1604530 - Assertion failure: isDouble(), at dist/include/js/Value.h:808 with Debugger

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20191216-27d0d6cc2131 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager):

var lfLogBuffer = `
function IsASCIIAlphaString_CharCodeAt(s93) {
    for (var i74 = 0; gczeal(9,2); i74++) {}
}
function main() {
    function compareTwoByte() {
        var strings = ["abcabcabc"];
        var str = strings[i74 & 1];
        var resultCharCodeAt = IsASCIIAlphaString_CharCodeAt(str);
    }
    compareTwoByte();
}
for (var i74 = 0; i74 < 15; ++i74)
    main();
const root = newGlobal({newCompartment: true});
const dbg = new Debugger();
dbg.memory.trackingAllocationSites = true;
var g62 = newGlobal({ newCompartment: true });
var gdbg = dbg.addDebuggee(g62);
function assertThrows(fn, text) {
  try {
    fn();
  } catch (e56) {  }
}
assertThrows(() => gdbg.setInstrumentation(undefined, []), "");
assertThrows(() => gdbg.setInstrumentation(gdbg.makeDebuggeeValue({}), ["foo"]), "");
assertThrows(() => {}, "");
gdbg.setInstrumentation(gdbg.makeDebuggeeValue({}), ["main"]);
`;
evaluate("evaluate(`" + lfLogBuffer + "`)");

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555c02131 in js::RealmInstrumentation::holderTrace(JSTracer*, JSObject*) ()
#0  0x0000555555c02131 in js::RealmInstrumentation::holderTrace(JSTracer*, JSObject*) ()
#1  0x00005555562c9eea in js::GCMarker::processMarkStackTop(js::SliceBudget&) ()
#2  0x00005555562ca7e5 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) ()
#3  0x00005555562769fd in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::gcstats::PhaseKind) ()
#4  0x00005555562822f1 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) ()
#5  0x0000555556285218 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#6  0x0000555556286e2e in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#7  0x0000555556244b71 in js::gc::GCRuntime::runDebugGC() ()
#8  0x00005555562445f4 in js::gc::GCRuntime::gcIfNeededAtAllocation(JSContext*) ()
#9  0x000055555623fba4 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#10 0x0000555556242062 in js::BaseShape* js::Allocate<js::BaseShape, (js::AllowGC)1>(JSContext*) ()
#11 0x0000555555d3c39b in js::BaseShape::getUnowned(JSContext*, js::StackBaseShape&) ()
#12 0x0000555555d40e41 in js::EmptyShape::getInitialShape(JSContext*, JSClass const*, js::TaggedProto, unsigned long, unsigned int) ()
#13 0x0000555555c58fad in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) ()
#14 0x0000555555c588a0 in js::NewObjectWithGivenTaggedProto(JSContext*, JSClass const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind, unsigned int) ()
#15 0x0000555555d186ae in js::SavedFrame::create(JSContext*) ()
#16 0x0000555555d21cd5 in js::SavedStacks::createFrameFromLookup(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#17 0x0000555555d217cf in js::SavedStacks::getOrCreateSavedFrame(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#18 0x0000555555d1e864 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#19 0x0000555555d1d901 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#20 0x0000555555d22574 in js::SavedStacks::MetadataBuilder::build(JSContext*, JS::Handle<JSObject*>, js::AutoEnterOOMUnsafeRegion&) const ()
#21 0x0000555555cfa452 in JS::Realm::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>) ()
#22 0x0000555555aaedbc in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) ()
#23 0x0000555555c59083 in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) ()
#24 0x0000555555c5968a in js::NewObjectWithClassProtoCommon(JSContext*, JSClass const*, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) ()
#25 0x0000555555c028c6 in js::RealmInstrumentation::install(JSContext*, JS::Handle<js::GlobalObject*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<JS::GCVector<JSString*, 0ul, js::TempAllocPolicy> >) ()
#26 0x00005555560587ea in js::DebuggerObject::CallData::setInstrumentationMethod() ()
#27 0x0000555556064f61 in bool js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::setInstrumentationMethod>(JSContext*, unsigned int, JS::Value*) ()
#28 0x00005555558ff702 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#29 0x00005555558fef08 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#30 0x00005555563ab87d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#31 0x00002aa26b73b263 in ?? ()
[...]
#59 0x0000000000000000 in ?? ()
rax	0x555556e3dd2b	93825018354987
rbx	0xfff9800000000000	-1829587348619264
rcx	0x555557f0d838	93825035982904
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffff7c80	140737488321664
rsp	0x7fffffff7c70	140737488321648
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f98d00	140737353714944
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x7ffff5e2a7a8	140737318660008
r13	0x3f538c1f3040	69628065689664
r14	0x7ffff5e2a7a8	140737318660008
r15	0x7ffff5e7f000	140737319006208
rip	0x555555c02131 <js::RealmInstrumentation::holderTrace(JSTracer*, JSObject*)+145>
=> 0x555555c02131 <_ZN2js20RealmInstrumentation11holderTraceEP8JSTracerP8JSObject+145>:	movl   $0x328,0x0
   0x555555c0213c <_ZN2js20RealmInstrumentation11holderTraceEP8JSTracerP8JSObject+156>:	callq  0x55555580747e <abort>

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/883e6437a6ea
user: Steve Fink
date: Wed Aug 21 10:16:26 2019 +0000
summary: Bug 1574986 - Report count of GC slices r=jonco

Steve, is bug 1574986 a likely regressor?

Comment 2

[Steve Fink [:sfink] [:s:]]

Attachment: Bug 1604530 - Handle GC with uninitialized Instrumentation Holder

Comment 3

[Steve Fink [:sfink] [:s:]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)

Steve, is bug 1574986 a likely regressor?

It doesn't look like it. What is happening is we're allocating an object with clasp InstrumentationHolderClass, clearing out its slots to undefined, then GC'ing before they are set up. During its trace callback, it expects a slot to contain a private pointer, which has not yet been assigned.

Comment 4

[Pulsebot]

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f937f06f717
Handle GC with uninitialized Instrumentation Holder r=bhackett

Comment 5

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/0f937f06f717