Bug 761835 (Closed)
IonMonkey: Assertion failure: (ptrBits & 0x7) == 0, at ../../jsval.h:708 or Crash [@ js::EncapsulatedPtr]

Opened 13 years ago; closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED

| Branch | Tracking | Status |
|---|---|---|
| firefox-esr10 | --- | unaffected |

People: Reporter: decoder, Assigned: dvander
Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]

Attachments (2 files):
- testcase: 5.42 KB, text/javascript
- fix (patch): 11.39 KB, sstangl: review+
The attached testcase asserts on ionmonkey revision 2062cc1c4b06 (run with --ion -n -m --ion-eager).
Comment 1 (Reporter, 13 years ago)
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000415240 in js::EncapsulatedPtr<js::Shape, unsigned long>::operator js::Shape* (this=0x7fffffffffff) at ../../gc/Barrier.h:172
172 operator T*() const { return value; }
(gdb) bt
#0 0x0000000000415240 in js::EncapsulatedPtr<js::Shape, unsigned long>::operator js::Shape* (this=0x7fffffffffff) at ../../gc/Barrier.h:172
#1 0x0000000000405d5e in js::ObjectImpl::lastProperty (this=0x7fffffffffff) at ../../vm/ObjectImpl.h:1048
#2 0x00000000004072ca in js::ObjectImpl::getClass (this=0x7fffffffffff) at ../../vm/ObjectImpl-inl.h:245
#3 0x00000000004072f0 in js::ObjectImpl::hasClass (this=0x7fffffffffff, c=0xd82800) at ../../vm/ObjectImpl-inl.h:257
#4 0x000000000045dfd4 in JSObject::isQName (this=0x7fffffffffff) at ../jsobjinlines.h:822
#5 0x0000000000632953 in js_GetLocalNameFromFunctionQName (obj=0x7fffffffffff, funidp=0x7fffffffb0e0, cx=0xdc5fd0) at js/src/jsxml.cpp:2862
#6 0x0000000000478296 in js::InternNonIntElementId (cx=0xdc5fd0, obj=0x7ffff09176a0, idval=..., idp=0x7fffffffb0e0, vp=0x7fffffffb0d0) at js/src/jsatom.cpp:512
#7 0x000000000050dbc1 in js::FetchElementId (cx=0xdc5fd0, obj=0x7ffff09176a0, idval=..., idp=0x7fffffffb0e0, vp=0x7fffffffb0d0) at js/src/jsinterpinlines.h:676
#8 0x00000000005294fd in js::SetObjectElement (cx=0xdc5fd0, obj=..., index=..., value=..., strict=0) at js/src/jsinterp.cpp:4224
#9 0x00007ffff7f5057a in ?? ()
#10 0x00007fffffffb150 in ?? ()
#11 0x00007fffffffb130 in ?? ()
#12 0x0000000000db1da0 in js::ion::CodeGenerator::emitArrayPopShift(js::ion::LInstruction*, js::ion::MArrayPopShift const*, js::ion::Register, js::ion::Register, js::ion::Register, js::ion::TypedOrValueRegister)::Info ()
#13 0x00007ffff0916ad8 in ?? ()
[...]
(gdb) x /i $pc
=> 0x415240 <js::EncapsulatedPtr<js::Shape, unsigned long>::operator js::Shape*() const+12>: mov (%rax),%rax
(gdb) info reg rax
rax 0x7fffffffffff 140737488355327
Updated by Assignee, 13 years ago
Assignee: general → dvander
Status: NEW → ASSIGNED
Comment 2 (Assignee, 13 years ago)
Only tag the upper bits when boxing an arbitrary int32 value, as some machine instructions sign-extend.
Attachment #637282 - Flags: review?
Updated by Assignee, 13 years ago
Attachment #637282 - Flags: review? → review?(sstangl)
Comment 3 (13 years ago)
Comment on attachment 637282 (fix)
Review of attachment 637282:
-----------------------------------------------------------------
::: js/src/ion/CodeGenerator.cpp
@@ +1855,5 @@
> const LAllocation *index;
> MIRType valueType;
> ConstantOrRegister value;
>
> + masm.breakpoint();
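Review bot: the added `masm.breakpoint();` in this hunk emits a trap into the generated code on every pass through this path, so it reads as a debugging leftover rather than part of the fix; drop it before landing, or confine it to a DEBUG-only branch that is reached only when an invariant has already been violated.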
hm!
::: js/src/ion/x64/MacroAssembler-x64.h
@@ +190,4 @@
> movq(ImmShiftedTag(tag), dest);
> +
> + // Integers must be treated specially, since the top 32 bits of the
> + // register may be filled, we can't clobber the tag bits.
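Review bot: the new comment in this hunk is a comma splice and names the symptom but not the cause; suggest wording along the lines of `// Integers must be treated specially: an earlier instruction may have sign-extended the value, so the top 32 bits of the register may be set and must not be allowed to clobber the tag bits.`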
May be useful to explicitly mention sign extension as the cause.
@@ +191,5 @@
> +
> + // Integers must be treated specially, since the top 32 bits of the
> + // register may be filled, we can't clobber the tag bits.
> + if (type == JSVAL_TYPE_INT32)
> + orl(src, dest);
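Review bot: `orl(src, dest)` in this hunk does not preserve the tag that the preceding `movq(ImmShiftedTag(tag), dest)` placed in the upper bits of `dest`: on x86-64 a 32-bit OR writes a 32-bit result and zero-extends it into the full 64-bit destination register, so the tag is cleared rather than kept. If the aim is to discard the upper 32 bits of `src`, zero-extend `src` first (a 32-bit move into `dest`) and then OR the 64-bit shifted tag in, or add a DEBUG check that the upper 32 bits are already zero. The same treatment should cover JSVAL_TYPE_BOOLEAN, which the `if (type == JSVAL_TYPE_INT32)` condition leaves on the old path.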
This can also affect JSVAL_TYPE_BOOLEAN if we mix sign-extending and non-sign-extending instructions on a register that eventually is used to store a boolean. Since our assembler is currently really unclear about when sign extension is performed, it's probably best to be safe.
Attachment #637282 - Flags: review?(sstangl) → review+
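The failure mode from comment 2 (a sign-extended int32 register OR'd straight into the tag bits) and the boolean case raised in the review above, worked through in a runnable form. This is an added illustration written for this page, not code from the bug's patch or from SpiderMonkey; the value layout and tag constants are an assumption reproduced from SpiderMonkey's 64-bit punboxing of the period (47-bit payload below a 17-bit tag), and every function name is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Value layout assumed here: SpiderMonkey's 64-bit "punboxing" of the period
 * (a 47-bit payload below a 17-bit tag). The constants are reproduced from
 * memory and are an assumption, not taken from the bug page. */
#define TAG_SHIFT       47
#define PAYLOAD_MASK    ((1ULL << TAG_SHIFT) - 1)      /* 0x00007FFFFFFFFFFF */
#define TAG_MAX_DOUBLE  0x1FFF0ULL
#define TAG_INT32       (TAG_MAX_DOUBLE | 0x1)         /* JSVAL_TYPE_INT32   */
#define TAG_BOOLEAN     (TAG_MAX_DOUBLE | 0x3)         /* JSVAL_TYPE_BOOLEAN */
#define TAG_OBJECT      (TAG_MAX_DOUBLE | 0x7)         /* JSVAL_TYPE_OBJECT  */
#define SHIFTED_TAG(t)  ((uint64_t)(t) << TAG_SHIFT)

typedef uint64_t jsval_bits;

/* A 64-bit register into which an int32 was loaded by a sign-extending
 * instruction: for negative values the top 32 bits are all ones. */
static int64_t sign_extended_reg(int32_t payload) { return (int64_t)payload; }

/* Boxing as the bug describes it: the whole 64-bit register is OR'd into the
 * shifted tag, so any set upper bits spill into the tag field. */
static jsval_bits box_unmasked(uint64_t shifted_tag, int64_t reg) {
    return shifted_tag | (uint64_t)reg;
}

/* Boxing as the fix intends it: only the low 32 bits are payload, so they are
 * zero-extended first (the effect of a 32-bit move on x86-64) and the tag is
 * OR'd into clean upper bits. Used for int32 and boolean alike. */
static jsval_bits box_masked(uint64_t shifted_tag, int64_t reg) {
    return shifted_tag | (uint64_t)(uint32_t)reg;
}

static jsval_bits box_int32_unmasked(int64_t reg) { return box_unmasked(SHIFTED_TAG(TAG_INT32), reg); }
static jsval_bits box_int32(int64_t reg)          { return box_masked(SHIFTED_TAG(TAG_INT32), reg); }
static jsval_bits box_boolean(int64_t reg)        { return box_masked(SHIFTED_TAG(TAG_BOOLEAN), reg); }

/* Type tests mirroring the punboxing predicates: object is the largest tag,
 * so "is object" is a single unsigned comparison against the shifted tag. */
static int is_object(jsval_bits v)  { return v >= SHIFTED_TAG(TAG_OBJECT); }
static int is_int32(jsval_bits v)   { return (v >> TAG_SHIFT) == TAG_INT32; }
static int is_boolean(jsval_bits v) { return (v >> TAG_SHIFT) == TAG_BOOLEAN; }
static int32_t int32_payload(jsval_bits v)    { return (int32_t)(uint32_t)v; }
static uint64_t object_ptr_bits(jsval_bits v) { return v & PAYLOAD_MASK; }

/* The check behind "Assertion failure: (ptrBits & 0x7) == 0": object pointers
 * are 8-byte aligned, so set low bits mean the bits are not a real pointer. */
static int object_ptr_is_aligned(jsval_bits v) { return (object_ptr_bits(v) & 0x7) == 0; }

int main(void) {
    int64_t reg = sign_extended_reg(-1);          /* all 64 bits set */
    jsval_bits bad  = box_int32_unmasked(reg);
    jsval_bits good = box_int32(reg);

    printf("unmasked: bits=%016llx is_object=%d ptr=%012llx aligned=%d\n",
           (unsigned long long)bad, is_object(bad),
           (unsigned long long)object_ptr_bits(bad), object_ptr_is_aligned(bad));
    printf("masked:   bits=%016llx is_int32=%d payload=%d\n",
           (unsigned long long)good, is_int32(good), int32_payload(good));
    return 0;
}
```

With the payload -1, the unmasked form produces all-ones bits: the object predicate accepts them, and masking out the tag yields 0x7fffffffffff, the same pointer value that appears as `this=` in the backtrace of comment 1, with its low bits set so the alignment assertion from the bug title fails. The masked form keeps the int32 tag and recovers -1. For a non-negative value both forms agree, which is why the bug only surfaces for specific inputs.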
Comment 4 (Assignee, 13 years ago)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 5 (Reporter, 13 years ago)
JSBugMon: This bug has been automatically verified fixed.
Updated by Reporter, 13 years ago
Status: RESOLVED → VERIFIED

Updated 13 years ago
status-firefox-esr10: --- → unaffected

Updated 10 years ago
Group: core-security