Closed Bug 1657817 Opened 5 years ago Closed 5 years ago

Assertion failure: slot < MAX_FIXED_SLOTS, at vm/NativeObject.h:1542

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 --- verified

People

(Reporter: decoder, Assigned: tcampbell)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200807-d51942b1e2d8 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --ion-full-warmup-threshold=0):

function test({
    [ ++set ]: a39
  } = (description) => () => (function() {
    with(e9) return f44();
  })
  , b58, c83, d75, e9, f44, g85
  , h10, i15, j74, k90, x83, y11, z7
) {}
test();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557be89a2 in js::jit::MacroAssembler::initGCSlots(js::jit::Register, js::jit::Register, js::jit::NativeTemplateObject const&, bool) ()
#1  0x0000555557be6a61 in js::jit::MacroAssembler::initGCThing(js::jit::Register, js::jit::Register, js::jit::TemplateObject const&, bool) ()
#2  0x00005555579f6b68 in js::jit::CodeGenerator::visitNewCallObject(js::jit::LNewCallObject*) ()
#3  0x00005555579f4585 in js::jit::CodeGenerator::generateBody() ()
#4  0x0000555557a2e329 in js::jit::CodeGenerator::generate() ()
#5  0x0000555557a87b63 in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) ()
#6  0x0000555557a87dfa in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x0000555557a9a9a4 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#8  0x0000555557a89273 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#9  0x0000555557a88882 in js::jit::CanEnterIon(JSContext*, js::RunState&) ()
#10 0x0000555557b21930 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#11 0x0000555556c9eb01 in js::RunScript(JSContext*, js::RunState&) ()
#12 0x0000555556cb3936 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#13 0x0000555556cb51ac in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#14 0x000055555773ae91 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#15 0x0000386cf8002093 in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x55555588edb9	93824995618233
rbx	0x10	16
rcx	0x55555847fa80	93825041693312
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffaab0	140737488333488
rsp	0x7fffffffaa40	140737488333376
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9ddc0	140737353735616
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x0	0
r13	0x10	16
r14	0x2	2
r15	0x7ffff6076040	140737321066560
rip	0x555557be89a2 <js::jit::MacroAssembler::initGCSlots(js::jit::Register, js::jit::Register, js::jit::NativeTemplateObject const&, bool)+1602>
=> 0x555557be89a2 <_ZN2js3jit14MacroAssembler11initGCSlotsENS0_8RegisterES2_RKNS0_20NativeTemplateObjectEb+1602>:	movl   $0x606,0x0
   0x555557be89ad <_ZN2js3jit14MacroAssembler11initGCSlotsENS0_8RegisterES2_RKNS0_20NativeTemplateObjectEb+1613>:	callq  0x555556bba7ae <abort>
Attached file Testcase

Ted, could this be from recent Stencil changes related to Scope/EnvironmentObject?

Flags: needinfo?(tcampbell)

Good thought, but this seems to still reproduce even before Bug 1653248. Hopefully the bisection tells us more.

Flags: needinfo?(tcampbell)

I can reproduce this on beta and release.

The assert was added in https://hg.mozilla.org/mozilla-central/rev/4d321c1702bc but this may be an older issue...

If I put the assert into older builds I can even reproduce in esr60.

The initGCSlots code looks a little sloppy and gets caught up by these asserts. I'm reasonably sure that [1] is saving us. Will confirm, but chances are good that this is benign.

[1] https://searchfox.org/mozilla-central/rev/26b13464c2beb26e0d864d561c30e817a85c348a/js/src/jit/MacroAssembler.cpp#947

Check that we will actually need to fill slots before calling
getFixedSlotOffset. This fixes some sanity check asserts, but the issue is
benign in optimized builds because the invalid offset is not used if there
are no slots to fill.

Assignee: nobody → tcampbell
Status: NEW → ASSIGNED

This is a debug-only assert. In release we generate a bogus offset but do not consume it in that case.
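The commit message and the comment above describe a guard-ordering bug: the start offset of the slots still to be initialised was computed before checking whether any slot needed filling, so in the no-op case the offset lookup asked for a slot index equal to the fixed-slot count and tripped the debug-only `slot < MAX_FIXED_SLOTS` check. The following C++ sketch is an added illustration of that pattern and of the fix, not SpiderMonkey's code: `MAX_FIXED_SLOTS`, `SLOT_BYTES`, `UNDEFINED_BITS`, `TemplateObj` and the helper names are all constructed here, and the sanity check is modelled as a function returning a status instead of aborting so that both the pre-fix and post-fix variants can be run side by side.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-ins; the engine's real values are not on this page.
constexpr size_t MAX_FIXED_SLOTS = 16;
constexpr size_t SLOT_BYTES = sizeof(uint64_t);
constexpr uint64_t UNDEFINED_BITS = 0xFFF1000000000000ULL;  // marker for "undefined"

// Constructed stand-in for a native template object: the number of fixed
// (inline) slots and how many of them the template has already initialised.
struct TemplateObj {
  size_t numFixedSlots;
  size_t numPrefilledSlots;
};

// Stand-in for the debug-only `slot < MAX_FIXED_SLOTS` sanity check. Instead of
// aborting like the real assertion, it reports whether the offset is valid so
// that both variants below can be exercised and compared.
static bool fixedSlotOffset(size_t slot, size_t* out) {
  if (slot >= MAX_FIXED_SLOTS) return false;
  *out = slot * SLOT_BYTES;
  return true;
}

// Writes the undefined marker into `count` slots starting at byte `offset`
// and returns how many slots were written.
static int fillUndefined(std::vector<uint8_t>& obj, size_t offset, size_t count) {
  for (size_t i = 0; i < count; i++) {
    std::memcpy(&obj[offset + i * SLOT_BYTES], &UNDEFINED_BITS, SLOT_BYTES);
  }
  return static_cast<int>(count);
}

// Before the fix: the start offset is computed before checking whether any
// slot still needs filling. When the template already initialised every fixed
// slot (e.g. a call object whose many arguments occupy all MAX_FIXED_SLOTS
// inline slots), start == MAX_FIXED_SLOTS and the sanity check fires although
// the offset would never be consumed. Returns -1 where the debug assert would
// fire; a release build would simply carry the bogus offset and never use it.
int initGCSlotsBefore(const TemplateObj& t) {
  std::vector<uint8_t> obj(t.numFixedSlots * SLOT_BYTES, 0);
  size_t start = t.numPrefilledSlots;
  size_t offset;
  if (!fixedSlotOffset(start, &offset)) return -1;
  return fillUndefined(obj, offset, t.numFixedSlots - start);
}

// After the fix: look up the offset only when there is at least one slot to
// fill, so the no-op case never asks for an out-of-range slot index.
int initGCSlotsAfter(const TemplateObj& t) {
  std::vector<uint8_t> obj(t.numFixedSlots * SLOT_BYTES, 0);
  size_t start = t.numPrefilledSlots;
  if (start >= t.numFixedSlots) return 0;  // nothing to fill: skip the lookup
  size_t offset;
  if (!fixedSlotOffset(start, &offset)) return -1;
  return fillUndefined(obj, offset, t.numFixedSlots - start);
}

int main() {
  // Constructed inputs: a fully prefilled object (the failing shape) and a
  // partially prefilled one (the ordinary shape).
  TemplateObj full{MAX_FIXED_SLOTS, MAX_FIXED_SLOTS};
  TemplateObj partial{8, 3};
  std::printf("full    before=%d after=%d\n", initGCSlotsBefore(full), initGCSlotsAfter(full));
  std::printf("partial before=%d after=%d\n", initGCSlotsBefore(partial), initGCSlotsAfter(partial));
  return 0;
}
```

The fully prefilled object is the shape that produced the assertion: the pre-fix variant reports the sanity-check failure (-1) while the post-fix variant fills nothing and returns 0; for the ordinary partially prefilled object both variants fill the same five slots, which is why the change is behaviour-preserving in release builds.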

Group: javascript-core-security
Severity: -- → S4
Priority: -- → P3
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200807152823-5860b7b7c7a4. The bug appears to have been introduced in the following build range:
> Start: 6500c049e562946cac1a46407ea6e7a5f61dc01c (20200610175624)
> End: fdbfb24491c8bb340137ba1a0c5c584c92386701 (20200610175824)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6500c049e562946cac1a46407ea6e7a5f61dc01c&tochange=fdbfb24491c8bb340137ba1a0c5c584c92386701
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bdfffd302949 Fix initGCThing for functions with many TDZ arguments. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200808093545-fa0dbdf15f29. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.