Assertion failure: u.scripted.s.script_, at vm/JSFunction.h:448
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking

| Release | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox90 | --- | unaffected |
| firefox91 | --- | unaffected |
| firefox92 | --- | fixed |
People
(Reporter: gkw, Assigned: tcampbell)
References
(Regression)
Details
(Keywords: regression, testcase)
Attachments
(1 file)
(function (y) {
  function e() {
    y;
  }
})(this);
x = {
  z: function () {
    [].push;
  }
};
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
x.z();
for (let i = 0; i < 10; ++i) {
  (function () {})();
}
oomTest((function () {
  return {
    f: (function () {}),
    g: (function () {}).bind(),
  };
}), {
  keepFailing: true
})
Assertion failure: u.scripted.s.script_, at /home/yksnegowt/trees/mozilla-central/js/src/vm/JSFunction.h:448
Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
0x0000555556e7a00b in NewFunctionClone (cx=<optimized out>, cx@entry=0x7ffff6a19000, fun=fun@entry=..., newKind=js::GenericObject, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at /home/yksnegowt/shell-cache/js-dbg-64-linux-x86_64-c59236b26192/objdir-js/dist/include/js/RootingAPI.h:1183
1183 MOZ_ASSERT(GCPolicy<T>::isValid(ptr));
(gdb) bt
#0 0x0000555556e7a00b in NewFunctionClone (cx=<optimized out>, cx@entry=0x7ffff6a19000, fun=fun@entry=..., newKind=js::GenericObject, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at /home/yksnegowt/shell-cache/js-dbg-64-linux-x86_64-c59236b26192/objdir-js/dist/include/js/RootingAPI.h:1183
#1 0x0000555556e797eb in js::CloneFunctionReuseScript (cx=0x7ffff6a19000, cx@entry=0xffff800000000000, fun=..., fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/JSFunction.cpp:2074
#2 0x0000555556b88e48 in js::CloneFunctionObject (cx=<optimized out>, cx@entry=0x7ffff6a19000, fun=..., fun@entry=..., enclosingEnv=..., proto=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/JSFunction-inl.h:42
#3 0x0000555556b7fe79 in js::Lambda (cx=0x7ffff6a19000, fun=fun@entry=..., parent=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:4555
#4 0x0000555556b73a06 in Interpret (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a19000, state=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:3685
#5 0x0000555556b67911 in js::RunScript (cx=0x7ffff6a19000, state=...) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:371
#6 0x0000555556b7ab4b in js::InternalCallOrConstruct (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a19000, args=..., construct=<optimized out>, construct@entry=js::NO_CONSTRUCT, reason=<optimized out>, reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:519
#7 0x0000555556b7b73b in InternalCall (cx=0x7ffff6a19000, args=..., reason=reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:547
#8 0x0000555556b7b960 in js::Call (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=..., reason=js::CallReason::Getter, reason@entry=js::CallReason::Call) at /home/yksnegowt/trees/mozilla-central/js/src/vm/Interpreter.cpp:564
#9 0x0000555557661992 in js::jit::InvokeFunction (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, obj=..., obj@entry=..., constructing=false, ignoresReturnValue=false, argc=<optimized out>, argc@entry=0, argv=<optimized out>, argv@entry=0x7fffffffa8d0, rval=...) at /home/yksnegowt/trees/mozilla-central/js/src/jit/VMFunctions.cpp:761
#10 0x0000555557662150 in js::jit::InvokeFromInterpreterStub (cx=0x7ffff7c0e9a0 <_IO_stdfile_2_lock>, frame=<optimized out>) at /home/yksnegowt/trees/mozilla-central/js/src/jit/VMFunctions.cpp:785
#11 0x000018d623949e7f in ?? ()
#12 0x00007ffff6a19018 in ?? ()
#13 0x00007fffffffa8a8 in ?? ()
#14 0x000038eb56f01870 in ?? ()
#15 0x00000000000000fc in ?? ()
#16 0x000018d623947815 in ?? ()
#17 0x0000000000002044 in ?? ()
#18 0x00002b4ea4046040 in ?? ()
#19 0x0000000000000000 in ?? ()
(gdb)
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/25bc16451830
user: Ted Campbell
date: Thu Jul 29 01:53:34 2021 +0000
summary: Bug 1688794 - Delazify self-hosted functions directly from the stencil. r=jandem,arai
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev c59236b26192.
Not sure if this is s-s, I'd leave it to Ted/Jan/Arai.
Comment 1•3 years ago
Thanks, Gary. Looks like when I combined two steps of the stencil code, it was not actually equivalent as I had thought. In effect I reversed Phase 4 and 5.
What is happening is that we have a function with inner functions that we are delazifying as a cluster. There is then an OOM while allocating the script data for the inner function. This OOM failure does not roll back the outer function, leaving things in an incomplete state. This looks to be reliably a null-deref, but I'll confirm tomorrow whether there are security concerns.
The naive fix is to ensure inner functions happen before outer functions. Will investigate further.
Comment 2•3 years ago
Set release status flags based on info from the regressing bug 1688794
Comment 3•3 years ago
When I run with --no-blinterp to disable all JITs, the test case reduces to:
  oomTest(() => Object.bind())
The FunctionFlags are always correct here and they are what most things rely on. The result is a reliable (near) null-ptr deref when trying to access that BaseScript later. Therefore opening this bug up. Various cleanups over the years to make this sort of thing more robust seem to be helping to keep these crashes from being scary which is nice to see.
Comment 4•3 years ago
The CompilationStencil::delazifySelfHostedFunction code erroneously delazified the outer script before its full set of inner functions. This can result in a nullptr deref under some conditions. Instead, instantiate inner functions first, which is also consistent with the normal Stencil instantiation flow.
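As an added illustration of the ordering problem described in comments 1, 3 and 4 (model code written for this page, not SpiderMonkey's; Script, Function, OomAllocator and the two delazify functions are hypothetical stand-ins), an OOM injected after a fixed number of allocations shows how outer-first leaves an outer marked scripted while an inner still has a null script_, whereas inner-first leaves the outer lazy and the cluster consistent:

```cpp
// Added model, not SpiderMonkey code: delazifying an outer function and its
// inner functions from a stencil, with an OOM injected partway through.
#include <memory>
#include <vector>

struct Script {};  // stands in for js::BaseScript
struct Function {
  bool hasScriptFlag = false;        // like the FunctionFlags "has script" bit
  std::shared_ptr<Script> script_;   // what a later clone dereferences
  std::vector<Function*> inner;      // inner functions delazified as a cluster
};
// Fake allocator: succeeds `budget` times, then fails forever
// (the behaviour oomTest(..., {keepFailing: true}) drives).
struct OomAllocator {
  int budget;
  std::shared_ptr<Script> alloc() {
    return budget-- > 0 ? std::make_shared<Script>() : std::shared_ptr<Script>{};
  }
};
static bool instantiate(Function& f, OomAllocator& a) {
  auto s = a.alloc();
  if (!s) return false;  // OOM: f is left untouched
  f.script_ = s;
  f.hasScriptFlag = true;
  return true;
}
// Order used by the regressing changeset: outer first, then inners.
// On OOM the outer is already marked scripted while an inner has a null script_.
static bool delazifyOuterFirst(Function& outer, OomAllocator& a) {
  if (!instantiate(outer, a)) return false;
  for (Function* in : outer.inner)
    if (!instantiate(*in, a)) return false;  // no rollback of outer
  return true;
}
// Order of the fix: inners first, outer last, so a failure leaves the outer lazy.
static bool delazifyInnerFirst(Function& outer, OomAllocator& a) {
  for (Function* in : outer.inner)
    if (!instantiate(*in, a)) return false;  // outer untouched, still lazy
  return instantiate(outer, a);
}
// Invariant a later clone (js::Lambda -> CloneFunctionReuseScript) relies on:
// a scripted outer implies every inner it references also has a script.
static bool clusterConsistent(const Function& outer) {
  if (!outer.hasScriptFlag) return true;
  if (!outer.script_) return false;
  for (const Function* in : outer.inner)
    if (!in->script_) return false;
  return true;
}
```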
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/edef3a5b61d0 Fix OOM during self-hosting delazification. r=arai
Comment 6•3 years ago
Backed out changeset edef3a5b61d0 (Bug 1723601) for causing mass failures CLOSED TREE
Log: https://treeherder.mozilla.org/logviewer?job_id=347272912&repo=autoland&lineNumber=2339
Backout: https://hg.mozilla.org/integration/autoland/rev/ff220475fee8b11104548853a74b021a1718f47e
Comment 7•3 years ago
I rebased after the other backouts and try looks to be passing so the failures seem to have been other patches / infra.
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d1c37768bb3a Fix OOM during self-hosting delazification. r=arai
Comment 9•3 years ago
bugherder