1714026 - Assertion failure: ca == JS::SymbolCode::InSymbolRegistry || ca == JS::SymbolCode::UniqueSymbol, at vm/Iteration.cpp:424 with --differential-testing

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 1514fcbf80a0 ((buildtype not available) build, run with --fuzzing-safe --differential-testing --more-compartments):

var g = newGlobal({ newCompartment: true });
var dbg = Debugger();
var gobj = dbg.addDebuggee(g);
g.eval(`
class MyClass {
    constructor() {
        this.publicProperty = 1;
        this.publicSymbol = Symbol("public");
        this[this.publicSymbol] = 2;
        this.#privateProperty1 = 3;
        this.#privateProperty2 = 4;
    }
    static #privateStatic1
    static #privateStatic2
    #privateProperty1
    #privateProperty2
    #privateMethod() {}
    publicMethod(){}
}
obj = new MyClass();
klass = MyClass`);
var privatePropertiesSymbolsDescriptions = gobj
  .getOwnPropertyDescriptor("obj")
  .value.getOwnPrivateProperties()
  .map(sym => sym.description);
assertEq(
  JSON.stringify(privatePropertiesSymbolsDescriptions),
  JSON.stringify([`#privateProperty1`, `#privateProperty2`])
);
var classPrivatePropertiesSymbolsDescriptions = gobj
  .getOwnPropertyDescriptor("klass")
  .value.getOwnPrivateProperties()
  .map(sym => sym.description);
assertEq(
  JSON.stringify(classPrivatePropertiesSymbolsDescriptions),
  JSON.stringify([`#privateStatic1`, `#privateStatic2`])
);

This is an unreduced copy of jit-test/tests/debug/Object-getOwnPrivateProperties.js that only fails when run with --differential-testing only.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000aaaaaafd8b4c in SortComparatorIds::operator() (this=this@entry=0xffffffffc9c0, aArg=..., bArg=..., lessOrEqualp=<optimized out>, lessOrEqualp@entry=0xffffffffc9bc) at mozilla/Assertions.h:39
#1  0x0000aaaaaafd741c in js::MergeSort<JS::PropertyKey, SortComparatorIds> (array=array@entry=0xffffffffcd20, nelems=nelems@entry=4, scratch=<optimized out>, c=...) at ds/Sort.h:105
#2  0x0000aaaaaafc7f9c in Snapshot (cx=cx@entry=0xfffff6c1c000, pobj_=..., pobj_@entry=..., flags=<optimized out>, props=..., props@entry=...) at vm/Iteration.cpp:552
#3  0x0000aaaaaafc7574 in js::GetPropertyKeys (cx=0x0, cx@entry=0xfffff6c1c000, obj=..., obj@entry=..., flags=<optimized out>, props=..., props@entry=...) at vm/Iteration.cpp:564
#4  0x0000aaaaab3979b8 in GetSymbolPropertyKeys (cx=cx@entry=0xfffff6c1c000, object=..., props=props@entry=..., includePrivate=true) at debugger/Object.cpp:2083
#5  0x0000aaaaab38ceec in js::DebuggerObject::getOwnPrivateProperties (cx=0xfffff6c1c000, object=..., result=...) at debugger/Object.cpp:2112
#6  0x0000aaaaab38cc9c in js::DebuggerObject::CallData::getOwnPrivatePropertiesMethod (this=<optimized out>, this@entry=0xffffffffcf10) at debugger/Object.cpp:806
#7  0x0000aaaaab3a8f90 in js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::getOwnPrivatePropertiesMethod> (cx=cx@entry=0xfffff6c1c000, argc=<optimized out>, vp=<optimized out>) at debugger/Object.cpp:245
#8  0x0000aaaaaad69b30 in CallJSNative (cx=cx@entry=0xfffff6c1c000, native=0xaaaaab3a8e90 <js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::getOwnPrivatePropertiesMethod>(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, reason@entry=js::CallReason::Call, args=...) at vm/Interpreter.cpp:427
[...]
#22 0x0000aaaaaac82060 in main (argc=<optimized out>, argv=<optimized out>) at shell/js.cpp:12644
x0	0x0	0
x1	0x0	0
x2	0x1	1
x3	0x0	0
x4	0x0	0
x5	0x0	0
x6	0x0	0
x7	0x64	100
x8	0x0	0
x9	0xad34fcb8	187650027093176
x10	0xac12c628	187650008073768
x11	0x0	0
x12	0x20	32
x13	0x0	0
x14	0xf7ba5308	281474837926664
x15	0xf7b97e08	281474837872136
x16	0xf7bf5d98	281474838257048
x17	0xad34a028	187650027069480
x18	0x2a8	680
x19	0x1a8	424
x20	0xffffc9c0	281474976696768
x21	0x58a2d144	49853172470084
x22	0xaa	170
x23	0xffffcd20	281474976697632
x24	0x3	3
x25	0x1	1
x26	0x3	3
x27	0xad2c9f58	187650026544984
x28	0xffffcd20	281474976697632
x29	0xffffc960	281474976696672
x30	0xaafd8b34	187649989905204
sp	0xffffc8d0	281474976696528
pc	0xaaaaaafd8b4c <SortComparatorIds::operator()(JS::PropertyKey, JS::PropertyKey, bool*)+1468>
cpsr	[ EL=0 C Z ]
fpcsr	void
fpcr	0x0	0
=> 0xaaaaaafd8b4c <SortComparatorIds::operator()(JS::PropertyKey, JS::PropertyKey, bool*)+1468>:	str	w19, [x8]
   0xaaaaaafd8b50 <SortComparatorIds::operator()(JS::PropertyKey, JS::PropertyKey, bool*)+1472>:	bl	0xaaaaaacf0480 <abort()>

Would be great to get this fixed for differential testing in jsfunfuzz.

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 3

[Steven DeTar [:sdetar]]

:mgaudet, would it make sense for you to investigate this bug?

Comment 4

[Matthew Gaudet (he/him) [:mgaudet]]

Attachment: Bug 1714026 - Update assertion in SortComparatorIds r?yulia

Comment 5

[Pulsebot]

Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/91a8fc76976e
Update assertion in SortComparatorIds r=yulia

Comment 6

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/91a8fc76976e

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:mgaudet, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Comment 8

[Matthew Gaudet (he/him) [:mgaudet]]

I don't think this is worth uplift; I believe the code path is only shell accessible, and only under the --differential-testing flag.