1707422 - Assertion failure: pos == wholeChars + wholeLength, at vm/StringType.cpp:865

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

x = "a";
x += +"a";
x += +"a";
x += x;
x += x;
var s = x;
x += 0;
y = x += 0;
y += x += "a";
for (let i = 0; i < 12; ++i) {
    try {
        this();
    } catch {}
}

Assertion failure: pos == wholeChars + wholeLength, at /home/yksnegowt/trees/mozilla-central/js/src/vm/StringType.cpp:865

Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char> (root=<optimized out>) at /home/yksnegowt/trees/mozilla-central/js/src/vm/StringType.cpp:865
warning: Source file is more recent than executable.
865	  MOZ_ASSERT(pos == wholeChars + wholeLength);
(gdb) bt
#0  JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char> (root=<optimized out>) at /home/yksnegowt/trees/mozilla-central/js/src/vm/StringType.cpp:865
#1  0x0000555556f2ee7c in JSRope::flattenInternal<(JSRope::UsingBarrier)0> (this=0x329556006a0) at /home/yksnegowt/trees/mozilla-central/js/src/vm/StringType.cpp:663
#2  JSRope::flattenInternal (this=0x329556006a0) at /home/yksnegowt/trees/mozilla-central/js/src/vm/StringType.cpp:654
#3  JSRope::flatten (this=0x329556006a0, maybecx=<optimized out>) at /home/yksnegowt/trees/mozilla-central/js/src/vm/StringType.cpp:641
#4  0x0000555556e8bdf4 in JSString::ensureLinear (this=0x329556006a0, cx=0x0) at /home/yksnegowt/trees/mozilla-central/js/src/vm/StringType.h:1851
#5  js::QuoteString (sp=sp@entry=0x7fffffffaa20, str=str@entry=0x329556006a0, quote=34 '"') at /home/yksnegowt/trees/mozilla-central/js/src/vm/Printer.cpp:369
#6  0x0000555556e8bf99 in js::QuoteString (cx=cx@entry=0x7ffff6a26000, str=0x329556006a0, quote=quote@entry=34 '"') at /home/yksnegowt/trees/mozilla-central/js/src/vm/Printer.cpp:386
#7  0x0000555556f5f37e in StringToSource (cx=0x7ffff6a26000, str=0x1) at /home/yksnegowt/trees/mozilla-central/js/src/vm/ToSource.cpp:56
#8  js::ValueToSource (cx=0x7ffff6a26000, v=..., v@entry=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/ToSource.cpp:132
#9  0x0000555556bb54ff in js::ObjectToSource(JSContext*, JS::Handle<JSObject*>)::$_4::operator()(JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, PropertyKind) const (this=0x7fffffffadf0, id=..., val=..., kind=PropertyKind::Normal) at /home/yksnegowt/trees/mozilla-central/js/src/builtin/Object.cpp:331
#10 0x0000555556bb4a47 in js::ObjectToSource (cx=cx@entry=0x7ffff6a26000, obj=obj@entry=...) at /home/yksnegowt/trees/mozilla-central/js/src/builtin/Object.cpp:492
#11 0x0000555556bcce6b in obj_toSource (cx=cx@entry=0x7ffff6a26000, argc=<optimized out>, vp=<optimized out>) at /home/yksnegowt/trees/mozilla-central/js/src/builtin/Object.cpp:158
#12 0x0000555556b126d1 in CallJSNative (cx=cx@entry=0x7ffff6a26000, native=0x555556bcccf0 <obj_toSource(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, reason@entry=js::CallReason::Call, args=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:437
#13 0x0000555556b0546a in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6a26000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:522
#14 0x0000555556b0618b in InternalCall (cx=cx@entry=0x7ffff6a26000, args=..., reason=reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:582
#15 0x0000555556b063a0 in js::Call (cx=0x7ffff7c4a9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a26000, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=..., reason=js::CallReason::Getter, reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:599
#16 0x0000555556c2d743 in js::Call (cx=0x7ffff6a26000, fval=..., thisObj=<optimized out>, rval=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.h:99
#17 0x0000555556f5f181 in js::ValueToSource (cx=0x7ffff7c4a9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a26000, v=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/ToSource.cpp:173
#18 0x0000555556c9c854 in js::DecompileValueGenerator (cx=<optimized out>, cx@entry=0x7ffff6a26000, spindex=<optimized out>, v=..., fallbackArg=..., skipStackHits=<optimized out>, skipStackHits@entry=0) at /home/yksnegowt/trees/mozilla-central/js/src/vm/BytecodeUtil.cpp:2405
#19 0x0000555556dd4c85 in js::ReportValueError (cx=cx@entry=0x7ffff6a26000, errorNumber=10, spindex=1, spindex@entry=-2, v=..., fallback=..., arg1=arg1@entry=0x0, arg2=0x0) at /home/yksnegowt/trees/mozilla-central/js/src/vm/JSContext.cpp:605
#20 0x0000555556b05360 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6a26000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:488
#21 0x0000555556b0618b in InternalCall (cx=0x7ffff6a26000, args=..., reason=reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:582
#22 0x0000555556b063a0 in js::Call (cx=0x7ffff7c4a9a0 <_IO_stdfile_2_lock>, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=..., reason=js::CallReason::Getter, reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:599
#23 0x00005555575a7d32 in js::jit::InvokeFunction (cx=0x7ffff7c4a9a0 <_IO_stdfile_2_lock>, obj=..., constructing=<optimized out>, ignoresReturnValue=true, argc=<optimized out>, argv=<optimized out>, rval=...) at /home/yksnegowt/trees/mozilla-central/js/src/jit/VMFunctions.cpp:760
#24 0x0000233f5d612038 in ?? ()
#25 0x00007fffffffbd58 in ?? ()
#26 0x00007fffffffbd58 in ?? ()
#27 0x0000000000000000 in ?? ()
(gdb)

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e668182d6593
user:        Jon Coppeard
date:        Mon Apr 19 16:52:54 2021 +0000
summary:     Bug 1705777 - Move simulated traversal part of algorithm into the main loop r=jandem

Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 5413cedf852d.

Not sure if this is s-s, I'd leave it to Jan/Jon.

Comment 2

[Jon Coppeard (:jonco)]

Attachment: Bug 1707422 - Fix non-inline string data pointer for dependent strings created by rope flattening r?jandem

There is a bug in the string flattening changes that happens when we reuse the
leftmost string as the buffer for the flattened string. In this case the
chacter data pointer for dependent strings converted from ropes is set
incorrectly until we reach the leftmost rope, since we initialize the |pos|
variable to the first character after the contents of the leftmost string. In
the original version of this code we use |str->setNonInlineChars(wholeChars)|
for these. This also results in the lengths of these dependent strings being
wrong since this is caculated based on this pointer. This leads to the
assertion failure.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1705777

Comment 5

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Fix non-inline string data pointer for dependent strings created by rope flattening r=jandem
https://hg.mozilla.org/integration/autoland/rev/87457b5402670d2288c4b2dee515a0f397d7b280
https://hg.mozilla.org/mozilla-central/rev/87457b540267

Comment 6

[Daniel Veditz [:dveditz]]

Split bounty with duplicate bug 1707535