Bug 1298809 (Closed)
Assertion failure: !cx->isExceptionPending(), at js/src/jit/IonAnalysis.cpp:4062

Opened 8 years ago; closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED; target milestone mozilla52
People: Reporter: decoder; Assigned: shu
Details: 4 keywords; Whiteboard: [jsbugmon:update,testComment=4,origRev=560b2c805bf7]

Attachments (2 files):
  - patch, 4.80 KB; Waldo: review+
  - patch, 3.28 KB; gchang: approval-mozilla-aurora+
Description (comment 0)

The following testcase crashes on mozilla-central revision 1a5b53a831e5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

    function BigInteger(a, b, c) {
      if ("number" == typeof a) this.fromNumber(a, b, c);
      else this.fromString(a, b);
    }
    function bnpFromString(s, b) {
      this.s = 0;
      var i = s.length, sh = 0;
      while (--i >= 0) {}
    }
    BigInteger.prototype.fromString = bnpFromString;
    function bnpFromNumber(a, b, c) {
      if (t > 0) function TestCase(bs, this_array, r, nsh) x[1].get &= ((1 << t) - 1);
      else x[0] = 0;
    }
    BigInteger.prototype.fromNumber = bnpFromNumber;
    function parseBigInt(str, r) { return new BigInteger(str, r); }
    function RSAKey() {}
    function RSASetPublic(N, E) { this.n = parseBigInt(N, 16); }
    RSAKey.prototype.setPublic = RSASetPublic;
    nValue = "a5261939975948bb7a58dffe5ff54e65f0498f9175f5a09288810b8975871e99af" +
             "3b5dd94057b0fc07535f5f97444504fa35169d461d0d30cf0192e307727c065168" +
             "c788771c561a9400fb49175e9e6aa4e23fe11af69e9412dd23b0cb6684c4c2429b" +
             "ce139e848ab26d0829073351f4acd36074eafd036a5eb83359d2a698d3";
    eValue = "10001";
    var RSA = new RSAKey();
    RSA.setPublic(nValue, eValue);

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x000000000069e5b8 in js::jit::AnalyzeNewScriptDefiniteProperties (cx=cx@entry=0x7ffff695f000, fun=<optimized out>, group=group@entry=0x7ffff0670820, baseobj=..., baseobj@entry=..., initializerList=initializerList@entry=0x7fffffffc2b0) at js/src/jit/IonAnalysis.cpp:4062
    #0  0x000000000069e5b8 in js::jit::AnalyzeNewScriptDefiniteProperties (cx=cx@entry=0x7ffff695f000, fun=<optimized out>, group=group@entry=0x7ffff0670820, baseobj=..., baseobj@entry=..., initializerList=initializerList@entry=0x7fffffffc2b0) at js/src/jit/IonAnalysis.cpp:4062
    #1  0x0000000000bbeb71 in js::TypeNewScript::maybeAnalyze (this=0x7ffff03142e0, cx=cx@entry=0x7ffff695f000, group=group@entry=0x7ffff0670820, regenerate=regenerate@entry=0x0, force=force@entry=true) at js/src/vm/TypeInference.cpp:3752
    #2  0x00000000006a4e0c in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffc7d8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2252
    #3  0x00000000006a5209 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffc7d8, osrPc=osrPc@entry=0x7ffff03cf34b "\343\201V", constructing=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2479
    #4  0x00000000006a5b03 in BaselineCanEnterAtBranch (pc=0x7ffff03cf34b "\343\201V", osrFrame=0x7fffffffc7d8, script=..., cx=0x7ffff695f000) at js/src/jit/Ion.cpp:2666
    #5  js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff695f000, frame=frame@entry=0x7fffffffc7d8, pc=pc@entry=0x7ffff03cf34b "\343\201V") at js/src/jit/Ion.cpp:2724
    #6  0x0000000000e24eaf in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff695f000, frame=0x7fffffffc7d8, stub=0x7ffff0335168, infoPtr=0x7fffffffc798) at js/src/jit/BaselineIC.cpp:143
    #7  0x00007ffff7e3db24 in ?? ()
    [...]
    #17 0x0000000000000000 in ?? ()

Registers:

    rax 0x0                0
    rbx 0x7ffff695f000     140737330409472
    rcx 0x7ffff6c28a2d     140737333332525
    rdx 0x0                0
    rsi 0x7ffff6ef7770     140737336276848
    rdi 0x7ffff6ef6540     140737336272192
    rbp 0x7fffffffc1f0     140737488339440
    rsp 0x7fffffffb4e0     140737488336096
    r8  0x7ffff6ef7770     140737336276848
    r9  0x7ffff7fe4740     140737354024768
    r10 0x58               88
    r11 0x7ffff6b9f750     140737332770640
    r12 0x1                1
    r13 0x7ffff69ac048     140737330724936
    r14 0x7fffffffb8e0     140737488337120
    r15 0x7fffffffb5f0     140737488336368
    rip 0x69e5b8 <js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JSFunction*, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*)+3960>

    => 0x69e5b8 <js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JSFunction*, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*)+3960>: movl $0x0,0x0
       0x69e5c3 <js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JSFunction*, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*)+3971>: ud2
Do we have the regression range?
Flags: needinfo?(choller)
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3•8 years ago

JSBugMon: Bisection requested, failed due to error (try manually).
Comment 4•8 years ago

    function g() {
      if (0 == true) {
        (function() { if (0) function f() x; else; })()
      }
      this.s = 0;
      while (0) {}
    }
    new g

asserts js debug shell on m-c rev 560b2c805bf7 with --fuzzing-safe --no-threads --ion-eager at:

    Assertion failure: !cx->isExceptionPending(), at jit/IonAnalysis.cpp:4069

Full configuration command:

    CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Whiteboard: [jsbugmon:update] → [jsbugmon:update,testComment=4,origRev=560b2c805bf7]
Comment 5•8 years ago

Due to skipped revisions, the first bad revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:      Shu-yu Guo
date:      Thu Aug 25 01:28:47 2016 -0700
summary:   Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:      Shu-yu Guo
date:      Thu Aug 25 01:28:47 2016 -0700
summary:   Bug 1263355 - Report memory metrics for Scopes. (r=njn)

Shu-yu, is bug 1263355 a likely regressor?
Flags: needinfo?(shu)
Comment 6•8 years ago (Assignee)
Attachment #8793599 - Flags: review?(jwalden+bmo)
Updated•8 years ago (Assignee)
Flags: needinfo?(shu)
Comment 7•8 years ago

Comment on attachment 8793599 [details] [diff] [review]
Fix skipping lazy function expression bodies to account for semicolon.

Review of attachment 8793599 [details] [diff] [review]:
-----------------------------------------------------------------

Don't land this without a minimal, non-fuzzing-garbage testcase included in the patch.

::: js/src/frontend/Parser.cpp
@@ +2870,5 @@
> uint32_t userbufBase = lazyOuter->begin() - lazyOuter->column();
> + if (!tokenStream.advance(fun->lazyScript()->end() - userbufBase))
> + return false;
> +
> + if (fun->isExprBody() && kind == Statement) {

The *comments* by isExprBody and EXPR_BODY suggest this is adequate to handle arrow and non-arrow functions. But the reality of what Parser::functionFormalParametersAndBody does, is that it only calls |fun->setIsExprBody()| for both sorts of functions, *if* JS_HAS_EXPR_CLOSURES. I think that needs to be moved outside JS_HAS_EXPR_CLOSURES code for this patch to work. Please check whether this patch works with JS_HAS_EXPR_CLOSURES not defined, and if it doesn't, move that call outside the #if.

Attachment #8793599 - Flags: review?(jwalden+bmo) → review+
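Review bot: the `fun->isExprBody() && kind == Statement` guard on the last line of the quoted hunk is only effective if the parser actually set the flag on this function, and the review above notes that `setIsExprBody()` is called only under `JS_HAS_EXPR_CLOSURES`; in a build without that define the skip would still stop before the `;` and the misaligned re-parse would remain. Either hoist the `setIsExprBody()` call out of the `#if` or make this guard unconditional in the same way, and land the reduced comment 4 testcase with the patch so both configurations are covered.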
Comment 8•8 years ago

> Don't land this without a minimal, non-fuzzing-garbage testcase included in
> the patch.

I'm fairly sure I reduced the testcase in comment 0 to the one in comment 4, so the hard part is likely already done. :)
Comment 9•8 years ago

Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ab08affc3ca6
Fix skipping lazy function expression bodies to account for semicolon. (r=Waldo)
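Added example, not SpiderMonkey's code and not the patch above: a toy Python model of the mechanism that the fix title and the comment 4 testcase point at. SpiderMonkey syntax-parses inner functions once and records where each one ends; when the outer function is later compiled for real (in the backtrace, presumably while the definite-property analysis compiles the lazy constructor), the parser skips each inner function to its recorded end instead of re-parsing it. For an expression closure used as a statement, `function f() x;`, the expression body ends at `x` but the statement ends after the `;`. If the recorded end stops at `x`, the re-parse resumes on the `;`, consumes it as an empty statement that closes the `if`, and then meets a dangling `else`: a SyntaxError that leaves an exception pending, which is the state the `!cx->isExceptionPending()` assertion rejects. The parser, token offsets and input string below are constructed here; `advance_to`, `recorded_ends` and `lazy_ends` are hypothetical stand-ins for the real `TokenStream::advance` and `LazyScript::end`.

```python
# Added example (not SpiderMonkey code): toy model of lazily skipping an
# expression-closure statement to a recorded end offset, with and without
# the trailing ';'.  Names and the input string are constructed for this demo.
import re

# Keywords, identifiers, digits, punctuation; offsets index into the source.
TOKEN_RE = re.compile(r"\s*(function|if|else|[A-Za-z_]\w*|\d+|[(){};]|\S)")


def tokenize(src):
    """Return (text, start, end) triples for every token in src."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            break
        tokens.append((m.group(1), m.start(1), m.end(1)))
        pos = m.end()
    return tokens


class Parser:
    """Statements: `;`, `if (c) s [else s]`, and the expression-closure
    *statement* `function name() expr;` (the `x; else;` shape from comment 4).
    `lazy_ends` maps a function's start offset to the end recorded by an
    earlier pass; when present the body is skipped, not parsed."""

    def __init__(self, src, lazy_ends=None):
        self.toks = tokenize(src)
        self.i = 0
        self.lazy_ends = lazy_ends or {}
        self.recorded_ends = {}   # start -> (end at expr, end after ';')

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, expected=None):
        if self.i >= len(self.toks):
            raise SyntaxError("unexpected end of input")
        tok = self.toks[self.i]
        if expected is not None and tok[0] != expected:
            raise SyntaxError("expected %r, got %r at %d" % (expected, tok[0], tok[1]))
        self.i += 1
        return tok

    def advance_to(self, offset):
        """Stand-in for TokenStream::advance(): resume at the first token
        that starts at or after `offset`."""
        while self.i < len(self.toks) and self.toks[self.i][1] < offset:
            self.i += 1

    def statement(self):
        t = self.peek()
        if t == ";":                      # empty statement
            self.take()
        elif t == "if":
            self.take("if"); self.take("("); self.take(); self.take(")")
            self.statement()
            if self.peek() == "else":
                self.take("else")
                self.statement()
        elif t == "else":                 # no open `if` to attach to
            raise SyntaxError("else without matching if at %d" % self.toks[self.i][1])
        elif t == "function":
            self.function_statement()
        else:
            raise SyntaxError("unexpected token %r" % (t,))

    def function_statement(self):
        start = self.toks[self.i][1]
        if start in self.lazy_ends:       # lazy path: jump over the body
            self.advance_to(self.lazy_ends[start])
            return
        self.take("function"); self.take(); self.take("("); self.take(")")
        _, _, expr_end = self.take()      # one-token expression body
        _, _, semi_end = self.take(";")   # the statement's terminator
        self.recorded_ends[start] = (expr_end, semi_end)

    def program(self):
        while self.peek() is not None:
            self.statement()
        return self


# Constructed input, modelled on the reduced testcase in comment 4.
SRC = "if (0) function f() x; else ;"


def syntax_parse(src):
    """Eager first pass: {function start: (end at expr, end after ';')}."""
    return Parser(src).program().recorded_ends


def reparse(src, include_semicolon):
    """Lazy second pass using the recorded ends.  Returns None on success,
    or the SyntaxError text that would be left pending on the context."""
    ends = {s: (after if include_semicolon else at)
            for s, (at, after) in syntax_parse(src).items()}
    try:
        Parser(src, ends).program()
    except SyntaxError as e:
        return str(e)
    return None
```

`reparse(SRC, include_semicolon=False)` reproduces the pre-fix behaviour and fails on the `else`; `reparse(SRC, include_semicolon=True)` is the post-fix behaviour and succeeds. The condition `kind == Statement` in the real patch corresponds to the fact that only the statement form owns a trailing `;`: an expression closure used as an expression has no terminator of its own to skip.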
Comment 10•8 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/ab08affc3ca6
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment 11•8 years ago

Hi :shu, since this bug is a regression and also affects 51, would you consider uplifting this to 51 if the patch is not too risky?
Flags: needinfo?(shu)
Comment 12•8 years ago (Assignee)

Approval Request Comment
[Feature/regressing bug #]: 1263355
[User impact if declined]: probably none, actually, since I don't think we expose function expressions to content
[Describe test coverage new/current, TreeHerder]: on m-c
[Risks and why]: low, not content-visible
[String/UUID change made/needed]: none

Flags: needinfo?(shu)
Attachment #8798228 - Flags: approval-mozilla-aurora?
Comment 13•8 years ago

Comment on attachment 8798228 [details] [diff] [review]
bug1298809-uplift.patch

Fix a regression. Take it in 51 aurora.

Attachment #8798228 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•8 years ago
Assignee: nobody → shu
Comment 14•8 years ago (bugherder uplift)
https://hg.mozilla.org/releases/mozilla-aurora/rev/23ed0770680c
Flags: in-testsuite+