Closed Bug 1483183 Opened 7 years ago Closed 7 years ago

Assertion failure: !JS_IsExceptionPending(cx), at js/src/jsexn.h:130 with stackTest

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- fixed

People

(Reporter: decoder, Assigned: mgaudet)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

Discard pending exception during CCW GetProp IC failure
1.31 KB, patch
tcampbell
: review+
Details | Diff | Splinter Review
Complete covereage with AutoAssertNoPendingException in CacheIR stub attach code
5.30 KB, patch
tcampbell
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision bf79440c1376 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --baseline-eager): stackTest(new Function(` newGlobal({ sameZoneAs: [] }).frame; `)); Backtrace: received signal SIGSEGV, Segmentation fault. 0x000000000079a4d0 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=<optimized out>, __in_chrg=<optimized out>) at js/src/jsexn.h:130 #0 0x000000000079a4d0 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=<optimized out>, __in_chrg=<optimized out>) at js/src/jsexn.h:130 #1 0x0000000000798c7b in js::jit::GetPropIRGenerator::tryAttachStub (this=this@entry=0x7fffffffb690) at js/src/jit/CacheIR.cpp:166 #2 0x0000000000705e15 in js::jit::DoGetPropFallback (cx=<optimized out>, frame=0x7fffffffb908, stub_=<optimized out>, val=..., res=...) at js/src/jit/BaselineIC.cpp:1522 #3 0x00000c4f40e341a8 in ?? () [...] #24 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7fffffffb510 140737488336144 rcx 0x7ffff6c1c2dd 140737333281501 rdx 0x0 0 rsi 0x7ffff6eeb770 140737336227696 rdi 0x7ffff6eea540 140737336223040 rbp 0x7fffffffb4d0 140737488336080 rsp 0x7fffffffb4d0 140737488336080 r8 0x7ffff6eeb770 140737336227696 r9 0x7ffff7fe6780 140737354033024 r10 0x58 88 r11 0x7ffff6b927a0 140737332717472 r12 0x7fffffffb540 140737488336192 r13 0xf4d99201 4107899393 r14 0xf4d99201 4107899393 r15 0x7fffffffb690 140737488336528 rip 0x79a4d0 <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+48> => 0x79a4d0 <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+48>: movl $0x0,0x0 0x79a4db <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+59>: ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/6ffbdf27a930 user: Matthew Gaudet date: Mon Apr 23 17:25:38 2018 -0400 summary: Bug 1438556: [Part 1] Use shape guards on the prototype chain for cross-compartment ICs r=tcampbell This iteration took 294.694 seconds to run.
Flags: needinfo?(mgaudet)
To be perfectly frank, I have no idea if this is the right answer. It passes the test case, but all I have really done is hoisted the stack check that exists in Compartment::wrap into tryAttachCrossCompartment wrapper, and replaced with the DontReport variant. (Alternative answers could include changing the check in Compartment::wrap to be a non-reporting version)
Attachment #9001418 - Flags: review?(tcampbell)
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Comment on attachment 9001418 [details] [diff] [review] Check stack before attempting to create CCW in GetPropIRGenerator Review of attachment 9001418 [details] [diff] [review]: ----------------------------------------------------------------- So, the issue here is actually that classic SpiderMonkey problem where bool return value can indicate either predicate-false or operation-failed-and-pending-exception set. The problem here is that tryAttach functions return false to indicate a failure to attach, while the wrap() call returns false to indicate an exception. Here is example of what to do: https://searchfox.org/mozilla-central/rev/5dbfd833bbb114afe758db4d4bdbc5b13bcc33ef/js/src/jit/CacheIR.cpp#214-217 (We really need to boil the ocean and use type system to mark return values that indicate pending exceptions)
Attachment #9001418 - Flags: review?(tcampbell) → review-
Attachment #9001418 - Attachment is obsolete: true
Flags: needinfo?(mgaudet)
Thanks for the pointer! That's very helpful.
Attachment #9001449 - Flags: review?(tcampbell)
Comment on attachment 9001449 [details] [diff] [review] Discard pending exception during CCW GetProp IC failure Review of attachment 9001449 [details] [diff] [review]: ----------------------------------------------------------------- Include testcase too.
Attachment #9001449 - Flags: review?(tcampbell) → review+
Can you also make a patch to add AutoAssertNoPendingException to any CacheIR generators that are missing it? (Probably move the CallIC ones to the top tryAttachStub too)
Flags: needinfo?(mgaudet)
Priority: -- → P1
Should we maybe just add a AutoAssertNoPendingException member to the IRGenerator base class?
Attachment #9002330 - Flags: review?(tcampbell)
Flags: needinfo?(mgaudet)
Comment on attachment 9002330 [details] [diff] [review] Complete covereage with AutoAssertNoPendingException in CacheIR stub attach code Review of attachment 9002330 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for doing this. I think the tryAttach methods are probably the right place to do it since we use these to communicate and test that tryAttach (which are main interface boundary from CacheIR.cpp to actual instantiations) mean |return false| as failed-to-attach and not operation-failed-with-exception.
Attachment #9002330 - Flags: review?(tcampbell) → review+
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/4e417850332a Discard pending exception during CCW GetProp IC failure r=tcampbell https://hg.mozilla.org/integration/mozilla-inbound/rev/9370dc79ddfc Complete coverage with AutoAssertNoPendingException in CacheIR stub attach code r=tcampbell
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/79082cb95664 Discard pending exception during CCW GetProp IC failure r=tcampbell https://hg.mozilla.org/integration/mozilla-inbound/rev/a6c928f38da7 Complete coverage with AutoAssertNoPendingException in CacheIR stub attach code r=tcampbell
Flags: needinfo?(mgaudet)
See Also: → 1484771
https://hg.mozilla.org/mozilla-central/rev/79082cb95664 https://hg.mozilla.org/mozilla-central/rev/a6c928f38da7
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox63: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Is there a user impact which justifies backport consideration here or can this ride the trains?
Blocks: 1438556
status-firefox61: --- → wontfix
status-firefox62: --- → affected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → affected
Flags: needinfo?(mgaudet)
Flags: in-testsuite+
Probably isn't worth uplifiting.
status-firefox62: affectedwontfix
status-firefox-esr60: affectedwontfix
Flags: needinfo?(mgaudet)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: