1607895 - Assertion failure: !lazy->hasInnerFunctions(), at js/src/vm/JSScript.cpp:325

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200106-9d401beea71d (build with --enable-debug, run with --fuzzing-safe --no-threads):

function evalWithCache(code) {
  code = cacheEntry(code);
  evaluate(code, { saveIncrementalBytecode: { value: true } });
}
function f() {}
test  = (function () {
  function f() {
    (function () {})
  };
  return "var obj = { x : 2 };" + f.toSource() + "; f()";
})(0, f.length);
evalWithCache(test);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555c6984c in mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript<(js::XDRMode)0>(js::XDRState<(js::XDRMode)0>*, JS::Handle<js::Scope*>, JS::Handle<js::ScriptSourceObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSScript*>) ()
#1  0x0000555555c0fc8b in mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRInterpretedFunction<(js::XDRMode)0>(js::XDRState<(js::XDRMode)0>*, JS::Handle<js::Scope*>, JS::Handle<js::ScriptSourceObject*>, JS::MutableHandle<JSFunction*>) ()
#2  0x0000555555e733bf in js::XDRState<(js::XDRMode)0>::codeFunction(JS::MutableHandle<JSFunction*>, JS::Handle<js::ScriptSourceObject*>) ()
#3  0x0000555555c7a9e4 in js::ScriptSource::xdrEncodeFunction(JSContext*, JS::Handle<JSFunction*>, JS::Handle<js::ScriptSourceObject*>) ()
#4  0x0000555555c16ed8 in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#5  0x00005555557b4e04 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#6  0x0000555555c167c8 in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#7  0x00005555557b4e04 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#8  0x00005555558e4772 in Interpret(JSContext*, js::RunState&) ()
#9  0x00005555558da371 in js::RunScript(JSContext*, js::RunState&) ()
#10 0x00005555558f2975 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) ()
#11 0x00005555558f2fcd in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) ()
#12 0x0000555555afaad7 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) ()
#13 0x0000555555afaf3e in ExecuteScript(JSContext*, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >, JS::Handle<JSScript*>, JS::Value*) ()
#14 0x000055555578f81c in Evaluate(JSContext*, unsigned int, JS::Value*) ()
#15 0x00005555558f02e2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#26 0x0000555555772c51 in main ()
rax	0x555556ed2e36	93825018965558
rbx	0x2	2
rcx	0x555557f0e838	93825035987000
rdx	0x0	0
rsi	0x7ffff68b5770	140737329715056
rdi	0x7ffff68b4540	140737329710400
rbp	0x7fffffffaa20	140737488333344
rsp	0x7fffffffa850	140737488332880
r8	0x7ffff68b5770	140737329715056
r9	0x7ffff7fe5d00	140737354030336
r10	0x58	88
r11	0x7ffff655c7a0	140737326204832
r12	0x7ffff58f88a0	140737313212576
r13	0x7fffffffa888	140737488332936
r14	0x7ffff5827000	140737312354304
r15	0x80007ffff5879100	-9223231299542085376
rip	0x555555c6984c <mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript<(js::XDRMode)0>(js::XDRState<(js::XDRMode)0>*, JS::Handle<js::Scope*>, JS::Handle<js::ScriptSourceObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSScript*>)+4028>
=> 0x555555c6984c <_ZN2js9XDRScriptILNS_7XDRModeE0EEEN7mozilla6ResultINS2_2OkEN2JS15TranscodeResultEEEPNS_8XDRStateIXT_EEENS5_6HandleIPNS_5ScopeEEENSB_IPNS_18ScriptSourceObjectEEENSB_IP8JSObjectEENS5_13MutableHandleIP8JSScriptEE+4028>:	movl   $0x145,0x0
   0x555555c69857 <_ZN2js9XDRScriptILNS_7XDRModeE0EEEN7mozilla6ResultINS2_2OkEN2JS15TranscodeResultEEEPNS_8XDRStateIXT_EEENS5_6HandleIPNS_5ScopeEEENSB_IPNS_18ScriptSourceObjectEEENSB_IP8JSObjectEENS5_13MutableHandleIP8JSScriptEE+4039>:	callq  0x5555557f7af2 <abort>

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9160b2617014
user: Ted Campbell
date: Mon Dec 09 17:16:06 2019 +0000
summary: Bug 1566466 - Clean up relazification conditions. r=jandem

Ted, is bug 1566466 a likely regressor?

Comment 2

[Fuzzing Team]

JSBugMon: Cannot process bug: Error: Failed to isolate original revision for test

Comment 3

[Ted Campbell [:tcampbell]]

Attachment: Bug 1607895 - Update BinAST.yaml file. r?arai

Updates the yaml file so that it generates the currently checked in output
artifacts. These are recent regressions but straightforward to fix.

Comment 4

[Ted Campbell [:tcampbell]]

Attachment: Bug 1607895 - Compute HasInnerFunctions from Parser. r?mgaudet

Since the bytecode emitter may remove inner functions, we can end up with
inconsistent definitions of the flag. Instead compute this in the parser
using the conservative definition.

Depends on D61934

Comment 5

[Pulsebot]

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fecd58af98ac
Update BinAST.yaml file. r=arai
https://hg.mozilla.org/integration/autoland/rev/64f9ecf63927
Compute HasInnerFunctions from Parser. r=mgaudet

Comment 6

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/fecd58af98ac
https://hg.mozilla.org/mozilla-central/rev/64f9ecf63927