Closed Bug 1236548 Opened 10 years ago Closed 10 years ago

Assertion failure: data.s.payload.why == why, at js/src/debug64/dist/include/js/Value.h:1218 with ES6 Classes

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: efaust)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

fixMagicConstructAssert.patch
1.18 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-offthread-compile=off --baseline-eager): function f(thunk) { try { thunk() } catch (e) {} } class foo extends null { constructor() { class Array {} } } for (i = 0; i < 10000; ++i) f(() => new foo) Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00000000004492aa in JS::Value::isMagic (why=JS_IS_CONSTRUCTING, this=0x7fffffffc590) at js/src/debug64/dist/include/js/Value.h:1218 #0 0x00000000004492aa in JS::Value::isMagic (why=JS_IS_CONSTRUCTING, this=0x7fffffffc590) at js/src/debug64/dist/include/js/Value.h:1218 #1 0x00000000007fea71 in isMagic (why=JS_IS_CONSTRUCTING, this=0x7fffffffc590) at js/src/jscntxt.h:686 #2 isMagic (why=JS_IS_CONSTRUCTING, this=0x7fffffffc580) at js/src/debug64/dist/include/js/Value.h:1747 #3 js::jit::InvokeFunction (cx=0x7ffff6907800, obj=..., constructing=<optimized out>, argc=<optimized out>, argv=<optimized out>, rval=...) at js/src/jit/VMFunctions.cpp:81 #4 0x00007ffff7ff04df in ?? () #5 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff6907800 140737330051072 rcx 0x7ffff6ca53cd 140737333842893 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffc520 140737488340256 rsp 0x7fffffffc520 140737488340256 r8 0x7ffff7fe0780 140737354008448 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffffc2e0 140737488339680 r11 0x7ffff6c27960 140737333328224 r12 0x7fffffffc5e0 140737488340448 r13 0x7fffffffc580 140737488340352 r14 0x1 1 r15 0x7fffffffc5a0 140737488340384 rip 0x4492aa <JS::Value::isMagic(JSWhyMagic) const+28> => 0x4492aa <JS::Value::isMagic(JSWhyMagic) const+28>: movl $0x4c2,0x0 0x4492b5 <JS::Value::isMagic(JSWhyMagic) const+39>: callq 0x4a4a90 <abort()>
ni efaust as classes are involved
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151009120049" and the hash "2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3". The "bad" changeset has the timestamp "20151009120613" and the hash "250cd0bf3ce07627f08057cc7a38bc2d67174f9f". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3&tochange=250cd0bf3ce07627f08057cc7a38bc2d67174f9f
Ignore comment 3, my bad. Eric, is bug 1105463 a likely regressor?
Uhm, it's a regressor inasmuch as the testcase wouldn't parse before then, but I don't think it's at fault, no. Anyway, I have a fix.
Flags: needinfo?(efaustbmo)
We have both JS_IS_CONSTRUCTING and JS_UNINITIALIZED_LEXICAL flowing validly through this space. Both are valid to use the construction code without creating a new object.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Attachment #8706677 - Flags: review?(jwalden+bmo)
Comment on attachment 8706677 [details] [diff] [review] fixMagicConstructAssert.patch Review of attachment 8706677 [details] [diff] [review]: ----------------------------------------------------------------- Add a testcase, ideally the ones I put in the comments. Beware that inIon() allegedly throws if Ion is disabled, or something (i.e. tryserver carefully). ::: js/src/jit/VMFunctions.cpp @@ +75,5 @@ > cargs[i].set(argvWithoutThis[i]); > RootedValue newTarget(cx, argvWithoutThis[argc]); > + // If |this| hasn't been created, or is JS_UNINITIALIED_LEXICAL, > + // we can use normal construction code without creating an extraneous > + // object. IZED Add an assert that the magic-value is *only* one of these two values, so if more flow through in the future we learn about it (as the current code pointed out another one does flow through here now). I'd like to see demos of the relevant triggering cases. This language, disconnected from actual testcases, is very inscrutable, even considering I just touched this like three months ago. These should work: // JS_IS_CONSTRUCTING var g = newGlobal(); do { new g.String(); // jit::CreateThis passes JS_IS_CONSTRUCTING } while (!inIon()); // JS_UNINITIALIZED_LEXICAL class B {}; class D extends B { constructor() { super(); } }; do { new D(); // jit::CreateThis passes JS_UNINITIALIZED_LEXICAL } while (!inIon());
Attachment #8706677 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/b8e4d6e226bd https://hg.mozilla.org/mozilla-central/rev/10164991b6cc
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: