Assertion failure: slotInRange(slot), at js/src/vm/NativeObject.h:839 #621

Open
classilla opened this issue Sep 8, 2020 · 18 comments

@classilla
Owner

This crash is in the JS VM, not in the JIT.

Assertion failure: slotInRange(slot), at /Volumes/BruceDeuce/src/tenfourfox/js/src/vm/NativeObject.h:839

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0d0175d0 in js::NativeObject::setDenseInitializedLength () at NativeObject.h:1097
1097            MOZ_ASSERT(length <= getDenseCapacity());

#0  0x0d0175d0 in js::NativeObject::setDenseInitializedLength () at NativeObject.h:1097
#1  0x0c6960c8 in js::ScopeObject::aliasedVar (this=0x49b79240) at MathAlgorithms.h:476
#2  0x0c6b6f34 in Interpret (cx=0x41362bf0, state=@0xefff3b58) at Interpreter.cpp:3137
#3  0x0c6c1350 in js::RunScript (cx=0x41362bf0, state=@0xefff3b58) at Interpreter.cpp:391
#4  0x0c6c177c in js::Invoke (cx=0x41362bf0, args=@0xefff3be8, construct=NO_CONSTRUCT) at Interpreter.cpp:462
#5  0x0c6c24d0 in js::Invoke (cx=0x41362bf0, thisv=@0xefff3e20, fval=@0xefff3e30, argc=1, argv=0xefff4190, rval=<value temporarily unavailable, due to optimizations>) at Interpreter.cpp:496

bt full fails.
backtrace.txt

@classilla classilla changed the title Crash on LinkedIn Crash logging into LinkedIn Sep 8, 2020
@classilla
Owner Author

This is sufficient to wallpaper the crash, but obviously LinkedIn doesn't work.

wallpaper.txt

@classilla
Owner Author

The final script appears to either contain or enable the bad code.
https://hg.mozilla.org/mozilla-central/rev/884a64b0fba2 doesn't fix it.

@classilla
Owner Author

The issue is something about aliased variables. The interpreter is running JSOP_GETALIASEDVAR at the time of crash. I'm not sure if frame 0 is legit, but 1 and 2 seem to be.

@classilla
Owner Author

I think the actual assertion is in NativeObject.h in getSlot(uint32_t slot) (line 838), since ::aliasedVar( in ScopeObject.h simply calls straight into it. It's possible we don't have enough slots.

@classilla
Owner Author

classilla commented Sep 8, 2020

I think the interpreter is calling ::aliasedVar( in vm/ScopeObject.h at line 1371, so the backtrace should go

(slotInRange NativeObject.cpp line 224)
getSlot NativeObject.h line 839
aliasedVar ScopeObject.h line 1374
Interpret Interpreter.cpp line 3137

@classilla
Owner Author

With a little extra debugging in slotInRange(), we see the slot index being requested isn't nuts. There just are very few slots. The backtrace is also a little clearer, though frame 0 is still bogus.

assert imminent: slot 5 f 2 d 0
Assertion failure: slotInRange(slot), at /Volumes/BruceDeuce/src/tenfourfox/js/src/vm/NativeObject.h:839

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0d01a5e8 in ReentrancyGuard<js::gc::StoreBuffer> () at ReentrancyGuard.h:39
39          MOZ_ASSERT(!mEntered);
(gdb) bt 5
#0  0x0d01a5e8 in ReentrancyGuard<js::gc::StoreBuffer> () at ReentrancyGuard.h:39
#1  0x0c6a01ec in js::ScopeObject::aliasedVar (this=<value temporarily unavailable, due to optimizations>) at ScopeObject.h:1375
#2  0x0c6ba3c4 in Interpret (cx=0x39360ed0, state=@0xefff4208) at Interpreter.cpp:3137
#3  0x0c6c3da0 in js::RunScript (cx=0x39360ed0, state=@0xefff4208) at Interpreter.cpp:391
#4  0x0c6c41cc in js::Invoke (cx=0x39360ed0, args=@0xefff4298, construct=NO_CONSTRUCT) at Interpreter.cpp:462
(More stack frames follow...)

@classilla
Owner Author

Two fixed slots. numFixedSlots() is in vm/Shape.h line 875.
No dynamic slots. numDynamicSlots() is in vm/NativeObject.h line 718.

@classilla
Owner Author

growSlots() in vm/NativeObject.cpp can increase the number of slots.
This is called by updateSlotsForSpan() in the same file.

@classilla
Owner Author

How did the shape get created with so few slots? Is it the slot request, or the shape construction?

@classilla
Owner Author

Crash confirmed to also occur on Intel, so this is not a PPC-specific issue.

@classilla
Owner Author

(Wallpaper didn't hold; script URLs change. Any block will have to be at the hostname level.)

@bzbarsky

If you can reproduce this on Intel hardware, getting a trace into pernosco might be a good start to getting someone familiar with the JS engine to look at it...

@classilla
Owner Author

I'll see if they can generate something. Thank you for the suggestion.

@classilla
Owner Author

The offending code is

define("extended/services/m3-schema",["exports","ember-cli-pemberly-m3","extended/utils/static-schema","extended/config/environment","deco-recipes/recipes"],function(e,t,n,r,i){Object.defineProperty(e,"__esModule",{value:!0})
e.computeAttributes=o
e.default=void 0
const a=Object.freeze((0,t.normalizeKeys)(n.default))
function o(e){return e.map(e=>"*"===e[0]?e.substring(1):e)}e.default=class extends t.PemberlyM3Schema{init(){this.models=Object.create(a)
super.init.apply(this,arguments)}computeAttributes(e){return o(e)}fetchMicroSchema(e){if(this.isMicroSchemaRegistered(e))return Ember.RSVP.resolve()
const t=`/${r.default.namespace}/deco/schema?decorationId=${i.default[e]}`
return this.store.adapterFor("-ember-m3").ajax(t).then(t=>this.registerMicroSchema(e,t))}setAttribute(e,t,n,r){const i=Ember.PromiseProxyMixin.detect(n)?n.content:n
return super.setAttribute(e,t,i,r)}}})

However, this test case doesn't seem to trigger anything:

e = new Object();
Object.defineProperty(e,"__esModule",{value:!0})
e.computeAttributes=o
e.default=void 0
//const a=Object.freeze((0,t.normalizeKeys)(n.default))
function o(e){return e.map(e=>"*"===e[0]?e.substring(1):e)}
e.default=class extends Array{init(){this.models=Object.create(a)
super.init.apply(this,arguments)}computeAttributes(e){return o(e)}fetchMicroSchema(e){if(this.isMicroSchemaRegistered(e))return Ember.RSVP.resolve()
const t=`/${r.default.namespace}/deco/schema?decorationId=${i.default[e]}`
return this.store.adapterFor("-ember-m3").ajax(t).then(t=>this.registerMicroSchema(e,t))}setAttribute(e,t,n,r){const i=Ember.PromiseProxyMixin.detect(n)?n.content:n
return super.setAttribute(e,t,i,r)}}
e.computeAttributes([]);
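The test case above ends with a single call to e.computeAttributes([]) and never instantiates the class, so the method bodies that use super and arguments (init, setAttribute, fetchMicroSchema) are never executed. The reduction below is an added example, not code from this issue or from TenFourFox: it keeps the de-minified structure of the LinkedIn module but replaces its Ember dependencies (PemberlyM3Schema, normalizeKeys, the store adapter, the config and recipe modules) with constructed stubs so that every method runs offline. The stub names mirror the call sites in the minified code; their behaviour is assumed for the purpose of the harness.

```javascript
// Added reduction of the module quoted in the issue. The Ember-side classes and
// modules are constructed stubs (assumed behaviour), so every method executes offline.

// Constructed stand-in for the ember-cli-pemberly-m3 base class.
class PemberlyM3Schema {
  init() { this.initArgs = Array.from(arguments); }
  setAttribute(model, key, value, schema) { return { model, key, value, schema }; }
  isMicroSchemaRegistered(name) { return this._registered && this._registered.has(name); }
  registerMicroSchema(name, payload) {
    (this._registered = this._registered || new Map()).set(name, payload);
    return payload;
  }
}

// Constructed stand-ins for the other modules the define() callback receives.
const staticSchema = { default: { "*foo": 1, bar: 2 } };
const environment = { default: { namespace: "voyager" } };
const recipes = { default: { member: "com.linkedin.voyager.dash.deco.Member" } };
const Ember = {
  RSVP: { resolve: (v) => Promise.resolve(v) },
  PromiseProxyMixin: { detect: (obj) => !!(obj && obj.__isPromiseProxy) },
};
const normalizeKeys = (obj) => Object.keys(obj).sort();

// Same shape as the minified module body, with readable names.
function computeAttributes(attrs) {
  return attrs.map((a) => (a[0] === "*" ? a.substring(1) : a));
}
const frozen = Object.freeze(normalizeKeys(staticSchema.default));

class M3Schema extends PemberlyM3Schema {
  init() {
    this.models = Object.create(frozen);
    super.init.apply(this, arguments); // class method using both super and arguments
  }
  computeAttributes(attrs) { return computeAttributes(attrs); }
  fetchMicroSchema(name) {
    if (this.isMicroSchemaRegistered(name)) return Ember.RSVP.resolve();
    const url = `/${environment.default.namespace}/deco/schema?decorationId=${recipes.default[name]}`;
    return this.store.adapterFor("-ember-m3").ajax(url)
      .then((payload) => this.registerMicroSchema(name, payload));
  }
  setAttribute(model, key, value, schema) {
    const unwrapped = Ember.PromiseProxyMixin.detect(value) ? value.content : value;
    return super.setAttribute(model, key, unwrapped, schema);
  }
}

// Drives every method once and returns the observable results.
async function exercise() {
  const schema = new M3Schema();
  schema.init("a", "b");
  const requested = [];
  schema.store = {
    adapterFor: () => ({ ajax: (url) => { requested.push(url); return Promise.resolve({ url }); } }),
  };
  await schema.fetchMicroSchema("member");
  await schema.fetchMicroSchema("member"); // second call takes the already-registered path
  const set = schema.setAttribute("m", "k", { __isPromiseProxy: true, content: 42 }, null);
  return { initArgs: schema.initArgs, attrs: schema.computeAttributes(["*foo", "bar"]), requested, set };
}

exercise().then((r) => console.log(JSON.stringify(r)));
```

Running it under a debug build of the engine under investigation, rather than a shell that lacks the stubs, is what turns this from a syntax check into an actual exercise of the super/arguments paths that the original test case skipped.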

@classilla classilla changed the title Crash logging into LinkedIn Assertion failure: slotInRange(slot), at /Volumes/BruceDeuce/src/tenfourfox/js/src/vm/NativeObject.h:839 Jan 20, 2021

@classilla classilla changed the title Assertion failure: slotInRange(slot), at /Volumes/BruceDeuce/src/tenfourfox/js/src/vm/NativeObject.h:839 Assertion failure: slotInRange(slot), at js/src/vm/NativeObject.h:839 Jan 20, 2021
classilla added a commit that referenced this issue Jan 24, 2021
@classilla
Owner Author

De-minified code from Apple.
tldr-demini-js.txt

@classilla
Owner Author

Looking at isGenerator in the bytecode emitter. Maybe this has something to do with our stub async await implementation.

@classilla
Owner Author

Giving up this cycle, but posting work so far.
failed621-diff.txt
