Assertion failure: slotInRange(slot), at js/src/vm/NativeObject.h:839

[classilla]

This crash is in the JS VM, not in the JIT.

Assertion failure: slotInRange(slot), at /Volumes/BruceDeuce/src/tenfourfox/js/src/vm/NativeObject.h:839

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0d0175d0 in js::NativeObject::setDenseInitializedLength () at NativeObject.h:1097
1097            MOZ_ASSERT(length <= getDenseCapacity());

#0  0x0d0175d0 in js::NativeObject::setDenseInitializedLength () at NativeObject.h:1097
#1  0x0c6960c8 in js::ScopeObject::aliasedVar (this=0x49b79240) at MathAlgorithms.h:476
#2  0x0c6b6f34 in Interpret (cx=0x41362bf0, state=@0xefff3b58) at Interpreter.cpp:3137
#3  0x0c6c1350 in js::RunScript (cx=0x41362bf0, state=@0xefff3b58) at Interpreter.cpp:391
#4  0x0c6c177c in js::Invoke (cx=0x41362bf0, args=@0xefff3be8, construct=NO_CONSTRUCT) at Interpreter.cpp:462
#5  0x0c6c24d0 in js::Invoke (cx=0x41362bf0, thisv=@0xefff3e20, fval=@0xefff3e30, argc=1, argv=0xefff4190, rval=<value temporarily unavailable, due to optimizations>) at Interpreter.cpp:496

bt full fails.
backtrace.txt

[classilla]

This is sufficient to wallpaper the crash, but obviously LinkedIn doesn't work.

wallpaper.txt

[classilla]

The final script appears to either contain or enable the bad code.
https://hg.mozilla.org/mozilla-central/rev/884a64b0fba2 doesn't fix it.

[classilla]

The issue is something about aliased variables. The interpreter is running JSOP_GETALIASEDVAR at the time of crash. I'm not sure if frame 0 is legit, but 1 and 2 seem to be.

[classilla]

I think the actual assertion is in NativeObject.h in getSlot(uint32_t slot) (line 838), since ::aliasedVar( in ScopeObject.h simply calls straight into it. It's possible we don't have enough slots.

[classilla]

I think the interpreter is calling ::aliasedVar( in vm/ScopeObject.h at line 1371, so the backtrace should go

(slotInRange NativeObject.cpp line 224)
getSlot NativeObject.h line 839
aliasedVar ScopeObject.h line 1374
Interpret Interpreter.cpp line 3137

[classilla]

With a little extra debugging in slotInRange(), we see the slot index being requested isn't nuts. There just are very few slots. The backtrace is also a little clearer, though frame 0 is still bogus.

assert imminent: slot 5 f 2 d 0
Assertion failure: slotInRange(slot), at /Volumes/BruceDeuce/src/tenfourfox/js/src/vm/NativeObject.h:839

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0d01a5e8 in ReentrancyGuard<js::gc::StoreBuffer> () at ReentrancyGuard.h:39
39          MOZ_ASSERT(!mEntered);
(gdb) bt 5
#0  0x0d01a5e8 in ReentrancyGuard<js::gc::StoreBuffer> () at ReentrancyGuard.h:39
#1  0x0c6a01ec in js::ScopeObject::aliasedVar (this=<value temporarily unavailable, due to optimizations>) at ScopeObject.h:1375
#2  0x0c6ba3c4 in Interpret (cx=0x39360ed0, state=@0xefff4208) at Interpreter.cpp:3137
#3  0x0c6c3da0 in js::RunScript (cx=0x39360ed0, state=@0xefff4208) at Interpreter.cpp:391
#4  0x0c6c41cc in js::Invoke (cx=0x39360ed0, args=@0xefff4298, construct=NO_CONSTRUCT) at Interpreter.cpp:462
(More stack frames follow...)

[classilla]

Two fixed slots. numFixedSlots() is in vm/Shape.h line 875.
No dynamic slots. numDynamicSlots() is in vm/NativeObject.h line 718.

[classilla]

growSlots() in vm/NativeObject.cpp can increase the number of slots.
This is called by updateSlotsForSpan() in the same file.

[classilla]

How did the shape get created with so few slots? Is it the slot request, or the shape construction?

[classilla]

Crash confirmed to also occur on Intel, so this is not a PPC-specific issue.

[classilla]

(wallpaper didn't hold, script URLs change. any block will have to be at the hostname level)

[bzbarsky]

If you can reproduce this on Intel hardware, getting a trace into pernosco might be a good start to getting someone familiar with the JS engine to look at it...

[classilla]

I'll see if they can generate something. Thank you for the suggestion.

[classilla]

The offending code is

define("extended/services/m3-schema",["exports","ember-cli-pemberly-m3","extended/utils/static-schema","extended/config/environment","deco-recipes/recipes"],function(e,t,n,r,i){Object.defineProperty(e,"__esModule",{value:!0})
e.computeAttributes=o
e.default=void 0
const a=Object.freeze((0,t.normalizeKeys)(n.default))
function o(e){return e.map(e=>"*"===e[0]?e.substring(1):e)}e.default=class extends t.PemberlyM3Schema{init(){this.models=Object.create(a)
super.init.apply(this,arguments)}computeAttributes(e){return o(e)}fetchMicroSchema(e){if(this.isMicroSchemaRegistered(e))return Ember.RSVP.resolve()
const t=`/${r.default.namespace}/deco/schema?decorationId=${i.default[e]}`
return this.store.adapterFor("-ember-m3").ajax(t).then(t=>this.registerMicroSchema(e,t))}setAttribute(e,t,n,r){const i=Ember.PromiseProxyMixin.detect(n)?n.content:n
return super.setAttribute(e,t,i,r)}}})

However, this test case doesn't seem to trigger anything:

e = new Object();
Object.defineProperty(e,"__esModule",{value:!0})
e.computeAttributes=o
e.default=void 0
//const a=Object.freeze((0,t.normalizeKeys)(n.default))
function o(e){return e.map(e=>"*"===e[0]?e.substring(1):e)}
e.default=class extends Array{init(){this.models=Object.create(a)
super.init.apply(this,arguments)}computeAttributes(e){return o(e)}fetchMicroSchema(e){if(this.isMicroSchemaRegistered(e))return Ember.RSVP.resolve()
const t=`/${r.default.namespace}/deco/schema?decorationId=${i.default[e]}`
return this.store.adapterFor("-ember-m3").ajax(t).then(t=>this.registerMicroSchema(e,t))}setAttribute(e,t,n,r){const i=Ember.PromiseProxyMixin.detect(n)?n.content:n
return super.setAttribute(e,t,i,r)}}
e.computeAttributes([]);

[classilla]

Now reproducing on Apple Discussions: https://discussions.apple.com/thread/250091731

https://tenfourfox.tenderapp.com/discussions/problems/9083-crash-on-discussionsapplecom-page

[classilla]

De-minified code from Apple.
tldr-demini-js.txt

[classilla]

Looking at isGenerator in the bytecode emitter. Maybe this has something to do with our stub async await implementation.

[classilla]

Giving up this cycle, but posting work so far.
failed621-diff.txt