Closed Bug 1150837 Opened 9 years ago Closed 9 years ago

Crash [@ GetterSetterWriteBarrierPost] or [@ js::NativeDefineProperty] or [@ js::Nursery::moveToTenured] Assertion failure: !has(SHADOWABLE), at jsapi.h

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking
RESOLVED DUPLICATE of bug 1150906
Tracking Status
firefox40 --- affected

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(6 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(3 files)

Array.prototype.some.call([function() {}], function() {
    Object.defineProperty(arguments, 0, {
      get: function() {}
    });
});

asserts js debug shell on m-c changeset 70a113676b21 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !has(SHADOWABLE), at jsapi.h.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 70a113676b21

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f9c99e8ce207
user:        Jason Orendorff
date:        Mon Mar 23 14:32:27 2015 -0500
summary:     Bug 1138499, part 1 - Assert some basic rules on property descriptors on entry to DefineProperty and exit from GetOwnPropertyDescriptor. r=Waldo.

Jason, is bug 1138499 a likely regressor?
Flags: needinfo?(jorendorff)
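The reproducer above converts element 0 of an `arguments` object into an accessor from inside an `Array.prototype.some` callback, and the debug assertion fires because the descriptor reaching `DefineProperty` breaks the basic descriptor rules the regressing changeset started asserting on. The script below is an added example, not code from this bug or from SpiderMonkey: it reuses the same pattern as a regression check, sweeping several iteration methods with both sloppy (mapped) and strict (unmapped) `arguments`, and verifies that the descriptor read back afterwards is well-formed (accessor and data fields are exclusive, accessors are callable or undefined, flags are booleans) and that reads go through the new getter. The method list and the getter's return value `'g'` are this example's own choices; the mapped case only arises when the script itself runs in sloppy mode.

```javascript
// Added example (not from bug 1150837 or the SpiderMonkey sources).
// Regression check for the reproducer pattern in comment 0: define an accessor
// on arguments[0] from inside an Array.prototype callback, then validate the
// descriptor the engine hands back.

// Returns null for a well-formed descriptor, otherwise a short description of
// the rule that is broken.
function descriptorViolation(desc) {
  if (desc === undefined) return 'no own property';
  const isAccessor = 'get' in desc || 'set' in desc;
  const isData = 'value' in desc || 'writable' in desc;
  if (isAccessor && isData) return 'accessor descriptor carries value/writable';
  if (!isAccessor && !isData) return 'neither accessor nor data descriptor';
  if (isAccessor) {
    if (desc.get !== undefined && typeof desc.get !== 'function') return 'getter is not callable';
    if (desc.set !== undefined && typeof desc.set !== 'function') return 'setter is not callable';
  } else if (typeof desc.writable !== 'boolean') {
    return 'writable is not boolean';
  }
  if (typeof desc.enumerable !== 'boolean') return 'enumerable is not boolean';
  if (typeof desc.configurable !== 'boolean') return 'configurable is not boolean';
  return null;
}

// Runs Array.prototype[method] over a one-element array and, from inside the
// callback, converts arguments[0] (the element) into an accessor exactly as the
// reproducer does. Returns the descriptor read back afterwards plus the value
// observed when arguments[0] is read through the new getter ('g' is an
// arbitrary marker chosen for this example).
function defineAccessorOnArguments(method, strictCallback) {
  const out = { desc: undefined, observed: undefined };
  function record(args) {
    Object.defineProperty(args, 0, { get: function () { return 'g'; } });
    out.desc = Object.getOwnPropertyDescriptor(args, 0);
    out.observed = args[0];      // must go through the getter, not the old mapping
    return true;                 // keeps some/every/find callbacks well-behaved
  }
  // Sloppy callback: arguments is mapped to the formals (only if this script is
  // itself sloppy). Strict callback: arguments is always unmapped.
  const sloppy = function () { return record(arguments); };
  const strict = function () { 'use strict'; return record(arguments); };
  Array.prototype[method].call([function () {}], strictCallback ? strict : sloppy);
  return out;
}

// Sweeps the per-element iteration methods with both callback kinds. Each entry
// is the violation string (or null) for that method/callback combination.
function sweep() {
  const methods = ['some', 'every', 'forEach', 'map', 'filter', 'find', 'findIndex'];
  const report = {};
  for (const m of methods) {
    for (const strict of [false, true]) {
      const { desc } = defineAccessorOnArguments(m, strict);
      report[`${m}/${strict ? 'strict' : 'sloppy'}`] = descriptorViolation(desc);
    }
  }
  return report;
}
```

On a fixed engine every entry of `sweep()` is `null` and the descriptor for element 0 is an accessor with `set: undefined` and `enumerable`/`configurable` preserved from the original data property (both `true` for arguments elements); a non-null entry or a descriptor that mixes `get` with `value` is the condition the debug shell's `assertValid` is meant to catch.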
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x1e7edf, 0x00000001008554ad js-dbg-64-dm-nsprBuild-darwin-70a113676b21`JS::PropertyDescriptorOperations<JS::Handle<JSPropertyDescriptor> >::assertValid(this=<unavailable>) const + 973 at jsapi.h:2597, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001008554ad js-dbg-64-dm-nsprBuild-darwin-70a113676b21`JS::PropertyDescriptorOperations<JS::Handle<JSPropertyDescriptor> >::assertValid(this=<unavailable>) const + 973 at jsapi.h:2597
    frame #1: 0x0000000100298137 js-dbg-64-dm-nsprBuild-darwin-70a113676b21`js::NativeDefineProperty(cx=0x0000000101fa5180, desc_=Handle<JSPropertyDescriptor> at 0x00007fff5fbfbc20, result=0x00007fff5fbfbed0, obj=<unavailable>, id=<unavailable>) + 55 at NativeObject.cpp:1287
    frame #2: 0x000000010029a065 js-dbg-64-dm-nsprBuild-darwin-70a113676b21`js::NativeDefineProperty(cx=0x0000000101fa5180, getter=<unavailable>, setter=<unavailable>, attrs=209, result=0x00007fff5fbfbed0, obj=<unavailable>, id=<unavailable>, value=<unavailable>)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), unsigned int, JS::ObjectOpResult&) + 149 at NativeObject.cpp:1483
    frame #3: 0x0000000100800b0d js-dbg-64-dm-nsprBuild-darwin-70a113676b21`DefinePropertyOnObject(cx=0x0000000101fa5180, result=0x00007fff5fbfbed0, obj=<unavailable>, id=<unavailable>, desc=<unavailable>) + 3165 at jsobj.cpp:557
    frame #4: 0x00000001007c65e3 js-dbg-64-dm-nsprBuild-darwin-70a113676b21`js::StandardDefineProperty(cx=<unavailable>, result=<unavailable>, obj=<unavailable>, id=<unavailable>, desc=<unavailable>) + 675 at jsobj.cpp:661
(lldb)
This testcase also crashes opt builds at GetterSetterWriteBarrierPost with js::NativeDefineProperty on the stack.
Crash Signature: [@ GetterSetterWriteBarrierPost] [@ js::NativeDefineProperty]
Keywords: crash
Summary: Assertion failure: !has(SHADOWABLE), at jsapi.h → Crash [@ GetterSetterWriteBarrierPost] or [@ js::NativeDefineProperty] or Assertion failure: !has(SHADOWABLE), at jsapi.h
Attached file stack of opt crash
(gdb) bt 5
#0  GetterSetterWriteBarrierPost (objp=0xf674aefc, shape=0xf674aee0) at /home/gkwong/trees/mozilla-central/js/src/vm/Shape.h:345
#1  AccessorShape (nfixed=<optimized out>, other=..., this=0xf674aee0) at /home/gkwong/trees/mozilla-central/js/src/vm/Shape.h:1284
#2  new_ (nfixed=<optimized out>, unrootedOther=..., cx=0xf7a5d0e0) at /home/gkwong/trees/mozilla-central/js/src/vm/Shape-inl.h:94
#3  js::PropertyTree::getChild (this=0xf7a5776c, cx=cx@entry=0xf7a5d0e0, parentArg=0xf6755778, unrootedChild=...) at /home/gkwong/trees/mozilla-central/js/src/jspropertytree.cpp:184
#4  0x0821e506 in js::NativeObject::getChildProperty (cx=cx@entry=0xf7a5d0e0, obj=obj@entry=..., parent=parent@entry=..., unrootedChild=...) at /home/gkwong/trees/mozilla-central/js/src/vm/Shape.cpp:406
(More stack frames follow...)
(gdb)
I'm also hitting this pretty frequently and it's certainly s-s (opt crashes with an unhealthy-looking memory address).
Group: core-security
I'm also seeing an entirely different crash trace for this bug with an optimized build and a different test (but the debug crash trace is the same as the ones already in the bug):

Program received signal SIGSEGV, Segmentation fault.
0x0000000000543cf1 in js::Nursery::moveToTenured (this=0x7ffff693c378, trc=0x7fffffefd410, src=0x7ffff544d7c0) at  js/src/jsobj.h:128
#0  0x0000000000543cf1 in js::Nursery::moveToTenured (this=0x7ffff693c378, trc=0x7fffffefd410, src=0x7ffff544d7c0) at  js/src/jsobj.h:128
#1  0x0000000000545a58 in js::Nursery::MinorGCCallback (jstrc=<optimized out>, thingp=0x7fffffefd160, kind=<optimized out>) at  js/src/gc/Nursery.cpp:787
#2  0x00000000005168d9 in invoke (kind=JSTRACE_OBJECT, thing=0x7fffffefd160, this=0x7fffffefd410) at ../../dist/include/js/TracingAPI.h:216
#3  DoTracing<JSObject*> (i=18446744073709551615, name=0xb5c970 "AccessorShape getter or setter", thingp=0x7fffffefd160, trc=0x7fffffefd410) at  js/src/gc/Marking.cpp:596
#4  DispatchToTracer<JSObject*> (trc=trc@entry=0x7fffffefd410, thingp=thingp@entry=0x7fffffefd160, name=name@entry=0xb5c970 "AccessorShape getter or setter", i=18446744073709551615) at  js/src/gc/Marking.cpp:500
#5  0x0000000000547f05 in js::TraceManuallyBarrieredEdge<JSObject*> (trc=trc@entry=0x7fffffefd410, thingp=thingp@entry=0x7fffffefd160, name=name@entry=0xb5c970 "AccessorShape getter or setter") at  js/src/gc/Marking.cpp:416
#6  0x00000000008f7bc4 in js::ShapeGetterSetterRef::mark (this=0x7ffff69a8068, trc=0x7fffffefd410) at  js/src/jspropertytree.cpp:325
#7  0x000000000067964c in js::gc::StoreBuffer::GenericBuffer::mark (this=this@entry=0x7ffff69424c8, owner=owner@entry=0x7ffff693c408, trc=trc@entry=0x7fffffefd410) at  js/src/gc/StoreBuffer.cpp:112
#8  0x0000000000544cdf in markGenericEntries (trc=0x7fffffefd410, this=0x7ffff693c408) at  js/src/gc/StoreBuffer.h:455
#9  js::Nursery::collect (this=this@entry=0x7ffff693c378, rt=0x7ffff693c000, reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC, pretenureGroups=pretenureGroups@entry=0x0) at  js/src/gc/Nursery.cpp:853
#10 0x00000000008aa7e6 in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x7ffff693c330, reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC, pretenureGroups=pretenureGroups@entry=0x0) at  js/src/jsgc.cpp:6300
#11 0x00000000008f6023 in evictNursery (reason=JS::gcreason::TOO_MUCH_MALLOC, this=0x7ffff693c330, this@entry=0x7ffff69424e8) at  js/src/gc/GCRuntime.h:618
#12 js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c330, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC) at  js/src/jsgc.cpp:5916
#13 0x00000000008f64e9 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c330, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC) at  js/src/jsgc.cpp:6089
#14 0x00000000008f7804 in gcSlice (millis=<optimized out>, reason=<optimized out>, this=<optimized out>) at  js/src/jsgc.cpp:6165
#15 js::gc::GCRuntime::gcIfRequested (this=this@entry=0x7ffff693c330, cx=cx@entry=0x7ffff69820f0) at  js/src/jsgc.cpp:6357
#16 0x000000000051c03b in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff693c330, cx=cx@entry=0x7ffff69820f0) at  js/src/gc/Allocator.cpp:34
#17 0x0000000000551030 in checkAllocatorState<(js::AllowGC)1> (kind=js::gc::FAT_INLINE_STRING, cx=0x7ffff69820f0, this=<optimized out>) at  js/src/gc/Allocator.cpp:55
#18 js::Allocate<JSFatInlineString, (js::AllowGC)1> (cx=0x7ffff69820f0) at  js/src/gc/Allocator.cpp:203
#19 0x00000000005fba65 in new_<(js::AllowGC)1> (cx=<optimized out>) at  js/src/vm/String-inl.h:257
#20 AllocateInlineString<(js::AllowGC)1, unsigned char> (chars=<synthetic pointer>, len=<optimized out>, cx=0x7ffff69820f0) at  js/src/vm/String-inl.h:37
#21 NewInlineStringDeflated<(js::AllowGC)1> (chars=..., cx=0x7ffff69820f0) at  js/src/vm/String.cpp:987
#22 NewStringDeflated<(js::AllowGC)1> (cx=0x7ffff69820f0, s=0x7ffff5156e80 u"too much recursion", n=<optimized out>) at  js/src/vm/String.cpp:1004
#23 0x000000000063ec6d in js::NewStringCopyN<(js::AllowGC)1, char16_t> (cx=cx@entry=0x7ffff69820f0, s=<optimized out>, n=<optimized out>) at  js/src/vm/String.cpp:1148
#24 0x000000000085e51d in NewStringCopyZ<(js::AllowGC)1> (s=<optimized out>, cx=0x7ffff69820f0) at  js/src/vm/String.h:1198
#25 JS_NewUCStringCopyZ (cx=cx@entry=0x0, s=<optimized out>) at  js/src/jsapi.cpp:4596
#26 0x000000000089d744 in js::ErrorToException (cx=0x0, cx@entry=0x7ffff69820f0, message=message@entry=0x7ffff514ce40 "too much recursion", reportp=reportp@entry=0x7fffffefd960, callback=<optimized out>, userRef=<optimized out>) at  js/src/jsexn.cpp:544
#27 0x000000000085d12a in ReportError (cx=0x7ffff69820f0, message=0x7ffff514ce40 "too much recursion", reportp=0x7fffffefd960, callback=<optimized out>, userRef=<optimized out>) at  js/src/jscntxt.cpp:230
#28 0x0000000000867ce0 in js::ReportErrorNumberVA(JSContext *, unsigned int, JSErrorCallback, void *, unsigned int, typedef __va_list_tag __va_list_tag *, js::ErrorArgumentsType) (cx=0x7ffff69820f0, flags=flags@entry=0, callback=0x856310 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=109, ap=ap@entry=0x7fffffefda08, argumentsType=js::ArgumentsAreASCII) at  js/src/jscntxt.cpp:746
#29 0x0000000000867d53 in JS_ReportErrorNumberVA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffefda08) at  js/src/jsapi.cpp:5091
#30 0x0000000000867ddd in JS_ReportErrorNumber (cx=cx@entry=0x7ffff69820f0, errorCallback=errorCallback@entry=0x856310 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=109) at  js/src/jsapi.cpp:5080
#31 0x00000000008683ce in js::ReportOverRecursed (maybecx=maybecx@entry=0x7ffff69820f0) at  js/src/jscntxt.cpp:350
#32 0x00000000005979ea in js::RunScript (cx=cx@entry=0x7ffff69820f0, state=...) at  js/src/vm/Interpreter.cpp:616
#33 0x0000000000597aed in js::Invoke (cx=cx@entry=0x7ffff69820f0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at  js/src/vm/Interpreter.cpp:720
#34 0x0000000000598f5a in js::Invoke (cx=cx@entry=0x7ffff69820f0, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffefe590, rval=..., rval@entry=...) at  js/src/vm/Interpreter.cpp:757
#35 0x000000000090e970 in Trap (rval=..., argv=0x7fffffefe590, argc=1, fval=..., handler=..., cx=0x7ffff69820f0) at  js/src/proxy/ScriptedIndirectProxyHandler.cpp:45
#36 Trap1 (cx=0x7ffff69820f0, handler=..., fval=..., id=..., rval=...) at  js/src/proxy/ScriptedIndirectProxyHandler.cpp:53
#37 0x000000000091dfe9 in js::ScriptedIndirectProxyHandler::has (this=0x1712ae0 <js::ScriptedIndirectProxyHandler::singleton>, cx=0x7ffff69820f0, proxy=..., id=..., bp=0x7fffffefe7b0) at  js/src/proxy/ScriptedIndirectProxyHandler.cpp:270
#38 0x0000000000933669 in js::Proxy::has (cx=0x7ffff69820f0, proxy=..., id=..., bp=0x7fffffefe7b0) at  js/src/proxy/Proxy.cpp:245
#39 0x00000000005c9bf4 in js::NativeHasProperty (cx=0x7ffff69820f0, obj=..., id=..., foundp=0x7fffffefe7b0) at  js/src/vm/NativeObject.cpp:1590
#40 0x00000000008b9f65 in HasProperty (foundp=0x7fffffefe7b0, id=..., obj=..., cx=0x7ffff69820f0) at  js/src/vm/NativeObject.h:1429
#41 GetPropertyIfPresent (foundp=0x7fffffefe7b0, vp=..., id=..., obj=..., cx=0x7ffff69820f0) at  js/src/jsobj.cpp:212
#42 js::ToPropertyDescriptor (cx=cx@entry=0x7ffff69820f0, descval=..., checkAccessors=checkAccessors@entry=true, desc=...) at  js/src/jsobj.cpp:706
#43 0x00000000004a648e in js::obj_defineProperty (cx=0x7ffff69820f0, argc=<optimized out>, vp=<optimized out>) at  js/src/builtin/Object.cpp:821
#44 0x00007ffff7ff1f9e in ?? ()
#45 0x00007ffff6982108 in ?? ()
#46 0x00007fffffefe970 in ?? ()
#47 0x0000000000000000 in ?? ()
rax	0x2b2b2b2b2b2b2b2b	3110627432037296939
rbx	0x7ffff544d7c0	140737308317632
rcx	0xbad0bad1	3134241489
rdx	0x7ffff544d7c0	140737308317632
rsi	0x7fffffefd410	140737487295504
rdi	0x7ffff693c378	140737330267000
rbp	0x1715780 <js::ArrayObject::class_>
rsp	0x7fffffefd080	140737487294592
r8	0x7ffff3000000	140737270251520
r9	0xffff	65535
r10	0x10	16
r11	0x9ba26512	2611111186
r12	0x7ffff693c378	140737330267000
r13	0x7fffffefd410	140737487295504
r14	0x18	24
r15	0x7fffffefd410	140737487295504
rip	0x543cf1 <js::Nursery::moveToTenured(js::gc::MinorCollectionTracer*, JSObject*)+33>
=> 0x543cf1 <js::Nursery::moveToTenured(js::gc::MinorCollectionTracer*, JSObject*)+33>:	mov    (%rax),%rcx
   0x543cf4 <js::Nursery::moveToTenured(js::gc::MinorCollectionTracer*, JSObject*)+36>:	cmp    %rbp,%rcx
Crash Signature: [@ GetterSetterWriteBarrierPost] [@ js::NativeDefineProperty] → [@ GetterSetterWriteBarrierPost] [@ js::NativeDefineProperty] [@ js::Nursery::moveToTenured]
Summary: Crash [@ GetterSetterWriteBarrierPost] or [@ js::NativeDefineProperty] or Assertion failure: !has(SHADOWABLE), at jsapi.h → Crash [@ GetterSetterWriteBarrierPost] or [@ js::NativeDefineProperty] or [@ js::Nursery::moveToTenured] Assertion failure: !has(SHADOWABLE), at jsapi.h
Whiteboard: [fuzzblocker][jsbugmon:update]
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Over in bug 1150906:
* figured out how my changes totally caused the crashes too, not just the assertions
* posted the above patch (which I think fixes both) in the open and landed it

Duping to that bug. Since this is definitely the fault of the changeset immediately after the one fingered in comment 0 here, it's only in Nightly (FF40, not FF39) and so I expect we can open this.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Opening up as per comment 7.
Group: core-security