Assertion failure: fun->hasBaseScript(), at vm/FrameIter.cpp:824
Categories: Core :: JavaScript Engine: JIT, defect, P1

Tracking:

| Release | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | wontfix |
| firefox76 | --- | verified |

People: Reporter: decoder, Assigned: tcampbell
References: Regression
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20200310-c7766d0b4a12 (build with (buildFlags not available), run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --disable-oom-functions):
See attachment.
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555555b3d112 in js::FrameIter::matchCallee(JSContext*, JS::Handle<JSFunction*>) const ()
#1 0x0000555555c10a98 in AdvanceToActiveCallLinear(JSContext*, js::NonBuiltinScriptFrameIter&, JS::Handle<JSFunction*>) ()
#2 0x0000555555c105b3 in ArgumentsGetterImpl(JSContext*, JS::CallArgs const&) ()
#3 0x0000555555c724f7 in ArgumentsGetter(JSContext*, unsigned int, JS::Value*) ()
#4 0x00005555558e4522 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#5 0x00005555558e3e3f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#6 0x00005555558e62a6 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#7 0x0000555555ca9c89 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#8 0x0000555555caac3e in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#9 0x000055555639d5b5 in js::GetObjectElementOperation ()
#10 0x000055555639bcb7 in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#11 0x000009bcbf261863 in ?? ()
[...]
#31 0x0000000000000000 in ?? ()
rax 0x555556e88429 93825018659881
rbx 0x1b826c6a3920 30246978599200
rcx 0x555557efe850 93825035921488
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7fffffff9f50 140737488330576
rsp 0x7fffffff9ee0 140737488330464
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff7f9cd00 140737353731328
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0x7ffff5e27000 140737318645760
r13 0x7ffff5e27018 140737318645784
r14 0x7fffffff9fc0 140737488330688
r15 0x7fffffff9fd8 140737488330712
rip 0x555555b3d112 <js::FrameIter::matchCallee(JSContext*, JS::Handle<JSFunction*>) const+770>
=> 0x555555b3d112 <_ZNK2js9FrameIter11matchCalleeEP9JSContextN2JS6HandleIP10JSFunctionEE+770>: movl $0x338,0x0
0x555555b3d11d <_ZNK2js9FrameIter11matchCalleeEP9JSContextN2JS6HandleIP10JSFunctionEE+781>: callq 0x5555557eef2e <abort>
JIT problem with a complex test that won't reduce further easily, marking s-s until triaged/investigated.
Comment 2 (Assignee) • 5 years ago
I have it captured in RR now. Investigating...
Comment 3 (Assignee) • 5 years ago
This specific issue is a regression from Bug 1591600. The reasoning I used in [1] isn't valid in the presence of sloppy asm.js functions due to [2].
Minimal test:

```js
function asm_dummy() {
  "use asm";
  function mtd() {}
  return { mtd: mtd };
}
(function() {
  return asm_dummy.arguments;
})();
```
[1] https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/js/src/vm/FrameIter.cpp#822-824
[2] https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/js/src/vm/JSFunction.cpp#151
Comment 4 (Assignee) • 5 years ago
I'm not sure why we had so much trouble reducing. The criteria we need are not that complex:
- Have any well-formed asm.js module
- Be inside any function context
- Run asm_dummy.arguments
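A regression-style check for these three criteria, added here as an example; it is not from the bug report or from the SpiderMonkey jit-test suite. The legacy `.arguments` accessor is only meaningful on sloppy-mode functions, so every function under test is built with the Function constructor (an assumption of this example, not of the bug), which yields a sloppy function regardless of how the file itself is loaded. The expected values (null for an inactive function, the live argument count for an active one) are standard engine behaviour for the accessor rather than anything stated on this page.

```javascript
// Added example: a regression-style check for the three repro criteria above.
// It is not from the bug report or from the SpiderMonkey jit-test suite. The
// legacy `.arguments` accessor is only meaningful on sloppy-mode functions, so
// every function under test is built with the Function constructor, which
// always yields a sloppy function no matter how this file itself is loaded.

// Criterion 1: a well-formed asm.js module (the bug's minimal test, verbatim).
const asm_dummy = new Function(`
  "use asm";
  function mtd() {}
  return { mtd: mtd };
`);

// Criteria 2 and 3: from inside another function context, read
// asm_dummy.arguments. The module is not active, so the accessor must return
// null rather than crashing or walking a frame it cannot describe.
function probeInactiveModule() {
  return (function () {
    return asm_dummy.arguments;
  })();
}

// Control case: the same accessor on a sloppy function that *is* active
// returns the live arguments object, so the null above is a real answer and
// not an "always null" degenerate result. Called with two arguments below.
const active = new Function("a", "b", "return arguments.callee.arguments.length;");
function probeActiveFunction() {
  return active(1, 2);
}

// The module must still instantiate and export a callable method after the
// probe, whether the engine took the asm.js path or fell back to plain JS.
function probeModuleStillLinks() {
  const exports = asm_dummy();
  exports.mtd();
  return typeof exports.mtd;
}

// Usage: node thisfile.js
console.log(probeInactiveModule(), probeActiveFunction(), probeModuleStillLinks());
```

Run under a debug build of the engine being tested, the first probe is the one that exercised the failing assertion; the other two only confirm that the probe is a meaningful oracle and that the module still links afterwards.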
Comment 5 • 5 years ago
Ted, could this be a consequence of the Observable/Recoverable flags changes?
Comment 6 (Assignee) • 5 years ago
Unhiding. This was a recent assertion, and there isn't really anything you can do with this. I'll have a patch up soon.
Comment 9 • 5 years ago
Backed out changeset 760434af5ead (bug 1621956) for SM failures at tests/arguments/function_dot_caller_restrictions.js
Backout: https://hg.mozilla.org/integration/autoland/rev/2ad9f32509a81296a3758d9f1dac6b191f6e225b
Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=760434af5ead326cfa5f784e2c443feadfc4da52
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=293042688&repo=autoland&lineNumber=9836
[task 2020-03-13T14:07:04.796Z] TEST-PASS | js/src/jit-test/tests/arguments/dynamicBindings.js | Success (code 0, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.0 s]
[task 2020-03-13T14:07:04.797Z] /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false
[task 2020-03-13T14:07:04.797Z] Stack:
[task 2020-03-13T14:07:04.797Z] @/builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9
[task 2020-03-13T14:07:04.797Z] Exit code: 3
[task 2020-03-13T14:07:04.797Z] FAIL - arguments/function_dot_caller_restrictions.js
[task 2020-03-13T14:07:04.797Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js | /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false (code 3, args "") [0.0 s]
[task 2020-03-13T14:07:04.797Z] INFO exit-status : 3
[task 2020-03-13T14:07:04.797Z] INFO timed-out : False
[task 2020-03-13T14:07:04.797Z] INFO stderr 2> /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false
[task 2020-03-13T14:07:04.797Z] INFO stderr 2> Stack:
[task 2020-03-13T14:07:04.797Z] INFO stderr 2> @/builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9
[task 2020-03-13T14:07:04.798Z] /builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9 Error: Assertion failed: got true, expected false
[task 2020-03-13T14:07:04.798Z] Stack:
[task 2020-03-13T14:07:04.798Z] @/builds/worker/workspace/build/src/js/src/jit-test/tests/arguments/function_dot_caller_restrictions.js:64:9
[task 2020-03-13T14:07:04.798Z] Exit code: 3
[task 2020-03-13T14:07:04.798Z] FAIL - arguments/function_dot_caller_restrictions.js
Comment 10 • 5 years ago
In theory we want asm.js to be unobservable. Is there no other way to fix this?
Comment 11 (Assignee) • 5 years ago
Running these non-standard features on things that opted in to asm.js explicitly seemed silly, but letting the frame-iterator just trigger the bailout seems reasonable for asm.js since only malicious code would be trying it.
Comment 12 (Assignee) • 5 years ago
Updated patch is awaiting try-run and reviews. I've restored the asm.js support and instead fixed the FrameIter.
Comment 17 • 5 years ago
The patch landed in nightly and beta is affected.
:tcampbell, is this bug important enough to require an uplift?
If not, please set status_beta to wontfix.
For more information, please visit the auto_nag documentation.
Comment 18 (Assignee) • 5 years ago
This variant was reported by fuzzing and seems to be an over-zealous assert, so it is not a good candidate for uplift.