1621956 - Assertion failure: fun->hasBaseScript(), at vm/FrameIter.cpp:824

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200310-c7766d0b4a12 (build with (buildFlags not available), run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --disable-oom-functions):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555b3d112 in js::FrameIter::matchCallee(JSContext*, JS::Handle<JSFunction*>) const ()
#1  0x0000555555c10a98 in AdvanceToActiveCallLinear(JSContext*, js::NonBuiltinScriptFrameIter&, JS::Handle<JSFunction*>) ()
#2  0x0000555555c105b3 in ArgumentsGetterImpl(JSContext*, JS::CallArgs const&) ()
#3  0x0000555555c724f7 in ArgumentsGetter(JSContext*, unsigned int, JS::Value*) ()
#4  0x00005555558e4522 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#5  0x00005555558e3e3f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#6  0x00005555558e62a6 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#7  0x0000555555ca9c89 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#8  0x0000555555caac3e in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#9  0x000055555639d5b5 in js::GetObjectElementOperation ()
#10 0x000055555639bcb7 in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#11 0x000009bcbf261863 in ?? ()
[...]
#31 0x0000000000000000 in ?? ()
rax	0x555556e88429	93825018659881
rbx	0x1b826c6a3920	30246978599200
rcx	0x555557efe850	93825035921488
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffff9f50	140737488330576
rsp	0x7fffffff9ee0	140737488330464
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f9cd00	140737353731328
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x7ffff5e27000	140737318645760
r13	0x7ffff5e27018	140737318645784
r14	0x7fffffff9fc0	140737488330688
r15	0x7fffffff9fd8	140737488330712
rip	0x555555b3d112 <js::FrameIter::matchCallee(JSContext*, JS::Handle<JSFunction*>) const+770>
=> 0x555555b3d112 <_ZNK2js9FrameIter11matchCalleeEP9JSContextN2JS6HandleIP10JSFunctionEE+770>:	movl   $0x338,0x0
   0x555555b3d11d <_ZNK2js9FrameIter11matchCalleeEP9JSContextN2JS6HandleIP10JSFunctionEE+781>:	callq  0x5555557eef2e <abort>

JIT problem with a complex test that won't reduce further easily, marking s-s until triaged/investigated.

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Ted Campbell [:tcampbell]]

I have it captured in RR now. Investigating..

Comment 3

[Ted Campbell [:tcampbell]]

This specific issue is a regression from Bug 1591600. The reasoning I used in [1] isn't valid in the presence of sloppy asm.js functions due to [2].

Minimal test:

function asm_dummy() {
    "use asm";
    function mtd() {}
    return { mtd: mtd }
}

(function() {
    return asm_dummy.arguments;
})();

[1] https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/js/src/vm/FrameIter.cpp#822-824
[2] https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/js/src/vm/JSFunction.cpp#151

Comment 4

[Ted Campbell [:tcampbell]]

I'm not sure why we had so much trouble reducing. The criteria we need is not that complex:

• Have any well-formed asm.js module
• Be inside any function context
• Run asm_dummy.arguments

Comment 5

[Nicolas B. Pierron [:nbp]]

Ted, could this be a consequence of the Observable/Recoverable flags changes?

Comment 6

[Ted Campbell [:tcampbell]]

Unhiding. This was a recent assertion, and there isn't really anything you can do with this. I'll have a patch up soon.

Comment 7

[Ted Campbell [:tcampbell]]

Attachment: Bug 1621956 - Handle asm.js in FrameIter::matchCallee. r?jandem

Comment 8

[Pulsebot]

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/760434af5ead
Disallow fun.caller on asm.js methods. r=jandem

Comment 9

[Cristina Coroiu [:ccoroiu]]

Backed out changeset 760434af5ead (bug 1621956) for SM failures at tests/arguments/function_dot_caller_restrictions.js

Backout: https://hg.mozilla.org/integration/autoland/rev/2ad9f32509a81296a3758d9f1dac6b191f6e225b

Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=760434af5ead326cfa5f784e2c443feadfc4da52

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=293042688&repo=autoland&lineNumber=9836

[task 2020-03-13T14:07:04.796Z] TEST-PASS | js/src/jit-test/tests/arguments/dynamicBindings.js | Success (code 0, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.0 s]
[task 2020-03-13T14:07:04.797Z] /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false
[task 2020-03-13T14:07:04.797Z] Stack:
[task 2020-03-13T14:07:04.797Z] @/builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9
[task 2020-03-13T14:07:04.797Z] Exit code: 3
[task 2020-03-13T14:07:04.797Z] FAIL - arguments/function_dot_caller_restrictions.js
[task 2020-03-13T14:07:04.797Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js | /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false (code 3, args "") [0.0 s]
[task 2020-03-13T14:07:04.797Z] INFO exit-status : 3
[task 2020-03-13T14:07:04.797Z] INFO timed-out : False
[task 2020-03-13T14:07:04.797Z] INFO stderr 2> /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false
[task 2020-03-13T14:07:04.797Z] INFO stderr 2> Stack:
[task 2020-03-13T14:07:04.797Z] INFO stderr 2> @/builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9
[task 2020-03-13T14:07:04.798Z] /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false
[task 2020-03-13T14:07:04.798Z] Stack:
[task 2020-03-13T14:07:04.798Z] @/builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9
[task 2020-03-13T14:07:04.798Z] Exit code: 3
[task 2020-03-13T14:07:04.798Z] FAIL - arguments/function_dot_caller_restrictions.js

Comment 10

[Tom S [:evilpie]]

In theory we want asm.js to be unobservable. Is there no other way to fix this?

Comment 11

[Ted Campbell [:tcampbell]]

Running these non-standard features on things that opted in to asm.js explicitly seemed silly, but letting the frame-iterator just trigger the bailout seems reasonable for asm.js since only malicious code would be trying it.

Comment 12

[Ted Campbell [:tcampbell]]

Updated patching awaiting try-run and reviews. I've restored the asm.js support and instead fixed the FrameIter

Comment 13

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200313163649-87ab9a88abce.
The bug appears to have been introduced in the following build range:
> Start: bf8af9af80475880154922cf2465dc0b0ecd27fd (20200303214128)
> End: 5c3cd1d623f1551407c338563550f1a34e189406 (20200304034350)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bf8af9af80475880154922cf2465dc0b0ecd27fd&tochange=5c3cd1d623f1551407c338563550f1a34e189406

Comment 14

[Intermittent Failures Robot]

10 failures in 5336 pushes (0.002 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 9
• mozilla-central: 1

Platform breakdown:

• windows2012-64: 8
• linux64: 2

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1621956&startday=2020-03-09&endday=2020-03-15&tree=all

Comment 15

[Pulsebot]

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7945f95e6ac3
Handle asm.js in FrameIter::matchCallee. r=jandem

Comment 16

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/7945f95e6ac3

Comment 17

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:tcampbell, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Comment 18

[Ted Campbell [:tcampbell]]

This variant was reported by fuzzing and seems to be an over-zealous assert so not a good candidate for uplift.

Comment 19

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200422214848-17aa41e3cb7c.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.