1348777 - Assertion failure: this->is<T>(), at js/src/jsobj.h:568 with TypedObject

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision e1576dd8bd9d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var uint8 = TypedObject.uint8;
function check(v) {
    return v.toSource();
}
function test() {
    var fake1 = {};
    var fake2 = [];
    fake2.toSource = uint8;
    var a = [fake1, fake2];
    for (var i = 0; i < 1000; i++) try {
        check(a[i % 2]);
    } catch (e) {}
}
test();



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000076b9a8 in JSObject::as<JSFunction> (this=0x7ffff46b0100) at js/src/jsobj.h:568
#0  0x000000000076b9a8 in JSObject::as<JSFunction> (this=0x7ffff46b0100) at js/src/jsobj.h:568
#1  js::jit::InlinePropertyTable::trimTo (this=this@entry=0x7ffff69b57e0, targets=..., choiceSet=...) at js/src/jit/MIR.cpp:5424
#2  0x00000000006eb6e2 in js::jit::IonBuilder::inlineCalls (this=this@entry=0x7ffff69b4270, callInfo=..., targets=..., choiceSet=..., maybeCache=<optimized out>) at js/src/jit/IonBuilder.cpp:4540
#3  0x00000000006ec1e6 in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff69b4270, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:4261
#4  0x00000000006ec4b2 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff69b4270, argc=0, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:5205
#5  0x00000000006f1887 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69b4270, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:2016
#6  0x00000000006f307a in js::jit::IonBuilder::visitBlock (this=this@entry=0x7ffff69b4270, cfgblock=cfgblock@entry=0x7ffff69bc078, mblock=<optimized out>) at js/src/jit/IonBuilder.cpp:1528
#7  0x00000000006e86fc in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b4270) at js/src/jit/IonBuilder.cpp:1449
#8  0x00000000006e93cb in js::jit::IonBuilder::build (this=this@entry=0x7ffff69b4270) at js/src/jit/IonBuilder.cpp:844
#9  0x00000000004325bb in js::jit::IonCompile (cx=cx@entry=0x7ffff6948000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffc5f8, osrPc=osrPc@entry=0x0, recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2270
#10 0x00000000006fd078 in js::jit::Compile (cx=cx@entry=0x7ffff6948000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffc5f8, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2534
#11 0x00000000006fd892 in BaselineCanEnterAtEntry (frame=0x7fffffffc5f8, script=..., cx=0x7ffff6948000) at js/src/jit/Ion.cpp:2663
#12 js::jit::IonCompileScriptForBaseline (cx=0x7ffff6948000, frame=0x7fffffffc5f8, pc=<optimized out>) at js/src/jit/Ion.cpp:2786
#13 0x00000c9706b5b42a in ?? ()
[...]
#43 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff46b0100	140737294041344
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffbc00	140737488337920
rsp	0x7fffffffbbd0	140737488337872
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff69b5818	140737330763800
r13	0x0	0
r14	0x8	8
r15	0x7ffff69b5820	140737330763808
rip	0x76b9a8 <js::jit::InlinePropertyTable::trimTo(mozilla::Vector<JSObject*, 4ul, js::jit::JitAllocPolicy> const&, mozilla::Vector<bool, 4ul, js::jit::JitAllocPolicy> const&)+440>
=> 0x76b9a8 <js::jit::InlinePropertyTable::trimTo(mozilla::Vector<JSObject*, 4ul, js::jit::JitAllocPolicy> const&, mozilla::Vector<bool, 4ul, js::jit::JitAllocPolicy> const&)+440>:	movl   $0x0,0x0
   0x76b9b3 <js::jit::InlinePropertyTable::trimTo(mozilla::Vector<JSObject*, 4ul, js::jit::JitAllocPolicy> const&, mozilla::Vector<bool, 4ul, js::jit::JitAllocPolicy> const&)+451>:	ud2    



Marking s-s because previous bugs with this assert have been s-s and might indicate a type problem.

Comment 1

[Andrew McCreight [:mccr8]]

I'll just mark this sec-high for now.

Comment 2

[Hannes Verschore [:h4writer]]

Attachment: Patch

This fixes the issue. The choiceSet was already false since the target wasn't a JSFunction. Now we forcefully want to remove it from a set it isn't in. We can just assume that any non-JSFunction won't be in the entries list.

Comment 3

[Hannes Verschore [:h4writer]]

Opening. We are comparing a pointer that we assume is "JSFunction", but not inspecting the inners. The comparison for non-JSFunctions will never match either. As a result this is not ss.

Comment 4

[Jan de Mooij [:jandem]]

Comment on attachment 8855275 [details] [diff] [review]
Patch

Review of attachment 8855275 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. Can we add the testcase?

Comment 5

[Pulsebot]

Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c3623c29dc71
IonMonkey - Only trim out JSFunctions from the inline property table, r=jandem

Comment 6

[Iris Hsiao [:ihsiao]]

https://hg.mozilla.org/mozilla-central/rev/c3623c29dc71

Comment 7

[Ryan VanderMeulen [:RyanVM]]

Should we consider this for backport or can it ride the trains?

Comment 8

[Hannes Verschore [:h4writer]]

No need to ride the train. It does the correct thing in release builds