Bug 1275001 - Assertion failure: data.s.payload.why == why, at dist/include/js/Value.h:1277 with Debugger
Status: Closed, RESOLVED FIXED
Opened 8 years ago, Closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: mozilla50
People: Reporter: decoder, Assigned: shu
Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 2.04 KB, jandem: review+
The following testcase crashes on mozilla-central revision 16663eb3dcfa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

g = newGlobal();
g.parent = this;
g.eval("(" + function() {
  Debugger(parent).onExceptionUnwind = function(frame) { frame.older }
} + ")()")
function check_one(expected, f, err) {
  try {
    f()
  } catch (ex) {
    s = ex.toString()
    assertEq(s.slice(11, -err.length), expected)
  }
}
ieval = eval
function check(expr, expected = expr) {
  var end, err
  for ([end, err] of [[".random_prop", " is undefined"]])
    statement = "o = {};" + expr + end;
  cases = [
    function() ieval("var undef;" + statement),
    Function(statement)
  ]
  for (f of cases)
    check_one(expected, f, err)
}
check("undef");
check("o.b");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000449550 in JS::Value::isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1277
#0  0x0000000000449550 in JS::Value::isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1277
#1  0x00000000007b1f10 in isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<optimized out>) at js/src/vm/Stack.h:177
#2  isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<synthetic pointer>) at js/src/debug64/dist/include/js/Value.h:1836
#3  js::jit::ComputeGetPropResult (cx=cx@entry=0x7ffff6908c00, frame=0x7fffffffc028, op=op@entry=JSOP_LENGTH, name=name@entry=..., val=..., val@entry=..., res=res@entry=...) at js/src/jit/SharedIC.cpp:2649
#4  0x00000000007c3eca in js::jit::DoGetPropFallback (cx=0x7ffff6908c00, payload=<optimized out>, stub_=<optimized out>, val=..., res=...) at js/src/jit/SharedIC.cpp:2745
#5  0x00007ffff7fed4db in ?? ()
[...]
#51 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7fffffffc028 140737488338984
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffbab0 140737488337584
rsp 0x7fffffffbab0 140737488337584
r8  0x7ffff7fdf7c0 140737354004416
r9  0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffb870 140737488337008
r11 0x7ffff6c27ee0 140737333329632
r12 0xd9 217
r13 0x7ffff6908c00 140737330056192
r14 0x7fffffffbcb0 140737488338096
r15 0x7fffffffbfb0 140737488338864
rip 0x449550 <JS::Value::isMagic(JSWhyMagic) const+28>
=> 0x449550 <JS::Value::isMagic(JSWhyMagic) const+28>: movl $0x4fd,0x0
   0x44955b <JS::Value::isMagic(JSWhyMagic) const+39>: callq 0x4b2d30 <abort()>
Updated 8 years ago: Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3127df59e0dc
user: Boris Zbarsky
date: Fri Dec 12 20:52:40 2014 -0500
summary: Bug 1110871. Ion-compile JSOP_SYMBOL. r=jandem

This iteration took 0.834 seconds to run.
Boris, is bug 1110871 a likely regressor? Also cc'ing Jim and Nick because Debugger seems to be involved.
Blocks: 1110871
Flags: needinfo?(bzbarsky)
Comment 3 • 8 years ago
> Boris, is bug 1110871 a likely regressor?

Could be, indirectly. Before that, the for-of loop prevented the check() function from getting ion-compiled, so the handling of this testcase was totally different.

The assert (and in fact the stack) being hit here is the same as in bug 1143194. Did that regress somehow?
Flags: needinfo?(bzbarsky) → needinfo?(shu)
Comment 4 • 8 years ago (Assignee)
In the fuzz test, the first var |end| in the |check| function is never used and Ion optimizes it out. So, counting args, |check| has 4 slots when bailing to Baseline:

  [expr, expected, <optimized out>, err]

Because of a bug in RematerializedFrame::locals() not being aware of argument underflow, we were returning a pointer to:

  [expr, expected, <optimized out>, err]
         ^
         ~~ rematFrame->locals()

whereas we should've been returning:

  [expr, expected, <optimized out>, err]
                   ^
                   ~~ rematFrame->locals()

This caused the JITs to think the value of |err| is <optimized out> and pass it to |check_one| as the 3rd arg, causing this assertion.
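The slot arithmetic behind comment 4, as an added illustration that is not SpiderMonkey code and not shu's patch: a toy frame whose argument area spans max(formals, actuals) slots, with a locals() pointer computed the buggy way (after the actual arguments only) beside the fixed way (after every reserved argument slot). ToyFrame, Slot, localsBuggy(), localsFixed(), readLocal() and the two constructed frames are assumptions made for this example; numArgSlots() mirrors only the name and computation of the helper in the attached patch, and the real Ion and Baseline frame layouts differ from this model. It also goes one step beyond the comment by including an overflowing call, where both pointers agree, to show the fix changes nothing outside underflow.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// One frame slot: either a materialized value or the JIT's <optimized out> marker.
struct Slot {
    bool optimizedOut;
    std::string value;
};

// Hypothetical frame model (not SpiderMonkey's RematerializedFrame): the slot
// vector holds the argument area first, then the locals. When a call
// underflows (fewer actuals than formals) the callee still reserves a slot for
// every formal, so the argument area spans max(formals, actuals) slots.
struct ToyFrame {
    unsigned numFormalArgs;
    unsigned numActualArgs;
    std::vector<Slot> slots;  // [args..., locals...]

    // Same computation as the numArgSlots() helper in the attached patch.
    unsigned numArgSlots() const {
        return std::max(numFormalArgs, numActualArgs);
    }

    // Buggy variant: assumes locals begin right after the *actual* arguments,
    // which lands one slot too early for every missing formal.
    const Slot* localsBuggy() const { return slots.data() + numActualArgs; }

    // Fixed variant: locals begin after every reserved argument slot.
    const Slot* localsFixed() const { return slots.data() + numArgSlots(); }
};

// Constructed frame for the call check("undef") from the testcase:
// check(expr, expected = expr) has two formals but receives one actual,
// local 0 (|end|) was optimized out by Ion, and local 1 is |err|.
ToyFrame makeCheckFrame() {
    return ToyFrame{2, 1, {
        {false, "\"undef\""},          // arg 0: expr (the one actual)
        {false, "\"undef\""},          // arg 1: expected (formal filled from its default)
        {true,  ""},                   // local 0: |end|, <optimized out>
        {false, "\" is undefined\""},  // local 1: |err|
    }};
}

// Constructed frame for an overflowing call f(a, b, c) of a two-formal
// function: all three actuals are kept, so both locals() variants agree.
ToyFrame makeOverflowFrame() {
    return ToyFrame{2, 3, {
        {false, "a"}, {false, "b"}, {false, "c"},  // args: every actual reserved
        {false, "local0"},
        {false, "local1"},
    }};
}

// Read local |index| through either locals() pointer, reporting the marker
// text when the slot holds no materialized value.
std::string readLocal(const ToyFrame& f, unsigned index, bool useFix) {
    const Slot* locals = useFix ? f.localsFixed() : f.localsBuggy();
    const Slot& s = locals[index];
    return s.optimizedOut ? "<optimized out>" : s.value;
}
```

Reading local 1 of the check("undef") frame through localsBuggy() yields the <optimized out> marker that then reached check_one as its third argument; through localsFixed() it yields |err|. On the overflow frame the two reads are identical, which is the property a reviewer would want to confirm before accepting a change to the arg-slot count.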
Comment 6 • 8 years ago
Comment on attachment 8760512 [details] [diff] [review] remat-underflow.patch Review of attachment 8760512 [details] [diff] [review]: ----------------------------------------------------------------- Fuzzers <3 ::: js/src/jit/RematerializedFrame.h @@ +180,5 @@ > unsigned numActualArgs() const { > return numActualArgs_; > } > + unsigned numArgSlots() const { > + return std::max(numFormalArgs(), numActualArgs()); #include <algorithm> ?
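Review bot: numArgSlots() in the RematerializedFrame.h hunk calls std::max, but nothing in the visible context pulls in <algorithm>; add `#include <algorithm>` to the header itself rather than relying on a transitive include, since a header that compiles only through include order tends to break on one platform and not another. A one-line comment above numArgSlots() stating that the frame reserves max(formals, actuals) argument slots, so locals() must begin after that count and not after numActualArgs(), would also record why the helper exists.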
Attachment #8760512 - Flags: review?(jdemooij) → review+
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/4b405b61dff5 Fix RematerializedFrame::locals() when there's arguments underflow. (r=jandem)
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/d7978f23ee54 Fix Windows bustage. (r=me)
Comment 9 • 8 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/4b405b61dff5
https://hg.mozilla.org/mozilla-central/rev/d7978f23ee54
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50