1657817 - Assertion failure: slot < MAX_FIXED_SLOTS, at vm/NativeObject.h:1542

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect, P3)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200807-d51942b1e2d8 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --ion-full-warmup-threshold=0):

function test({
    [ ++set ]: a39
  } = (description) => () => (function() {
    with(e9) return f44();
  })
  , b58, c83, d75, e9, f44, g85
  , h10, i15, j74, k90, x83, y11, z7
) {}
test();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557be89a2 in js::jit::MacroAssembler::initGCSlots(js::jit::Register, js::jit::Register, js::jit::NativeTemplateObject const&, bool) ()
#1  0x0000555557be6a61 in js::jit::MacroAssembler::initGCThing(js::jit::Register, js::jit::Register, js::jit::TemplateObject const&, bool) ()
#2  0x00005555579f6b68 in js::jit::CodeGenerator::visitNewCallObject(js::jit::LNewCallObject*) ()
#3  0x00005555579f4585 in js::jit::CodeGenerator::generateBody() ()
#4  0x0000555557a2e329 in js::jit::CodeGenerator::generate() ()
#5  0x0000555557a87b63 in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) ()
#6  0x0000555557a87dfa in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x0000555557a9a9a4 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#8  0x0000555557a89273 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#9  0x0000555557a88882 in js::jit::CanEnterIon(JSContext*, js::RunState&) ()
#10 0x0000555557b21930 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#11 0x0000555556c9eb01 in js::RunScript(JSContext*, js::RunState&) ()
#12 0x0000555556cb3936 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#13 0x0000555556cb51ac in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#14 0x000055555773ae91 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#15 0x0000386cf8002093 in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x55555588edb9	93824995618233
rbx	0x10	16
rcx	0x55555847fa80	93825041693312
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffaab0	140737488333488
rsp	0x7fffffffaa40	140737488333376
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9ddc0	140737353735616
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x0	0
r13	0x10	16
r14	0x2	2
r15	0x7ffff6076040	140737321066560
rip	0x555557be89a2 <js::jit::MacroAssembler::initGCSlots(js::jit::Register, js::jit::Register, js::jit::NativeTemplateObject const&, bool)+1602>
=> 0x555557be89a2 <_ZN2js3jit14MacroAssembler11initGCSlotsENS0_8RegisterES2_RKNS0_20NativeTemplateObjectEb+1602>:	movl   $0x606,0x0
   0x555557be89ad <_ZN2js3jit14MacroAssembler11initGCSlotsENS0_8RegisterES2_RKNS0_20NativeTemplateObjectEb+1613>:	callq  0x555556bba7ae <abort>

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Jan de Mooij [:jandem]]

Ted, could this be from recent Stencil changes related to Scope/EnvironmentObject?

Comment 3

[Ted Campbell [:tcampbell]]

Good thought, but this seems to still reproduce even before Bug 1653248. Hopefully the bisection tells us more.

Comment 4

[Ted Campbell [:tcampbell]]

I can reproduce this on beta and release.

Comment 5

[Ted Campbell [:tcampbell]]

The assert was added in https://hg.mozilla.org/mozilla-central/rev/4d321c1702bc but this may be an older issue...

Comment 6

[Ted Campbell [:tcampbell]]

If I put the assert into older builds I can even reproduce in esr60.

Comment 7

[Ted Campbell [:tcampbell]]

The initGCSlots code looks a little sloppy and gets caught up by these asserts. I'm reasonably sure that ([1])[https://searchfox.org/mozilla-central/rev/26b13464c2beb26e0d864d561c30e817a85c348a/js/src/jit/MacroAssembler.cpp#947] is saving us. Will confirm, but chances are good that this is benign.

[1] https://searchfox.org/mozilla-central/rev/26b13464c2beb26e0d864d561c30e817a85c348a/js/src/jit/MacroAssembler.cpp#947

Comment 8

[Ted Campbell [:tcampbell]]

Attachment: Bug 1657817 - Fix initGCThing for functions with many TDZ arguments. r?jandem

Check that we will actually need to fill slots before calling
getFixedSlotOffset. This fixes some sanity check asserts, but the issue is
benign in optimized builds because the invalid offset is not used if there
are not slots to fill.

Comment 9

[Ted Campbell [:tcampbell]]

This is a debug-only assert. In release we generate a bogus offset but do not consume it in that case.

Comment 10

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200807152823-5860b7b7c7a4.
The bug appears to have been introduced in the following build range:
> Start: 6500c049e562946cac1a46407ea6e7a5f61dc01c (20200610175624)
> End: fdbfb24491c8bb340137ba1a0c5c584c92386701 (20200610175824)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6500c049e562946cac1a46407ea6e7a5f61dc01c&tochange=fdbfb24491c8bb340137ba1a0c5c584c92386701

Comment 11

[Pulsebot]

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bdfffd302949
Fix initGCThing for functions with many TDZ arguments. r=jandem

Comment 12

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/bdfffd302949

Comment 13

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200808093545-fa0dbdf15f29.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.