Closed Bug 929280 Opened 12 years ago Closed 12 years ago

Assertion failure: efs->argCount == args.length() - 1, at vm/SelfHosting.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox25 --- unaffected
firefox26 --- unaffected
firefox27 --- verified
firefox28 --- disabled
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected

People

(Reporter: gkw, Assigned: pnkfelix)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(3 files)

stack without symbols
854 bytes, text/plain
Details
[crash-signature] Machine-readable crash signature
441 bytes, text/plain
Details
patch A v1: fix-throwerror-invocation-arities
1.12 KB, patch
shu
: review+
Details | Diff | Splinter Review
Attached file stack without symbols
x = ParallelArray() Array.prototype.shift.call(x.shape) x.scatter(function() {}) asserts js debug shell on m-c changeset 177bf37a49f5 without any CLI arguments at Assertion failure: efs->argCount == args.length() - 1, at vm/SelfHosting.cpp Tested with: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1382402028/jsshell-mac64.zip which I presume is a 64-bit debug non-deterministic threadsafe build. Guessing this is ParallelArray-related, setting needinfo for Shu-yu. This is also flooding jsfunfuzz results and seems to be fairly recent, setting fuzzblocker.
Flags: needinfo?(shu)
I think Felix touched this last, setting needinfo to him. Probably a case where his new assert caught a bug in existing PJS code.
Flags: needinfo?(shu) → needinfo?(pnkfelix)
Assert was introduced by Bug 928029. This is almost certainly an incorrect ThrowError invocation; I will look at it in a bit.
Flags: needinfo?(pnkfelix)
(In reply to Felix S. Klock II [:pnkfelix, :fklock] from comment #3) > Assert was introduced by Bug 928029. > > This is almost certainly an incorrect ThrowError invocation; I will look at > it in a bit. Assigning to Felix as per comment 3.
Assignee: general → pnkfelix
Status: NEW → ASSIGNED
Whiteboard: [fuzzblocker][jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/651ea35bfb0b user: Felix S. Klock II date: Mon Oct 21 10:08:01 2013 -0400 summary: Bug 928029: SelfHosting: check ThrowError argument count (r=till). This iteration took 423.710 seconds to run.
(In reply to Christian Holler (:decoder) from comment #5) > JSBugMon: Bisection requested, result: > autoBisect shows this is probably related to the following changeset: > > The first bad revision is: > changeset: http://hg.mozilla.org/mozilla-central/rev/651ea35bfb0b > user: Felix S. Klock II > date: Mon Oct 21 10:08:01 2013 -0400 > summary: Bug 928029: SelfHosting: check ThrowError argument count > (r=till). > > This iteration took 423.710 seconds to run. The aforementioned changeset is related only in the sense that shu mentioned above: it adds an assert to catch a bug that was previously not being caught (and the failure to catch it yields undefined behavior). Sorry I've let this sit for so long, I was traveling and then distracted.
Oddly enough, my own debug shell of mozilla-inbound did not duplicate the problem. (But I *do* see the assertion fire when I download the copy of jsshell-mac64.zip that gkw linked.) At this point I am assuming this is due to some build host configuration issue. Is there an easy way for me to see the configure invocation (or mach invocation?) that was used to build the shell in question?
Since gkw is still on PTO, I can only guess, but did you build a threadsafe shell? What configuration flags, platform and OS did you try?
Mac OS X. 64-bit (at least, I think that's the default, since it can create both 32- and 64-bit binaries). Configure invocations I have tried: /Users/fklock/Dev/Mozilla/mozilla-inbound/js/src/configure --enable-debug --disable-optimize --with-ccache --enable-threadsafe --with-system-nspr --with-nspr-prefix=/Users/fklock/opt/nspr-dbg --prefix=~/opt/js-dbg-nopt /Users/fklock/Dev/Mozilla/mozilla-inbound/js/src/configure --enable-debug --enable-optimize --with-ccache --enable-threadsafe --with-system-nspr --with-nspr-prefix=/Users/fklock/opt/nspr-dbg --prefix=~/opt/js-dbg i.e. I've been using --enable-debug, and I tried toggling between enable/disable optimize. (The rest of the invocation is boilerplate I've acquired, e.g. I always do --enable-threadsafe since I'm usually doing PJS development when I'm working in the shell.)
(I am now attempting to build off of mozilla-central at the revision that gkw pointed at, in order to eliminate the possibility that the bug has been somehow fixed on mozilla-inbound in the meantime... but it would be good to know what command invocation the auto-builder is using.)
Okay, I can reproduce on mozilla-central. Odd, I didn't think any of the relevant argument checking code in PJS had changed in mozilla-inbound recently, but maybe I'm wrong.
(mystery solved: it didn't reproduce on my copy of mozilla-inbound because I was working with an out-of-date copy.) The bug is easy to fix, will post patch shortly.
Fix the bug. Before my assert was added from 928029, the test case in question would print the exception: RangeError: invalid array length Which I'm guessing was a bogus message for someone who is familiar with what the above is supposed to mean (versus what it meant in this context). Then my assert landed, and while attempting to construct an exception like the above, it would hit the assert, and thus you'd get: Assertion failure: efs->argCount == args.length() - 1, at [...] Now with this patch, you get: RangeError: invalid ParallelArray.prototype.scatter length argument Its using the already-overloaded JSMSG_PAR_ARRAY_BAD_ARG to get this effect. (Also, I'm deliberately attempting to leave it ambiguous as to whether `length` above refers to the length of the receiving parallel-array or the length argument for the target scatter output.) Fine-tuning all this is probably wasted effort since ParallelArray should go away in the near future (and replaced with Array for the 1-d cases and TypedObjects for the N-d cases).
Attachment #823115 - Flags: review?(shu)
Attachment #823115 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/75ea7b7bb293
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Do you mind nominating for aurora landing please?
status-firefox25: --- → unaffected
status-firefox26: --- → unaffected
status-firefox27: --- → affected
status-firefox28: --- → fixed
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Flags: needinfo?(pnkfelix)
FYI this is the try run from my push to inbound: https://tbpl.mozilla.org/?tree=Try&rev=6251e5b164a4
Flags: needinfo?(pnkfelix)
Comment on attachment 823115 [details] [diff] [review] patch A v1: fix-throwerror-invocation-arities [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 928029 added a strict check in Debug builds of argument count on ThrowError invocations. But there was a pre-existing ThrowError invocation that passed an extra (ignored) argument; it causes the check to fire, so we get assertion failures on Debug builds. Fix here is to switch to using an error code with a matching argument count. User impact if declined: Fuzz testing on Debug builds for Aurora will be cluttered with the assert check failures noted above. (gkw has requested this fix go into Aurora.) Testing completed (on m-c, etc.): JSRefTest debug/opt on moz-inbound Risk to taking this patch (and alternatives if risky): low risk, IMO. (There is an alternative of loosening the debug assert to only require that the actual arg count be >= expected arg count. But I do not think that is worth the effort; better to fix the erroneous ThrowError calls.) String or IDL/UUID changes made by this patch: none AFAIK.
Attachment #823115 - Flags: approval-mozilla-aurora?
ParallelArray isn't enabled on Aurora builds, so it shouldn't be necessary to land this to aurora I don't think.
Comment on attachment 823115 [details] [diff] [review] patch A v1: fix-throwerror-invocation-arities (removing aurora landing request after discussion with nmatsakis since PJS code should be ifdef'ed out on Aurora, and thus this bug and the patch should not have any effect there.)
Attachment #823115 - Flags: approval-mozilla-aurora?
(In reply to Felix S. Klock II [:pnkfelix, :fklock] from comment #20) > Comment on attachment 823115 [details] [diff] [review] > patch A v1: fix-throwerror-invocation-arities > > (removing aurora landing request after discussion with nmatsakis since PJS > code should be ifdef'ed out on Aurora, and thus this bug and the patch > should not have any effect there.) Thanks for the clarification!
status-firefox27: affectedunaffected
Keywords: verifyme
Reproducible with the 10/25 Nightly JS shell on Mac OS X 10.9: Assertion failure: efs->argCount == args.length() - 1, at ../../../js/src/vm/SelfHosting.cpp:87 Segmentation fault: 11 The 02/04 Beta shell and the 02/05 Nightly shell both give this: ReferenceError: ParallelArray is not defined No assertion failures here though.
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: