Closed Bug 1185959 Opened 10 years ago Closed 10 years ago

Assertion failure: frame.stackDepth() == 0, at js/src/jit/BaselineCompiler.cpp:3268 with ES6 Classes

Categories: Core :: JavaScript Engine, defect
Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


Status: VERIFIED FIXED
Target Milestone: mozilla43
Tracking Status
firefox41 --- disabled
firefox42 --- disabled
firefox43 --- verified
firefox44 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-v2.2r --- unaffected
b2g-master --- fixed

People

(Reporter: decoder, Assigned: efaust)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker][b2g-adv-main2.5-])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 481da0cbe1e3 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-eager):

    class test { constructor() {}; static constructor() {}; }

Backtrace:

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x0000000000898944 in js::jit::BaselineCompiler::emit_JSOP_RETRVAL (this=this@entry=0x7fff7f7c2030) at js/src/jit/BaselineCompiler.cpp:3268
    To enable execution of this file add
        add-auto-load-safe-path /srv/repos/mozilla-central/js/src/debug64/dist/bin/js-gdb.py
    line to your configuration file "/home/decoder/.gdbinit".
    To completely disable this security protection add
        set auto-load safe-path /
    line to your configuration file "/home/decoder/.gdbinit".
    For more information about this security protection see the
    "Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
        info "(gdb)Auto-loading safe path"
    #0  0x0000000000898944 in js::jit::BaselineCompiler::emit_JSOP_RETRVAL (this=this@entry=0x7fff7f7c2030) at js/src/jit/BaselineCompiler.cpp:3268
    #1  0x00000000008d7828 in js::jit::BaselineCompiler::emitBody (this=this@entry=0x7fff7f7c2030) at js/src/jit/BaselineCompiler.cpp:968
    #2  0x00000000008e64cc in js::jit::BaselineCompiler::compile (this=this@entry=0x7fff7f7c2030) at js/src/jit/BaselineCompiler.cpp:101
    #3  0x00000000008e785d in js::jit::BaselineCompile (cx=cx@entry=0x7fc708a1b4e0, script=0x7fc7052378f8, forceDebugInstrumentation=<optimized out>) at js/src/jit/BaselineJIT.cpp:263
    #4  0x00000000008e80a9 in CanEnterBaselineJIT (cx=cx@entry=0x7fc708a1b4e0, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0) at js/src/jit/BaselineJIT.cpp:302
    #5  0x00000000008e83b6 in js::jit::CanEnterBaselineMethod (cx=cx@entry=0x7fc708a1b4e0, state=...) at js/src/jit/BaselineJIT.cpp:370
    #6  0x000000000099213a in js::jit::CanEnter (cx=cx@entry=0x7fc708a1b4e0, state=...) at js/src/jit/Ion.cpp:2373
    #7  0x00000000006b62f5 in js::RunScript (cx=cx@entry=0x7fc708a1b4e0, state=...) at js/src/vm/Interpreter.cpp:637
    #8  0x00000000006b6964 in js::Invoke (cx=cx@entry=0x7fc708a1b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:738
    #9  0x00000000006b84f6 in js::Invoke (cx=cx@entry=0x7fc708a1b4e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fff7f7c3768, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775
    #10 0x00000000008e571a in js::jit::DoCallFallback (cx=0x7fc708a1b4e0, frame=0x7fff7f7c3798, stub_=<optimized out>, argc=<optimized out>, vp=0x7fff7f7c3758, res=...) at js/src/jit/BaselineIC.cpp:9859
    #11 0x00007fc70a0b8bdf in ?? ()
    [...]
    #21 0x0000000000000000 in ?? ()
    rax 0x0                 0
    rbx 0x7fff7f7c2030      140735332229168
    rcx 0x7fc708d6d3cd      140492823516109
    rdx 0x0                 0
    rsi 0x7fc7090429d0      140492826487248
    rdi 0x7fc7090411c0      140492826481088
    rbp 0x7fff7f7c1ba0      140735332228000
    rsp 0x7fff7f7c1b60      140735332227936
    r8  0x7fc70a09e780      140492843640704
    r9  0x6372732f736a2f6c  7165916604736876396
    r10 0x7fc70903ebe0      140492826471392
    r11 0x0                 0
    r12 0x21                33
    r13 0x7fff7f7c2a50      140735332231760
    r14 0x99                153
    r15 0x7fff7f7c2030      140735332229168
    rip 0x898944 <js::jit::BaselineCompiler::emit_JSOP_RETRVAL()+228>
    => 0x898944 <js::jit::BaselineCompiler::emit_JSOP_RETRVAL()+228>:       movl   $0xcc4,0x0
       0x89894f <js::jit::BaselineCompiler::emit_JSOP_RETRVAL()+239>:       callq  0x498eb0 <abort()>
Flags: needinfo?(efaustbmo)
Attached patch: Fix
Welp. Embarrassing. Can't just skip all methods named "constructor". Gotta only skip non-static ones.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8637562 - Flags: review?(jwalden+bmo)
Attachment #8637562 - Flags: review?(jwalden+bmo) → review+
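Added example, not from the bug report, the patch, or SpiderMonkey itself: it shows in plain JavaScript why the compiler fix above has to skip only the non-static method named "constructor". A static method may carry that name; it lands as an own property of the class object, shadowing the inherited Function.prototype.constructor, while the non-static one is the class's actual constructor. The class-body rules that do reject a class are contrasted with the bug's testcase, which is legal syntax. The names Test, Plain, describeClass, parses and earlyErrorChecks are the example's own.

```javascript
// Added example (not code from bug 1185959 or SpiderMonkey). Demonstrates that
// "static constructor()" is an ordinary static method, distinct from the
// non-static constructor, and that the bug's testcase is valid ES2015.

class Test {
  constructor() { this.kind = "instance"; }
  // Legal: the name "constructor" is only reserved for the NON-static method
  // that becomes the class's [[Construct]] behaviour.
  static constructor() { return "static method named constructor"; }
}

// Control case with no static method named "constructor".
class Plain {
  constructor() { this.kind = "instance"; }
}

// Summarise how the two "constructor" names resolve on a class object.
function describeClass(cls) {
  const own = Object.getOwnPropertyDescriptor(cls, "constructor");
  return {
    // The class object itself is what prototype.constructor points at.
    prototypeCtorIsClass: cls.prototype.constructor === cls,
    // A static method named "constructor" becomes an own property of the class.
    hasOwnStaticCtor: own !== undefined && typeof own.value === "function",
    // Without one, cls.constructor is inherited from Function.prototype.
    staticCtorIsFunction: cls.constructor === Function,
    // Constructing an instance still runs the non-static constructor.
    instanceKind: new cls().kind,
  };
}

// Returns true if src parses, false on SyntaxError; anything else is rethrown.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Class-body early errors that DO apply, for contrast with the bug's testcase.
const earlyErrorChecks = {
  testcase: parses("class A { constructor() {} static constructor() {} }"),        // legal
  duplicateInstanceCtor: parses("class A { constructor() {} constructor() {} }"),  // rejected
  accessorCtor: parses("class A { get constructor() {} }"),                       // rejected
  staticPrototype: parses("class A { static prototype() {} }"),                   // rejected
};
```

describeClass(Test) reports that Test.prototype.constructor is Test, that Test has an own static "constructor" function, and that Test.constructor is therefore not Function; describeClass(Plain) reports the opposite for the last two. The early-error table shows that only a duplicate non-static constructor, an accessor named constructor, or a static member named prototype are rejected, so a parser or compiler that special-cases the "constructor" name must check the static flag first, exactly as the comment above says.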
Actually I'm seeing lots of different crashes that involve constructor + static constructor, even things looking like memory corruption and use-after-free. Assuming that this bug is s-s because of that. Please make sure this patch is landed quickly so we don't miss any other bugs in the noise of this one.
Group: core-security
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Should this apply to 43 as well? It seems likely.
Sigh. This shouldn't have landed, because it got marked ss while I was not paying attention, but I landed it anyway, without sec approval, because I'm a fool. anyway, it did land: https://hg.mozilla.org/integration/mozilla-inbound/rev/23ccfe877f67
As far as I know, this is Nightly only code, so it's fine to land.
Marking the non-nightly affected versions as disabled, since ES6 classes aren't enabled there.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Group: core-security → core-security-release
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx43
Group: core-security-release
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [jsbugmon:update,bisect][fuzzblocker][b2g-adv-main2.5-]