Closed Bug 1326589 Opened 8 years ago Closed 8 years ago

Assertion failure: info.frame()->isFunctionFrame() || info.frame()->isEvalFrame(), at js/src/jit/SharedIC.cpp:2612 or Assertion failure: stub->monitorsThis() || *GetNextPc(pc) == JSOP_CHECKTHIS || *GetNextPc(pc) == JSOP_CHECKRETURN, at js/src/jit/SharedIC

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla53
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: gkw, Assigned: evilpies)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 81463aec62d0 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

s = newGlobal();
try {
    evalcx("undefined(); const x = [];", s);
} catch (e) {}
evalcx("\
for (var i = 0; i < 2; i++) {\
    try { Function()(x); } catch (e) {}\
}\
", s);

Backtrace:

0   js-dbg-64-dm-clang-darwin-81463aec62d0   0x000000010e28e05d js::jit::DoTypeMonitorFallback(JSContext*, void*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 1469 (SharedIC.cpp:2612)
1   ???                                      0x00000001100ebecd 0 + 4564369101
/snip

For detailed crash information, see attachment.
Setting [fuzzblocker] because this is happening very often.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1832a6e47f1c
user:        Tom Schuster
date:        Fri Dec 30 17:38:08 2016 +0100
summary:     Bug 1324566 - Port Baseline GlobalNameAccessor to CacheIR. r=jandem

Tom, is bug 1324566 a likely regressor?
Blocks: 1324566
Flags: needinfo?(evilpies)
s = newGlobal();
try {
    evalcx("undefined(); const x = [];", s);
} catch (e) {}
evalcx("\
for (var i = 0; i < 2; i++) {\
    try { (function () { Function()(x) })(); } catch (e) {}\
}\
", s);

This variant asserts at:

Assertion failure: stub->monitorsThis() || *GetNextPc(pc) == JSOP_CHECKTHIS || *GetNextPc(pc) == JSOP_CHECKRETURN, at js/src/jit/SharedIC.cpp:2615
Segmentation fault: 11
Summary: Assertion failure: info.frame()->isFunctionFrame() || info.frame()->isEvalFrame(), at js/src/jit/SharedIC.cpp:2612 → Assertion failure: info.frame()->isFunctionFrame() || info.frame()->isEvalFrame(), at js/src/jit/SharedIC.cpp:2612 or Assertion failure: stub->monitorsThis() || *GetNextPc(pc) == JSOP_CHECKTHIS || *GetNextPc(pc) == JSOP_CHECKRETURN, at js/src/jit/SharedIC
try { evaluate("n;let x;"); } catch (e) {}
function g() {
    function f(m) {
        !x;
    }
    return f;
}
try { g()(0); } catch (e) {}
g()(undefined);

crashes [@ js::ToBooleanSlow].

Process 10913 stopped
* thread #1: tid = 0xcd0cc, 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] js::GetObjectClass(obj=0x000000000000000f) at jsfriendapi.h:635, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xf)
    frame #0: 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] js::GetObjectClass(obj=0x000000000000000f) at jsfriendapi.h:635 [opt]
   632  inline const js::Class*
   633  GetObjectClass(const JSObject* obj)
   634  {
-> 635      return reinterpret_cast<const shadow::Object*>(obj)->group->clasp;
   636  }
   637
   638  inline const JSClass*
(lldb) bt
* thread #1: tid = 0xcd0cc, 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] js::GetObjectClass(obj=0x000000000000000f) at jsfriendapi.h:635, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xf)
  * frame #0: 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] js::GetObjectClass(obj=0x000000000000000f) at jsfriendapi.h:635 [opt]
    frame #1: 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] js::IsProxy(obj=0x000000000000000f) at Proxy.h:362 [opt]
    frame #2: 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] js::IsWrapper(obj=0x000000000000000f) at jswrapper.h:339 [opt]
    frame #3: 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] bool JSObject::is<js::WrapperObject>(this=0x000000000000000f) const at WrapperObject.h:35 [opt]
    frame #4: 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(JS::Handle<JS::Value>) [inlined] js::EmulatesUndefined(obj=0x000000000000000f) at jsboolinlines.h:20 [opt]
    frame #5: 0x00000001003a90a5 js-64-dm-clang-darwin-81463aec62d0`js::ToBooleanSlow(v=<unavailable>) + 37 at jsbool.cpp:176 [opt]
    frame #6: 0x000000010072fa0c js-64-dm-clang-darwin-81463aec62d0`js::jit::DoToBoolFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICToBool_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) [inlined] JS::ToBoolean(JS::Handle<JS::Value>) + 212 at Conversions.h:125 [opt]
    frame #7: 0x000000010072f938 js-64-dm-clang-darwin-81463aec62d0`js::jit::DoToBoolFallback(cx=<unavailable>, frame=<unavailable>, stub=<unavailable>, arg=<unavailable>, ret=<unavailable>) + 56 at BaselineIC.cpp:448 [opt]
    frame #8: 0x00000001030b9202
(lldb) x/i $pc
->  0x1003a90a5: 48 8b 08  movq   (%rax), %rcx
(lldb) x/b $rax
error: memory read failed for 0x0
(lldb) x/b $rcx
error: memory read failed for 0x1fe00
(lldb)
Crash Signature: [@ js::ToBooleanSlow]
> crashes [@ js::ToBooleanSlow].

This crash happens on 64-bit opt builds:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh ./configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Attached patch Fix (Splinter Review)
We attach the stub before executing the GetName operation, so we might still have uninitialized lexicals. Don't attach the stub in that case.
Assignee: nobody → evilpies
Status: NEW → ASSIGNED
Flags: needinfo?(evilpies)
Attachment #8822945 - Flags: review?(jdemooij)
Comment on attachment 8822945 [details] [diff] [review] Fix Review of attachment 8822945 [details] [diff] [review]: ----------------------------------------------------------------- Can we add a testcase for this? Maybe something like the one in comment 0 with global.evaluate() instead of evalcx. ::: js/src/jit/CacheIR.cpp @@ +1218,4 @@ > if (!shape->hasDefaultGetter() || !shape->hasSlot()) > return false; > > + // This might stil be an unitialized lexical. Nit: uninitialized, typo
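Review bot: the comment line added at the end of the hunk, `+ // This might stil be an unitialized lexical.`, carries two typos ("stil", "unitialized"), and the guard it announces is outside the quoted four-line context, so it cannot be verified here; the check needs to sit after the `hasDefaultGetter()`/`hasSlot()` early returns shown and before the slot's value is consulted to attach the stub, since the patch description says the stub is attached before the GetName operation runs, and the regression test requested above (comment 0's testcase with global.evaluate() instead of evalcx) should land together with the fix so the uninitialized-lexical path stays covered.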
Attachment #8822945 - Flags: review?(jdemooij) → review+
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c32cbdff356e
Correct CacheIR issue with uninitialized let and GetGName. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Is this actually a regression from bug 1324566? So, are 51 and 52 unaffected?
(In reply to Marco Castelluccio [:marco] (PTO until Jan 3) from comment #11)
> Is this actually a regression from bug 1324566?
> So, are 51 and 52 unaffected?

Right, it's a regression from bug 1324566 so these are unaffected.