Assertion failure: &i.block() == scope->as<ClonedBlockObject>().staticScope(), at js/src/vm/Stack.cpp:164 with OOM

RESOLVED FIXED in Firefox 48

Core
JavaScript Engine
critical
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, regression, testcase})

Trunk
mozilla48
x86_64
Linux
assertion, regression, testcase

Firefox Tracking Flags

(firefox46 wontfix, firefox48 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

oomTest(
  function x() {
    try {
      eval('let ')
    } catch (ex) {
      (function() {})()
    }
  }
);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b01c66 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=0x7ffff7e8a0a0) at js/src/vm/Stack.cpp:164
#0  0x0000000000b01c66 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=0x7ffff7e8a0a0) at js/src/vm/Stack.cpp:164
#1  0x0000000000b02157 in js::InterpreterFrame::prologue (this=0x7ffff313d140, cx=cx@entry=0x7ffff6907800) at js/src/vm/Stack.cpp:246
#2  0x0000000000a3fcea in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:2874
#3  0x0000000000a47187 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:424
#4  0x0000000000a474ac in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#5  0x0000000000a48da8 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:529
#6  0x00000000008daee4 in JS_CallFunction (cx=cx@entry=0x7ffff6907800, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2830
#7  0x0000000000a5f44e in OOMTest (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff313d0a0) at js/src/builtin/TestingFunctions.cpp:1196
#8  0x0000000000a4a842 in js::CallJSNative (cx=0x7ffff6907800, native=0xa5f1b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6918
rip	0xb01c66 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1350>
=> 0xb01c66 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1350>:	movl   $0xa4,0x0
   0xb01c71 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1361>:	callq  0x4a2c00 <abort()>

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

2 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Created attachment 8706587 [details]
OOM_VERBOSE=1 stack

The bisection window probably isn't accurate. I've attached the OOM_VERBOSE=1 stack obtained via:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Hacking_Tips#How_to_debug_oomTest%28%29_failures

This probably relates to something about shapes/protos/SavedStacks in the interpreter. Tentatively setting needinfo? from :Waldo, please feel free to forward the needinfo if necessary.
Flags: needinfo?(jwalden+bmo)

Naveed, can you help find an assignee?
Flags: needinfo?(nihsanullah)

Terrence please take a look and assign appropriately
Flags: needinfo?(nihsanullah) → needinfo?(terrence)

Passing ni? to shu.
Flags: needinfo?(terrence) → needinfo?(shu)

Comment 7

2 years ago
The scope that's mismatching is the static block scope for the catch block. What's going on here is this. In the test,

oomTest(
  function x() {
    try {
      eval('let ')
    } catch (ex) {
      (function() {})()
    }
  }
);

there are 2 lazy functions created internally, |x| and the anonymous IIFE in the catch block. oomTest causes the compilation of the outer function to fail *after* the IIFE gets successfully delazified. So, the IIFE function now has a JSScript whose enclosing static scope is a StaticBlockScope of the catch block created during the failed compilation. But since the compilation of |x| failed, we try to recompile again, creating a new StaticBlockScope for the catch block. We don't bother re-delazifying the IIFE because it's already delazified. Now the scopes don't match up.
Flags: needinfo?(shu)
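A constructed Python model of the sequence comment 7 describes, and of the fix that attachment 8731438 applies (update the delazified script's static scope chain on every emit). This is added illustration, not SpiderMonkey code; StaticBlockScope, LazyScript, compile_outer and run_testcase are stand-in names for the engine's structures.

```python
# Constructed model of the stale-static-scope bug from comment 7; not
# SpiderMonkey code, all names below are illustrative stand-ins.
import itertools

_scope_ids = itertools.count(1)

class StaticBlockScope:
    """Static scope for the catch block of |x|; a fresh one is created on
    every compilation attempt of the outer function."""
    def __init__(self, label):
        self.id = next(_scope_ids)
        self.label = label

class LazyScript:
    """The IIFE inside the catch block: parsed lazily, delazified at most once."""
    def __init__(self, name):
        self.name = name
        self.script = None      # set once delazified
        self.enclosing = None   # static scope the script was compiled against

class OOMError(Exception):
    """Stands in for the allocation failure injected by oomTest()."""

def compile_outer(inner, fail_after_emit, fix_enabled):
    """One compilation attempt of |x|: build a new StaticBlockScope for the
    catch block, emit the IIFE, then optionally fail as the injected OOM does."""
    catch_scope = StaticBlockScope("catch")
    if inner.script is None:
        # First emit: delazify and record the enclosing scope.
        inner.script = f"script-of-{inner.name}"
        inner.enclosing = catch_scope
    elif fix_enabled:
        # The fix: re-point the already-delazified script at the scope
        # created by *this* compilation, not the one from the failed attempt.
        inner.enclosing = catch_scope
    if fail_after_emit:
        raise OOMError("simulated OOM after the IIFE was emitted")
    return catch_scope

def run_testcase(fix_enabled):
    """First attempt fails after delazifying the IIFE, the retry succeeds.
    Returns True when the Stack.cpp:164 prologue check would pass."""
    inner = LazyScript("iife")
    try:
        compile_outer(inner, fail_after_emit=True, fix_enabled=fix_enabled)
    except OOMError:
        pass  # oomTest swallows the failure and the engine recompiles |x|
    live_scope = compile_outer(inner, fail_after_emit=False, fix_enabled=fix_enabled)
    return inner.enclosing is live_scope
```

Without the fix the IIFE still points at the StaticBlockScope from the failed attempt, which is the mismatch the assertion catches; with it the retry re-links the script to the live scope.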

Comment 8

2 years ago
Created attachment 8731438 [details] [diff] [review]
Always update the LazyScript's static scope chain when emitting functions.
Attachment #8731438 - Flags: review?(till)
Comment on attachment 8731438 [details] [diff] [review]
Always update the LazyScript's static scope chain when emitting functions.

Review of attachment 8731438 [details] [diff] [review]:
-----------------------------------------------------------------

That's a pretty amazing corner case.
Attachment #8731438 - Flags: review?(till) → review+
Backed out for opt-only jit-test failures.
https://hg.mozilla.org/integration/mozilla-inbound/rev/56cc2557cdff

https://treeherder.mozilla.org/logviewer.html#?job_id=24074969&repo=mozilla-inbound
TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/gc/bug-1238555.js | /builds/slave/test/build/tests/jit-test/jit-test/tests/gc/bug-1238555.js:1:1 ReferenceError: oomTest is not defined (code 3, args "")

Comment 13

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ed7f0e024ce8
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Too late for assertion fixes in 46.
status-firefox46: affected → wontfix

Updated

2 years ago
Flags: needinfo?(jwalden+bmo)