this was a correctness bug that wouldn't be that easy to track down, but now we get a nice assertion failure and the cause of bug 1143449 is obvious :) (looks like it's the same issue, big line numbers) I'll get to this tomorrow.
FWIW I took a quick look at it. Changing JSOP_LINENO to take an int32 seems doable. But on the other hand, JSOP_LINENO could also just be removed. It's only used in one spot.
(In reply to Jan de Mooij [:jandem] from comment #5) > but now we get a nice assertion failure > and the cause of bug 1143449 is obvious :) (looks like it's the same issue, > big line numbers) Well I may be a bit too optimistic; it could be completely unrelated of course. (In reply to Tom Tromey :tromey from comment #6) > FWIW I took a quick look at it. Changing JSOP_LINENO to take an int32 seems > doable. > But on the other hand, JSOP_LINENO could also just be removed. It's only > used in one spot. Yes I'm not sure why we use this path for direct eval but not for the other callers of DescribeScriptedCallerForCompilation. We should probably do some bug/hg archaeology; the code doesn't explain why we have that special CALLED_FROM_JSOP_EVAL path...
Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
(In reply to Jan de Mooij [:jandem] from comment #7) > (In reply to Jan de Mooij [:jandem] from comment #5) > > but now we get a nice assertion failure > > and the cause of bug 1143449 is obvious :) (looks like it's the same issue, > > big line numbers) > > Well I may be a bit too optimistic; it could be completely unrelated of > course. Yeah -- that bug is about a failure of the debugger to stop at the right spot; it's just that when I tried to investigate that bug, I couldn't due to this one. So this is a prerequisite but unfortunately not a solution :)
Hitting this one too on larger asm.js applications. Assertion failure: i <= (65535), at src/frontend/BytecodeEmitter.cpp:528 Program received signal SIGSEGV, Segmentation fault. 0x00000000005a2281 in js::frontend::BytecodeEmitter::emitUint16Operand (this=this@entry=0x7fffffffc4c0, op=op@entry=JSOP_LINENO, i=<optimized out>) at src/js/src/frontend/BytecodeEmitter.cpp:528 528 MOZ_ASSERT(i <= UINT16_MAX); Missing separate debuginfos, use: debuginfo-install glibc-2.18-19.fc20.x86_64 libgcc-4.8.3-7.fc20.x86_64 libstdc++-4.8.3-7.fc20.x86_64 nspr-4.10.8-1.fc20.x86_64 (gdb) back #0 0x00000000005a2281 in js::frontend::BytecodeEmitter::emitUint16Operand (this=this@entry=0x7fffffffc4c0, op=op@entry=JSOP_LINENO, i=<optimized out>) at src/js/src/frontend/BytecodeEmitter.cpp:528 #1 0x00000000005c7e64 in js::frontend::BytecodeEmitter::emitCallOrNew (this=this@entry=0x7fffffffc4c0, pn=pn@entry=0x7fffeb302f28) at src/js/src/frontend/BytecodeEmitter.cpp:6173
Attached patch PatchSplinter Review
Give JSOP_LINENO an uint32 (instead of uint16) operand.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8587975 - Flags: review?(luke)
Comment on attachment 8587975 [details] [diff] [review] Patch Review of attachment 8587975 [details] [diff] [review]: ----------------------------------------------------------------- Nice!
Attachment #8587975 - Flags: review?(luke) → review+
Attached patch Another fixSplinter Review
I noticed another bug in DescribeScriptedCallerForCompilation. It does: MOZ_ASSERT(*(pc + (isSpread ? JSOP_SPREADEVAL_LENGTH : JSOP_EVAL_LENGTH)) == JSOP_LINENO); *linenop = GET_UINT32(pc + (JSOp(*pc) == JSOP_EVAL ? JSOP_EVAL_LENGTH : JSOP_SPREADEVAL_LENGTH)); So the assert is correct but the code after it is wrong: if *pc == JSOP_STRICTEVAL, we add JSOP_SPREADEVAL_LENGTH instead of JSOP_EVAL_LENGTH. This patch refactors the code a bit to avoid the duplication and fixes the bug. But this means our line numbers for eval in strict mode have been wrong since JSOP_STRICTEVAL was added :(
Attachment #8587984 - Flags: review?(luke)
Attachment #8587984 - Flags: review?(luke) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Comment on attachment 8587975 [details] [diff] [review] Patch Approval Request Comment [Feature/regressing bug #]: Bug 1143704 exposed this, actual bug is much older. [User impact if declined]: Assertion failures in debug builds, or incorrect line numbers in stack traces. [Describe test coverage new/current, TreeHerder]: Tested on TreeHerder. [Risks and why]: Very low. [String/UUID change made/needed]: None.
Attachment #8587975 - Flags: approval-mozilla-aurora?
Comment on attachment 8587984 [details] [diff] [review] Another fix Approval Request Comment [Feature/regressing bug #]: Bug 1101905. [User impact if declined]: Bogus line numbers in stack traces for eval in strict mode. [Describe test coverage new/current, TreeHerder]: Tested on TreeHerder. [Risks and why]: Simple patch, no risk. [String/UUID change made/needed]: None.
Attachment #8587984 - Flags: approval-mozilla-aurora?
Comment on attachment 8587984 [details] [diff] [review] Another fix Looks like this fix will help with diagnosing crashes and the tests look good on m-c. Approved for uplift to aurora.
Attachment #8587984 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
This has Xdr.h conflicts on Aurora, and I'm not sure what the rules are for bytecode version bumps on uplifts.
Flags: needinfo?(jdemooij)
Got my questions answered on IRC.
Flags: needinfo?(jdemooij)
Comment on attachment 8587975 [details] [diff] [review] Patch Marking this approved too. Looks like it was already uplifted. Thanks RyanVM.
Attachment #8587975 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: