Closed
Bug 1343072
Opened 6 years ago
Closed 6 years ago
Crash [@ js::CompartmentChecker::fail] or Assertion failure: data.s.payload.why == why, at dist/include/js/Value.h:563
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla54
Flag | Tracking | Status |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox-esr52 | --- | unaffected |
firefox53 | --- | fixed |
firefox54 | --- | verified |
People
(Reporter: gkw, Assigned: arai)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 7ef1e9abd296 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

```js
// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/debugmode-osr-exception-return-addr.js
g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () { };");
// jsfunfuzz-generated
for (var x of []) {};
for (var l of [0]) {
  for (var y = 0; y < 1; y++) {
    g2;
  }
}
```

Backtrace:

```
0 js-dbg-64-dm-clang-darwin-7ef1e9abd296 0x000000010a240a59 js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName(js::jit::ValOperandId, JS::Handle<jsid>) + 489 (Value.h:563)
1 js-dbg-64-dm-clang-darwin-7ef1e9abd296 0x000000010a23ce69 js::jit::GetPropIRGenerator::tryAttachStub() + 729 (CacheIR.cpp:205)
2 js-dbg-64-dm-clang-darwin-7ef1e9abd296 0x000000010a480715 js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) + 1573 (SharedIC.cpp:2043)
/snip
```

For detailed crash information, see attachment.

This also crashes js opt shells with a compartment mismatch. Setting s-s because of this, as a start.
Reporter
Comment 1•6 years ago

Reporter
Comment 2•6 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/712e84866cf5
user: Tooru Fujisawa
date: Sun Feb 26 14:02:37 2017 +0900
summary: Bug 1342553 - Part 0.2: Support JSOP_CHECKISCALLABLE in JIT. r=shu

Arai-san, is bug 1342553 a likely regressor?
Flags: needinfo?(arai.unmht)
Assignee
Comment 3•6 years ago
Looks like the iterator object is optimized out (magic value JS_OPTIMIZED_OUT) at PC 00376 below. It's getting the "return" property from `[0][Symbol.iterator]()`. The assertion failure doesn't happen when onExceptionUnwind is not set. I'm not sure what happens there...

```
# try-catch from try @ 00273
00357: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value
00358: exception         # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION
00359: dupat 3           # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...)
00363: undefined         # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) undefined
00364: strictne          # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION ([0][Symbol.iterator](...) !== undefined)
00365: ifeq 431 (+66)    # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION
00370: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION
00371: dupat 3           # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...)
00375: dup               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...)
00376: callprop "return" # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return
00381: dup               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return [0][Symbol.iterator](...).return
00382: undefined         # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return [0][Symbol.iterator](...).return undefined
00383: ne                # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return ([0][Symbol.iterator](...).return != undefined)
00384: ifeq 427 (+43)    # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return
00389: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return
00390: checkiscallable 0 # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return
00392: swap              # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...)
00393: undefined         # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined
00394: try 413 (+19)     # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined
00395: dupat 2           # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined [0][Symbol.iterator](...).return
00399: dupat 2           # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined [0][Symbol.iterator](...).return [0][Symbol.iterator](...)
00403: call 0            # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined [0][Symbol.iterator](...).return(...)
00406: swap              # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) [0][Symbol.iterator](...).return(...) undefined
00407: pop               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) [0][Symbol.iterator](...).return(...)
00408: goto 417 (+9)     # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) [0][Symbol.iterator](...).return(...)
# try-catch from try @ 00394
00413: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined
00414: exception         # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined EXCEPTION
00415: pop               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined
00416: nop               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) undefined
# from goto @ 00408
00417: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...).return [0][Symbol.iterator](...) merged<[0][Symbol.iterator](...).return(...)>
00418: unpick 2          # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION merged<[0][Symbol.iterator](...).return(...)> [0][Symbol.iterator](...).return [0][Symbol.iterator](...)
00420: pop               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION merged<[0][Symbol.iterator](...).return(...)> [0][Symbol.iterator](...).return
00421: pop               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION merged<[0][Symbol.iterator](...).return(...)>
00422: goto 429 (+7)     # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION merged<[0][Symbol.iterator](...).return(...)>
# from ifeq @ 00384
00427: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...) [0][Symbol.iterator](...).return
00428: pop               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION [0][Symbol.iterator](...)
# from goto @ 00422
00429: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION merged<[0][Symbol.iterator](...).return(...)>
00430: pop               # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION
# from ifeq @ 00365
00431: jumptarget        # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value EXCEPTION
00432: throw             # [0][Symbol.iterator](...) [0][Symbol.iterator](...).next(...) [0][Symbol.iterator](...).next(...).value
00433: goto 439 (+6)     # !!! UNREACHABLE !!!
00438: nop               # !!! UNREACHABLE !!!
```
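The bytecode dump in comment 3 is the compiled form of the IteratorClose step that a for-of loop runs when its body exits abruptly: `callprop "return"` fetches the iterator's `return` method, `checkiscallable` validates it, and the `try 413` wrapped around `call 0` discards any exception that `return()` itself raises while the loop is already unwinding a throw. The following is an added example, not code from the bug report or from SpiderMonkey: an iterable with an instrumented iterator (the `makeTrackedIterable` helper and the `run*` functions are hypothetical names chosen here) that makes those same steps visible from plain JavaScript, including the edge case where `return()` throws.

```javascript
// Added example (not from the bug report or SpiderMonkey): observe the
// IteratorClose protocol that the `callprop "return"` / `call 0` bytecode
// implements for for-of loops, from the language level.

// Hypothetical helper: an iterable whose iterator records every next() and
// return() call in `log`. If `returnThrows` is set, return() throws a TypeError.
function makeTrackedIterable(values, returnThrows = false) {
  const log = [];
  return {
    log,
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          log.push("next");
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
        return() {
          log.push("return"); // reached by `callprop "return"` followed by `call 0`
          if (returnThrows) throw new TypeError("return() threw");
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// Mirrors the fuzzer testcase: the inner loop body throws a ReferenceError while
// the outer for-of iterator is still live on the stack, so return() is invoked
// before the exception leaves the loop.
function runWithThrowingBody() {
  const it = makeTrackedIterable([0]);
  let caught = null;
  try {
    for (const l of it) {
      for (let y = 0; y < 1; y++) {
        g2; // undeclared identifier, as in the testcase: ReferenceError
      }
    }
  } catch (e) {
    caught = e;
  }
  return { log: it.log, error: caught === null ? null : caught.name };
}

// Normal exhaustion: next() runs until done, return() is never called.
function runToCompletion() {
  const it = makeTrackedIterable([0, 1]);
  const seen = [];
  for (const v of it) seen.push(v);
  return { log: it.log, seen };
}

// break is also an abrupt exit and triggers IteratorClose.
function runWithBreak() {
  const it = makeTrackedIterable([0, 1, 2]);
  for (const v of it) {
    if (v === 0) break;
  }
  return it.log;
}

// The `try 413` around `call 0` in the dump: when the loop is already unwinding
// a throw, an exception from return() is discarded and the original error wins.
// When the exit was a break, return()'s own exception propagates instead.
function runWithThrowingReturn(exitWithThrow) {
  const it = makeTrackedIterable([0], true);
  try {
    for (const v of it) {
      if (exitWithThrow) throw new RangeError("body threw");
      break;
    }
  } catch (e) {
    return e.name;
  }
  return "no error";
}
```

`runWithThrowingBody()` returns a log of `["next", "return"]` and the error name `ReferenceError`, which is the exact path the crash walks in the debugger-instrumented shell: the iterator slot must still hold a real object when `return` is looked up on it, which is why a bailout that marks that slot `JS_OPTIMIZED_OUT` is fatal at `callprop "return"`.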
Assignee
Comment 4•6 years ago
Do you know what's happening there with debugger interaction?
Flags: needinfo?(arai.unmht) → needinfo?(shu)
Assignee
Comment 5•6 years ago
Looks like it's from InitFromBailout.
https://dxr.mozilla.org/mozilla-central/rev/106a96755d3bcebe64bbbc3b521d65d262ba9c02/js/src/jit/BaselineBailouts.cpp#966
> v = MagicValue(JS_OPTIMIZED_OUT);
Assignee
Comment 6•6 years ago
Sorry, it was caused by the code that wasn't updated to follow the stack depth change of for-of.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Attachment #8841802 -
Flags: review?(shu)
Comment 7•6 years ago
Comment on attachment 8841802 [details] [diff] [review]
Update HasLiveStackValueAtDepth to follow the change in JSTRY_FOR_OF

Review of attachment 8841802 [details] [diff] [review]:
-----------------------------------------------------------------

Nice find. Should've caught it myself but it's hard to keep it all in my head. :(
Attachment #8841802 -
Flags: review?(shu) → review+
Assignee
Comment 8•6 years ago
Thank you for reviewing :) For clarification, this is a nightly-only regression caused by bug 1342553. I'll land this shortly.
Assignee
Comment 9•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e920e33d89acdbaed9b54e439efa99c5f68b557
Bug 1343072 - Update HasLiveStackValueAtDepth to follow the change in JSTRY_FOR_OF r=shu
Reporter
Updated•6 years ago
Summary: Crash [@ js::CompartmentChecker::fail] or Assertion failure: data.s.payload.why == why, at /Users/skywalker/shell-cache/js-dbg-64-dm-clang-darwin-7ef1e9abd296/objdir-js/dist/include/js/Value.h:563 → Crash [@ js::CompartmentChecker::fail] or Assertion failure: data.s.payload.why == why, at dist/include/js/Value.h:563
https://hg.mozilla.org/mozilla-central/rev/2e920e33d89a
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•6 years ago
Status: RESOLVED → VERIFIED
Comment 11•6 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•6 years ago
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
status-firefox53:
--- → unaffected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → unaffected
Updated•6 years ago
Group: javascript-core-security → core-security-release
Comment 13•6 years ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/7dfe8ded9245
Updated•6 years ago
Group: core-security-release