Assertion failure: !cx->isExceptionPending(), at js/src/jit/IonAnalysis.cpp:4062

RESOLVED FIXED in Firefox 51

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 2 years ago
Modified: 2 years ago
Reporter: decoder
Assignee: shu
Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla52
Platform: x86_64 Linux
Keywords: assertion, jsbugmon, regression, testcase
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox51 fixed, firefox52 fixed
Whiteboard: [jsbugmon:update,testComment=4,origRev=560b2c805bf7]
Attachments: 2
(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 1a5b53a831e5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

function BigInteger(a, b, c) {
    if ("number" == typeof a) this.fromNumber(a, b, c);
    else this.fromString(a, b);
}
function bnpFromString(s, b) {
    this.s = 0;
    var i = s.length,
        sh = 0;
    while (--i >= 0) {}
}
BigInteger.prototype.fromString = bnpFromString;
function bnpFromNumber(a, b, c) {
    if (t > 0)
    function TestCase(bs, this_array, r, nsh) x[1].get &= ((1 << t) - 1);
    else x[0] = 0;
}
BigInteger.prototype.fromNumber = bnpFromNumber;
function parseBigInt(str, r) {
    return new BigInteger(str, r);
}
function RSAKey() {}
function RSASetPublic(N, E) {
    this.n = parseBigInt(N, 16);
}
RSAKey.prototype.setPublic = RSASetPublic;
nValue = "a5261939975948bb7a58dffe5ff54e65f0498f9175f5a09288810b8975871e99af"
        + "3b5dd94057b0fc07535f5f97444504fa35169d461d0d30cf0192e307727c065168"
        + "c788771c561a9400fb49175e9e6aa4e23fe11af69e9412dd23b0cb6684c4c2429b"
        + "ce139e848ab26d0829073351f4acd36074eafd036a5eb83359d2a698d3";
eValue = "10001";
var RSA = new RSAKey();
RSA.setPublic(nValue, eValue);
Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000069e5b8 in js::jit::AnalyzeNewScriptDefiniteProperties (cx=cx@entry=0x7ffff695f000, fun=<optimized out>, group=group@entry=0x7ffff0670820, baseobj=..., baseobj@entry=..., initializerList=initializerList@entry=0x7fffffffc2b0) at js/src/jit/IonAnalysis.cpp:4062
#0  0x000000000069e5b8 in js::jit::AnalyzeNewScriptDefiniteProperties (cx=cx@entry=0x7ffff695f000, fun=<optimized out>, group=group@entry=0x7ffff0670820, baseobj=..., baseobj@entry=..., initializerList=initializerList@entry=0x7fffffffc2b0) at js/src/jit/IonAnalysis.cpp:4062
#1  0x0000000000bbeb71 in js::TypeNewScript::maybeAnalyze (this=0x7ffff03142e0, cx=cx@entry=0x7ffff695f000, group=group@entry=0x7ffff0670820, regenerate=regenerate@entry=0x0, force=force@entry=true) at js/src/vm/TypeInference.cpp:3752
#2  0x00000000006a4e0c in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffc7d8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2252
#3  0x00000000006a5209 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffc7d8, osrPc=osrPc@entry=0x7ffff03cf34b "\343\201V", constructing=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2479
#4  0x00000000006a5b03 in BaselineCanEnterAtBranch (pc=0x7ffff03cf34b "\343\201V", osrFrame=0x7fffffffc7d8, script=..., cx=0x7ffff695f000) at js/src/jit/Ion.cpp:2666
#5  js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff695f000, frame=frame@entry=0x7fffffffc7d8, pc=pc@entry=0x7ffff03cf34b "\343\201V") at js/src/jit/Ion.cpp:2724
#6  0x0000000000e24eaf in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff695f000, frame=0x7fffffffc7d8, stub=0x7ffff0335168, infoPtr=0x7fffffffc798) at js/src/jit/BaselineIC.cpp:143
#7  0x00007ffff7e3db24 in ?? ()
[...]
#17 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff695f000	140737330409472
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffc1f0	140737488339440
rsp	0x7fffffffb4e0	140737488336096
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x1	1
r13	0x7ffff69ac048	140737330724936
r14	0x7fffffffb8e0	140737488337120
r15	0x7fffffffb5f0	140737488336368
rip	0x69e5b8 <js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JSFunction*, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*)+3960>
=> 0x69e5b8 <js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JSFunction*, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*)+3960>:	movl   $0x0,0x0
   0x69e5c3 <js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JSFunction*, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*)+3971>:	ud2
Comment 1

2 years ago
Do we have the regression range?
Flags: needinfo?(choller)
(Reporter)

Comment 2

2 years ago
Let's wait for a bisect from the bot.
Flags: needinfo?(choller)

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 3

2 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Comment 4

2 years ago
function g() {
    if (0 == true) {
        (function() {
            if (0)
                function f() x;
            else;
        })()
    }
    this.s = 0;
    while (0) {}
}
new g

asserts js debug shell on m-c rev 560b2c805bf7 with --fuzzing-safe --no-threads --ion-eager at:

Assertion failure: !cx->isExceptionPending(), at jit/IonAnalysis.cpp:4069

Full configuration command:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Whiteboard: [jsbugmon:update] → [jsbugmon:update,testComment=4,origRev=560b2c805bf7]
Comment 5

2 years ago
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

Shu-yu, is bug 1263355 a likely regressor?
Flags: needinfo?(shu)
(Assignee)

Comment 6

2 years ago
Created attachment 8793599 [details] [diff] [review]
Fix skipping lazy function expression bodies to account for semicolon.
Attachment #8793599 - Flags: review?(jwalden+bmo)
(Assignee)

Updated

2 years ago
Flags: needinfo?(shu)

Comment 7

2 years ago
Comment on attachment 8793599 [details] [diff] [review]
Fix skipping lazy function expression bodies to account for semicolon.

Review of attachment 8793599 [details] [diff] [review]:
-----------------------------------------------------------------

Don't land this without a minimal, non-fuzzing-garbage testcase included in the patch.

::: js/src/frontend/Parser.cpp
@@ +2870,5 @@
>      uint32_t userbufBase = lazyOuter->begin() - lazyOuter->column();
> +    if (!tokenStream.advance(fun->lazyScript()->end() - userbufBase))
> +        return false;
> +
> +    if (fun->isExprBody() && kind == Statement) {
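Review bot: the new branch guarded by "if (fun->isExprBody() && kind == Statement)" depends on an invariant the hunk does not state: that fun->lazyScript()->end(), which the preceding tokenStream.advance() call jumps to, ends just past the body expression of an expression-bodied function statement and not past its terminating semicolon, so only the Statement case has a leftover token to consume. Please add a comment above the condition saying so, since a reader of the skip path otherwise has no way to tell why expression-position bodies are excluded. The regression test that lands with this should exercise the statement form followed by another token, as in the "if (0) function f() x; else;" shape from comment 4, so a skip that stops one token short fails the re-parse visibly rather than only under --ion-eager.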

The *comments* by isExprBody and EXPR_BODY suggest this is adequate to handle arrow and non-arrow functions.  But the reality of what Parser::functionFormalParametersAndBody does is that it only calls |fun->setIsExprBody()| for both sorts of functions *if* JS_HAS_EXPR_CLOSURES.

I think that needs to be moved outside JS_HAS_EXPR_CLOSURES code for this patch to work.  Please check whether this patch works with JS_HAS_EXPR_CLOSURES not defined, and if it doesn't, move that call outside the #if.
Attachment #8793599 - Flags: review?(jwalden+bmo) → review+
Comment 8

2 years ago
> Don't land this without a minimal, non-fuzzing-garbage testcase included in
> the patch.

I'm fairly sure I reduced the testcase in comment 0 to the one in comment 4, so the hard part is likely already done. :)

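Added illustration of the skip the patch corrects. This is not SpiderMonkey code and not from anyone on this bug: a toy lazy parser in JavaScript that records where an expression-closure body ends on the first full parse, then on the lazy path jumps to that offset instead of re-tokenizing the body. With the semicolon unaccounted for, the leftover ';' sits between the consequent of the "if (0) function f() x; else;" shape from comment 4 and its else, which is the re-parse failure behind the pending exception in the assertion. The names lazyEnd, isExprBody, kind and accountForSemicolon are the model's own stand-ins for lazyScript()->end(), isExprBody() and the Statement kind seen in the hunk in comment 7; "function f() x" is SpiderMonkey-only expression-closure syntax, so the model handles it as text rather than executing it, and the input string is constructed for the example.

```javascript
// Toy model of lazy function skipping (added example, not SpiderMonkey's parser).
// The first full parse records where a function's body ends; a later lazy
// re-parse jumps to that offset rather than re-reading the body. For the
// SpiderMonkey expression-closure form `function f() x;` the recorded end
// covers the body expression `x`, not the statement's `;`.

// Minimal token stream over a source string: identifiers and single-character
// punctuation, with whitespace skipped. Offsets mirror tokenStream positions.
function nextToken(src, pos) {
  while (pos < src.length && /\s/.test(src[pos])) pos++;
  if (pos >= src.length) return { type: "eof", value: "", start: pos, end: pos };
  const m = /^[A-Za-z_$][\w$]*/.exec(src.slice(pos));
  if (m) return { type: "name", value: m[0], start: pos, end: pos + m[0].length };
  return { type: "punct", value: src[pos], start: pos, end: pos + 1 };
}

// First (full) parse of `function NAME() EXPR` starting at `pos`.
// Returns the model's lazy-script record: the body's end offset and the
// expression-body flag (stand-ins for lazyScript()->end() and isExprBody()).
// Only a single-identifier body, as in `function f() x`, is modelled.
function fullParseExprClosure(src, pos) {
  const kw = nextToken(src, pos);
  if (kw.value !== "function") throw new SyntaxError("expected function");
  const name = nextToken(src, kw.end);
  const lp = nextToken(src, name.end);
  const rp = nextToken(src, lp.end);
  if (lp.value !== "(" || rp.value !== ")") throw new SyntaxError("bad params");
  const body = nextToken(src, rp.end);
  if (body.type !== "name") throw new SyntaxError("model only handles `function f() x`");
  // Recorded end stops after the body expression; the `;` belongs to the
  // enclosing statement and is not part of the function.
  return { name: name.value, lazyEnd: body.end, isExprBody: true };
}

// Lazy re-parse: skip the function using the recorded end offset.
// accountForSemicolon=false is the pre-patch skip, true is the patched one.
function skipLazyFunction(src, lazy, kind, accountForSemicolon) {
  let pos = lazy.lazyEnd;                           // tokenStream.advance(end - base)
  if (accountForSemicolon && lazy.isExprBody && kind === "Statement") {
    const t = nextToken(src, pos);
    if (t.value === ";") pos = t.end;               // consume the statement terminator
  }
  return pos;
}

// Lazily re-parse `if (COND) function f() x; else ;` and report whether the
// else clause is still reachable as the token after the consequent.
function lazyParseIfWithExprClosure(src, accountForSemicolon) {
  const kw = nextToken(src, 0);
  if (kw.value !== "if") throw new SyntaxError("expected if");
  const lp = nextToken(src, kw.end);
  const cond = nextToken(src, lp.end);
  const rp = nextToken(src, cond.end);
  const lazy = fullParseExprClosure(src, rp.end);   // recorded on the first parse
  const after = skipLazyFunction(src, lazy, "Statement", accountForSemicolon);
  const next = nextToken(src, after);
  if (next.value === "else") return { ok: true, next: next.value };
  // Pre-patch outcome: the leftover `;` reads as an empty statement, so the
  // `else` that follows has no if to attach to, i.e. a SyntaxError on the lazy
  // compile, which is the pending exception the assertion trips over.
  return { ok: false, next: next.value };
}

// Constructed input mirroring the shape of the reduced testcase in comment 4.
const SRC = "if (0) function f() x; else ;";
console.log("pre-patch:", lazyParseIfWithExprClosure(SRC, false));
console.log("patched:  ", lazyParseIfWithExprClosure(SRC, true));
```

On the pre-patch path the token after the skip is the stray ';', and on the patched path it is the else, which is the whole difference the one-line condition in the hunk makes.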
Comment 9

2 years ago
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ab08affc3ca6
Fix skipping lazy function expression bodies to account for semicolon. (r=Waldo)

Comment 10

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ab08affc3ca6
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment 11

2 years ago
Hi :shu,
Since this bug is a regression and also affects 51, would you consider uplifting this to 51 if the patch is not too risky?
Flags: needinfo?(shu)
(Assignee)

Comment 12

2 years ago
Created attachment 8798228 [details] [diff] [review]
bug1298809-uplift.patch

Approval Request Comment
[Feature/regressing bug #]: 1263355
[User impact if declined]: probably none, actually, since I don't think we expose function expressions to content
[Describe test coverage new/current, TreeHerder]: on m-c
[Risks and why]: low, not content-visible
[String/UUID change made/needed]: none
Flags: needinfo?(shu)
Attachment #8798228 - Flags: approval-mozilla-aurora?
Comment 13

2 years ago
Comment on attachment 8798228 [details] [diff] [review]
bug1298809-uplift.patch

Fix a regression. Take it in 51 aurora.
Attachment #8798228 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee: nobody → shu

Comment 14

2 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/23ed0770680c
status-firefox51: affected → fixed
Flags: in-testsuite+