Closed Bug 1671762 Opened 4 years ago Closed 4 years ago

Assertion failure: nfixed <= GeneratorObject::FixedSlotLimit, at vm/JSScript.cpp:4517

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
84 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- unaffected
firefox83 --- wontfix
firefox84 --- verified

People

(Reporter: decoder, Assigned: jorendorff)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20201016-c0f6b814ea1d (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557053011 in js::ImmutableScriptData::new_(JSContext*, unsigned int, ...) ()
#1  0x00005555574fd487 in js::frontend::BytecodeEmitter::createImmutableScriptData(JSContext*) ()
#2  0x00005555574fcdf0 in js::frontend::BytecodeEmitter::intoScriptStencil(js::frontend::ScriptStencil*) ()
#3  0x000055555753415a in js::frontend::FunctionScriptEmitter::intoStencil() ()
#4  0x00005555574fd7d3 in js::frontend::BytecodeEmitter::emitFunctionScript(js::frontend::FunctionNode*, js::frontend::TopLevelFunction) ()
#5  0x0000555557509c54 in js::frontend::BytecodeEmitter::emitFunction(js::frontend::FunctionNode*, bool, js::frontend::ListNode*) ()
#6  0x00005555574f9639 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#7  0x00005555575109c4 in js::frontend::BytecodeEmitter::emitCalleeAndThis(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::CallOrNewEmitter&) ()
#8  0x0000555557511f21 in js::frontend::BytecodeEmitter::emitCallOrNew(js::frontend::CallNode*, js::frontend::ValueUsage) ()
#9  0x00005555574f90c9 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#10 0x000055555750cc31 in js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) ()
#11 0x00005555574f9600 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#12 0x000055555750cab2 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#13 0x00005555574f95d0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#14 0x00005555574fc610 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#15 0x00005555575211e4 in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScriptToStencil(JSContext*, js::frontend::CompilationInfo&, js::frontend::SharedContext*) ()
#16 0x00005555574ea246 in js::frontend::CompileGlobalScriptToStencil(JSContext*, js::frontend::CompilationInfo&, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind) ()
#17 0x00005555574eb902 in js::frontend::CompileGlobalScript(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind) ()
#18 0x0000555556ed16f5 in JS::CompileUtf8File(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) ()
[...]
#22 0x0000555556b826dd in main ()

Marking s-s because of the range assert.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201016214537-ac431d6e63f0.
The bug appears to have been introduced in the following build range:

Start: 0d70229022a8d4a730d0ea16d3ebebcd937b35e3 (20201015193216)
End: a502debc3c9778319f0f15d37e5b1fadd2b757ad (20201015193414)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d70229022a8d4a730d0ea16d3ebebcd937b35e3&tochange=a502debc3c9778319f0f15d37e5b1fadd2b757ad

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

I think the assertion is wrong; try-finally and table-switch also use resume offsets.

Flags: needinfo?(jorendorff)

Yup.

Assignee: nobody → jorendorff

As Jan pointed out in the bug, the condition for this assertion is too strong.
I assumed that only generators and async functions have resume points, but they
are also used for try-finally and table-switch.

Let's try again rather than lose the assertion entirely. The new assertion is
placed at the point where the two pieces of information (generator-ness and
fixed slot count) come together.
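To make the reasoning in this comment concrete, here is an added toy model of the assertion; it is not SpiderMonkey's code. The struct fields, the function names and the limit value 16 are assumptions (the real GeneratorObject::FixedSlotLimit is not given on this page). It shows the original check firing on a plain function that has a try-finally and many locals, while the relocated check only fires for an actual generator.

```cpp
// Added example (not SpiderMonkey code): a simplified model of the assertion
// discussed in bug 1671762. Names and the limit value are assumptions.
#include <cstdint>

// Stand-in for GeneratorObject::FixedSlotLimit; the real value is not on this page.
constexpr uint32_t kFixedSlotLimit = 16;

// The facts the bytecode emitter has about one script, in simplified form.
struct ScriptInfo {
  uint32_t nfixed;        // number of fixed (local) slots
  bool isGenerator;       // generator or async function
  bool hasResumeOffsets;  // emitted for generators, but also for try-finally and table-switch
};

// The original assertion ran where only the resume-offset table and nfixed were
// known, so "has resume offsets" stood in for "is a generator".
// Returns true when the assertion would fire.
bool oldAssertionFires(const ScriptInfo& s) {
  return s.hasResumeOffsets && !(s.nfixed <= kFixedSlotLimit);
}

// The relocated check runs where generator-ness and nfixed come together, so a
// plain function using try-finally or table-switch no longer trips it.
bool newAssertionFires(const ScriptInfo& s) {
  return s.isGenerator && !(s.nfixed <= kFixedSlotLimit);
}

// Constructed sample scripts: the false positive (plain function, try-finally,
// many locals), a generator that genuinely exceeds the limit, and a small generator.
ScriptInfo plainFunctionWithTryFinally() { return {kFixedSlotLimit + 1, false, true}; }
ScriptInfo oversizedGenerator()          { return {kFixedSlotLimit + 1, true, true}; }
ScriptInfo smallGenerator()              { return {kFixedSlotLimit, true, true}; }
```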

Group: javascript-core-security
Attachment #9182725 - Attachment description: Bug 1671762 - Fix a broken assertion: nfixed <= GeneratorObject::FixedSlotLimit. r?jandem → Bug 1671762 - Fix a broken assertion: nfixed <= GeneratorObject::FixedSlotLimit. r=jandem
Attachment #9182725 - Attachment description: Bug 1671762 - Fix a broken assertion: nfixed <= GeneratorObject::FixedSlotLimit. r=jandem → Bug 1671762 - Fix a broken assertion: nfixed <= GeneratorObject::FixedSlotLimit. r=tcampbell
Flags: needinfo?(jorendorff)
Pushed by jorendorff@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8c9b3722eb05
Fix a broken assertion: nfixed <= GeneratorObject::FixedSlotLimit. r=tcampbell
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201022145409-5684c9b12b5e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:jorendorff, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
If yes, don't forget to request an uplift for the patches in the regression caused by this fix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jorendorff)
Flags: in-testsuite+
Regressed by: 1412202
Has Regression Range: --- → yes

I do want to uplift this. Won't forget, but I have one or two other related patches I want to uplift and will request them all at the same time.

Sorry, I was in bed with COVID-19 for a solid week.

It would have been nice, but we don't need to uplift this.

Flags: needinfo?(jorendorff)
