1889035 - Crash [@ js::LiveSavedFrameCache::find] or Assertion failure: !frames->empty(), at vm/SavedStacks.cpp:143

Status: RESOLVED DUPLICATE of bug 1888746

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug stack

s = newGlobal();
try {
  evalcx("\
    function f(){};\
    var z = new Array(f); new Array().reduce.toString=function(){ z.sort(f); };\
    Object.defineProperty(z, 8, { value: 0 });f.toString = function (){ f(); };\
    z.reduce.toString();\
  ", s);
} catch (e) {}
evalcx('\
  function f(y){var x = parseModule(""); moduleLink(x); moduleEvaluate(x); return y;}\
  f();\
  z.reduce.toString();\
', s);

143         MOZ_RELEASE_ASSERT(!frames->empty());
(gdb) bt
#0  js::LiveSavedFrameCache::find (this=this@entry=0x7fffffffb850, cx=cx@entry=0x7ffff6639100, framePtr=..., pc=0x7ffff6623a4c "v\001", frame=frame@entry=...) at /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:143
#1  0x0000555557670fef in js::SavedStacks::insertFrames (this=this@entry=0x7ffff657eb68, cx=cx@entry=0x7ffff6639100, frame=frame@entry=..., capture=...) at /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:1502
#2  0x00005555576707be in js::SavedStacks::saveCurrentStack (this=0x7ffff657eb68, cx=0x7ffff6639100, frame=..., capture=...) at /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:1326
#3  0x00005555578fb998 in JS::CaptureCurrentStack (cx=cx@entry=0x7ffff6639100, stackp=stackp@entry=..., capture=...) at /home/ubumain/trees/mozilla-central/js/src/jsapi.cpp:4936
#4  0x000055555762cae4 in PromiseDebugInfo::create (cx=0x7ffff6639100, promise=promise@entry=...) at /home/ubumain/trees/mozilla-central/js/src/builtin/Promise.cpp:414
#5  0x00005555575e634b in CreatePromiseObjectInternal (cx=0x7ffff6639100, proto=..., protoIsWrapped=false, informDebugger=true) at /home/ubumain/trees/mozilla-central/js/src/builtin/Promise.cpp:2690
/snip

Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 26157b52a8c3.

An ASan optimized build shows the same stack:

[33077] Assertion failure: !frames->empty(), at /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:143
#01: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x311e301]
#02: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x312d557]
#03: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x312c39d]
#04: _ZN2JS19CaptureCurrentStackEP9JSContextNS_13MutableHandleIP8JSObjectEEON7mozilla7VariantIJNS_9AllFramesENS_9MaxFramesENS_18FirstSubsumedFrameEEEE[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x34fb2d7]
#05: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x30c9b13]
#06: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x304b9e0]
#07: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x3056e68]
#08: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x2beef88]
#09: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x2fab802]
#10: ???[/home/ubumain/shell-cache/js-64-asan-linux-x86_64-26157b52a8c3/js-64-asan-linux-x86_64-26157b52a8c3 +0x27e7b14]
#11: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==33077==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x5cb21eb8f336 bp 0x7ffe5356b250 sp 0x7ffe5356b180 T0)
==33077==The signal is caused by a WRITE memory access.
==33077==Hint: address points to the zero page.
/usr/bin/llvm-symbolizer: error: '[anon:js-executable-memory]': No such file or directory
    #0 0x5cb21eb8f336 in js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:143:5
    #1 0x5cb21eb9e556 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:1502:14
    #2 0x5cb21eb9d39c in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:1326:10
    #3 0x5cb21ef6c2d6 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) /home/ubumain/trees/mozilla-central/js/src/jsapi.cpp:4936:29
    #4 0x5cb21eb3ab12 in PromiseDebugInfo::create(JSContext*, JS::Handle<js::PromiseObject*>) /home/ubumain/trees/mozilla-central/js/src/builtin/Promise.cpp:414:10
    #5 0x5cb21eabc9df in CreatePromiseObjectInternal(JSContext*, JS::Handle<JSObject*>, bool, bool) /home/ubumain/trees/mozilla-central/js/src/builtin/Promise.cpp:2690:33
    #6 0x5cb21eabc9df in CreatePromiseObjectWithoutResolutionFunctions(JSContext*) /home/ubumain/trees/mozilla-central/js/src/builtin/Promise.cpp:1726:28
    #7 0x5cb21eac7e67 in js::CreatePromiseObjectForAsync(JSContext*) /home/ubumain/trees/mozilla-central/js/src/builtin/Promise.cpp:5422:28
    #8 0x5cb21e65ff87 in js::ModuleObject::createTopLevelCapability(JSContext*, JS::Handle<js::ModuleObject*>) /home/ubumain/trees/mozilla-central/js/src/builtin/ModuleObject.cpp:1208:44
    #9 0x5cb21ea1c801 in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) /home/ubumain/trees/mozilla-central/js/src/vm/Modules.cpp:1458:11
    #10 0x5cb21e258b13 in ModuleEvaluate(JSContext*, unsigned int, JS::Value*) /home/ubumain/trees/mozilla-central/js/src/shell/js.cpp:5488:10
    #11 0x36da274c5781  ([anon:js-executable-memory]+0x3781)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubumain/trees/mozilla-central/js/src/vm/SavedStacks.cpp:143:5 in js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const
==33077==ABORTING

ASan build parameters: AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --enable-undefined-sanitizer --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests

Putting in the JIT component as --ion-eager seems needed.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b743977afb83
user:        Jan de Mooij
date:        Wed Mar 27 11:18:34 2024 +0000
summary:     Bug 1884360 part 4 - Reimplement Array.prototype.sort with a JIT trampoline. r=iain

Jan, is bug 1884360 a likely regressor?

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1884360

Comment 4

[Daniel Veditz [:dveditz]]

Duplicate of Lukas's bug, but that one isn't getting a bounty so there's nothing to split