794494 - Crash [@ js::shadow::Object::numFixedSlots] or "Assertion failure: (l.asBits & 0x8000000000000000LL) == 0," or "Assertion failure: slot < numFixedSlots(),"

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

gc();
(function() {
  Object.defineProperty(this, "x", {
	get: function() {
	  return y.subarray();
	}
  });
  y = new Uint8ClampedArray;
  w = new Set;
  w.add(x);
  gcslice(48);
}());
x
gc()
with({
  z: gcslice(2580)
}) {
  x
}
gc()

crashes js debug shell on m-c changeset df69d95f636c without any CLI arguments at js::shadow::Object::numFixedSlots

s-s because this involves gc and Uint8ClampedArray.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This is flooding the fuzzers so badly, setting [fuzzblocker].

Comment 2

[Steve Fink [:sfink] [:s:]]

I've only been able to whittle this down slightly to

gc();
y = new Int8Array;
Object.defineProperty(this, "x", {
    get: function() {
	return y.subarray();
    }
});
w = new Set;
w.add(x);
gcslice(48);
y.subarray();
gc();
gcslice(2580);
y.subarray();
gc();

Comment 3

[Steve Fink [:sfink] [:s:]]

I should note that this is definitely mine, from bug 789295.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

> I should note that this is definitely mine, from bug 789295.

(providing confirmation)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   108046:9382a5a45acb
user:        Steve Fink
date:        Tue Sep 18 09:58:36 2012 -0700
summary:     Bug 789295 - Add special multi-view array buffer sweep pass to eliminate finalizers and thus allow background sweeping. r=billm

Comment 6

[Andrew McCreight [:mccr8] (PTO until 12-2)]

This sounds scary and easy to find, marking sec-critical.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

function g() {
    switch (1) {
        default: primarySandbox = newGlobal();
    }
    return function(code) {
        try {
            evalcx(code, primarySandbox)
        } catch (e) {}
    }
}
function h(code) {
    f(code);
}
f = g(1);
h("var r=/(?!{)/;s=\"\";s.split(r);t2=new Uint8ClampedArray")
gc()
h("Object.defineProperty(this,\"v1\",{e:true,get:function(){t1}});");
h("\
    t=Uint8Array(t2.buffer);\
    Object.defineProperty(this,\"t1\",{\
        get:function(){return t.subarray()}\
    })\
")
verifyprebarriers()
h("v1")
gc()
gc()
h("Object(t1)")
gc()


Here's another testcase that asserts at Assertion failure: slot < numFixedSlots(),

Comment 8

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

This might be causing some orange:
https://tbpl.mozilla.org/php/getParsedLog.php?id=15554002&tree=Mozilla-Inbound#error2
The line number in the topmost frame is for numFixedSlots.

Comment 9

[Steve Fink [:sfink] [:s:]]

Attachment: Clear the right buffer link when pruning and reversing the list of ArrayBufferViews

When I sweep through ArrayBuffers to filter out their dead views (reversing the list in the process), I was clearing the multiview buffer link field on the old first view instead of the new first view. This caused the tracing code to erroneously think that the buffer had already been added to the multiview buffer list, and so the buffer didn't get swept. This could result in dead views lingering in its view list.

Comment 10

[Steve Fink [:sfink] [:s:]]

http://hg.mozilla.org/integration/mozilla-inbound/rev/0f0a5a9919ae

Comment 11

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/0f0a5a9919ae

Comment 12

[Steve Fink [:sfink] [:s:]]

I don't think this needs to be tracking-firefox18. It was introduced with bug 789295, so it was only in the tree for a day or two. But it depends on how you manage these things.

Comment 13

[Andrew McCreight [:mccr8] (PTO until 12-2)]

Tracking- means it isn't being tracked. :)

Comment 14

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.