Closed Bug 1662113 Opened 4 years ago Closed 4 years ago

Crash [@ js::frontend::BytecodeEmitter::intoScriptStencil] or Assertion failure: aIndex < mLength, at mozilla/Vector.h:481 with dumpStencil

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
82 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox80 --- unaffected
firefox81 --- unaffected
firefox82 --- verified

People

(Reporter: decoder, Assigned: tcampbell)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200831-b4055ac79297 (opt build, run with --fuzzing-safe --ion-offthread-compile=off):

var g66 = newGlobal({newCompartment: true});
g66.dumpStencil("x");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::frontend::BytecodeEmitter::intoScriptStencil (this=0x7fffffffae80, script=0x60) at js/src/frontend/BytecodeEmitter.cpp:11250
#1  0x0000555556257e04 in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffae80, body=0x7ffff6068020) at js/src/frontend/BytecodeEmitter.cpp:2488
#2  0x00005555560b2657 in FrontendTest<mozilla::Utf8Unit> (cx=0x7ffff6023000, options=..., units=<optimized out>, length=1, compilationInfo=..., compilationState=..., goal=<optimized out>, dumpType=DumpType::Stencil) at js/src/shell/js.cpp:5195
#3  FrontendTest (cx=0x7ffff6023000, argc=<optimized out>, vp=<optimized out>, funcName=<optimized out>, dumpType=DumpType::Stencil) at js/src/shell/js.cpp:5439
#4  0x0000555555d3bf41 in CallJSNative (cx=0x7ffff6023000, native=<optimized out>, reason=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:507
#5  js::InternalCallOrConstruct (cx=0x7ffff6023000, args=..., construct=<optimized out>, reason=<optimized out>) at js/src/vm/Interpreter.cpp:599
#6  0x0000555555d40942 in InternalCall (cx=<optimized out>, args=..., reason=<optimized out>) at js/src/vm/Interpreter.cpp:664
#7  js::Call (cx=0x7ffff6023000, fval=..., thisv=..., args=..., rval=..., reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:681
#8  0x00005555561343b4 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff6023000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:163
#9  0x000055555612d0d6 in js::CrossCompartmentWrapper::call (this=0x555557781750 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6023000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:239
#10 0x000055555612ff01 in js::Proxy::call (cx=0x7ffff6023000, proxy=..., args=...) at js/src/proxy/Proxy.cpp:641
#11 0x0000555555d3be3e in js::InternalCallOrConstruct (cx=0x0, args=..., construct=<optimized out>, reason=<optimized out>) at js/src/vm/Interpreter.cpp:573
#12 0x0000555555d217ce in InternalCall (cx=0x7ffff6023000, args=..., reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:664
#13 js::CallFromStack (cx=0x7ffff6023000, args=...) at js/src/vm/Interpreter.cpp:668
#14 Interpret (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:3336
#15 0x00005555560f056f in js::RunScript (cx=0x7ffff6023000, state=...) at js/src/vm/Interpreter.cpp:468
#16 js::ExecuteKernel (cx=0x7ffff6023000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=...) at js/src/vm/Interpreter.cpp:856
#17 0x000055555572d39d in JS_ExecuteScript (cx=0x0, scriptArg=...) at js/src/vm/CompilationAndEvaluation.cpp:422
#18 0x00005555560b9a94 in RunFile (cx=0x7ffff6023000, filename=0x7fffffffdfad "test.js", file=<optimized out>, compileMethod=<optimized out>, compileOnly=false) at js/src/shell/js.cpp:963
#19 0x00005555560b95c0 in Process (cx=0x7ffff6023000, filename=0x7fffffffdfad "test.js", forceTTY=<optimized out>, kind=FileScript) at js/src/shell/js.cpp:1493
#20 0x00005555560922ac in ProcessArgs (cx=<optimized out>, op=0x7fffffffc9a8) at js/src/shell/js.cpp:10172
#21 Shell (cx=<optimized out>, op=0x7fffffffc9a8, envp=<optimized out>) at js/src/shell/js.cpp:10857
#22 main (argc=-167741440, argv=0x7ffff6025170, envp=<optimized out>) at js/src/shell/js.cpp:11599
rax	0x7fffffffb010	140737488334864
rbx	0x7fffffffae01	140737488334337
rcx	0x7ffff4a234f0	140737297659120
rdx	0x0	0
rsi	0x7fffffffa780	140737488332672
rdi	0x0	0
rbp	0x7fffffffa830	140737488332848
rsp	0x7fffffffa720	140737488332576
r8	0x0	0
r9	0x7ffff4a234f0	140737297659120
r10	0x1	1
r11	0x0	0
r12	0x0	0
r13	0x7fffffffae80	140737488334464
r14	0x60	96
r15	0x7ffff4a66680	140737297933952
rip	0x555555eb666f <js::frontend::BytecodeEmitter::intoScriptStencil(js::frontend::ScriptStencil*)+623>
=> 0x555555eb666f <js::frontend::BytecodeEmitter::intoScriptStencil(js::frontend::ScriptStencil*)+623>:	mov    0x10(%r14),%r12
   0x555555eb6673 <js::frontend::BytecodeEmitter::intoScriptStencil(js::frontend::ScriptStencil*)+627>:	mov    0x18(%r14),%rax

Likely a shell-only problem with dumpStencil.

Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200831091558-b4055ac79297. The bug appears to have been introduced in the following build range:
> Start: ae59b435ba7e86aca38535e07e7b12609bb9a9b1 (20200827225009)
> End: 0ae2362c2288c83b8cf0c41670288911f4ada69e (20200827225530)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ae59b435ba7e86aca38535e07e7b12609bb9a9b1&tochange=0ae2362c2288c83b8cf0c41670288911f4ada69e
Assignee: nobody → tcampbell

Since the dumpStencil duplicates part of the BytecodeCompiler code, we must
explicitly instantiate the top-level stencil before parse is run. Also add a
test case for this.
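Added illustration of the defect class described in the fix above; this is a modelled stand-in, not SpiderMonkey code, and the struct and function names are assumptions chosen to mirror the backtrace. It shows why a consumer that writes into the top-level stencil slot must have that slot created first: in a debug build the empty-vector lookup trips the `aIndex < mLength` assertion, while an opt build dereferences a bogus pointer (the `script=0x60` in frame #0).

```cpp
// Modelled example, NOT SpiderMonkey code: names are stand-ins for the
// real ScriptStencil / CompilationInfo / BytecodeEmitter types.
#include <cstddef>
#include <string>
#include <vector>

struct ScriptStencil {            // stand-in for js::frontend::ScriptStencil
  std::string source;
  std::size_t bytecodeLength = 0;
};

struct CompilationStencil {       // stand-in for the compilation state
  std::vector<ScriptStencil> scriptData;  // index 0 is the top-level script
};

// Bounds-checked lookup modelling mozilla::Vector::operator[] in a debug
// build: an out-of-range index yields nullptr here instead of asserting.
ScriptStencil* topLevelStencil(CompilationStencil& ci) {
  const std::size_t index = 0;
  if (!(index < ci.scriptData.size())) return nullptr;  // aIndex < mLength
  return &ci.scriptData[index];
}

// Stand-in for BytecodeEmitter::intoScriptStencil: fills the target slot.
bool intoScriptStencil(ScriptStencil* script, const std::string& src) {
  if (!script) return false;  // an opt build would dereference garbage here
  script->source = src;
  script->bytecodeLength = src.size() + 1;
  return true;
}

// Shell helper as reported: emits without creating the top-level slot.
bool dumpStencilBroken(const std::string& src) {
  CompilationStencil ci;
  return intoScriptStencil(topLevelStencil(ci), src);
}

// Shell helper after the fix: emplace the top-level stencil before emitting.
bool dumpStencilFixed(const std::string& src) {
  CompilationStencil ci;
  ci.scriptData.emplace_back();  // the "must emplace top stencil" step
  return intoScriptStencil(topLevelStencil(ci), src);
}
```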

Regressed by: 1658720
Has Regression Range: --- → yes
Severity: -- → S4
Priority: -- → P2
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ec66ca239374 The `dumpStencil` shell function must emplace top stencil. r=arai
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200901032054-30a8286a26ed. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
