Closed Bug 1209019 Opened 9 years ago Closed 9 years ago

Assertion failure: scratch != InvalidReg, at js/src/jit/MacroAssembler.cpp:156

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1207943
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision 6256ec9113c1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-eager --ion-check-range-analysis --baseline-eager --ion-offthread-compile=off):

function withJitOptions(opts, fn) {
  for (var k in opts)
    setJitCompilerOption(k, opts[k]);
}
var Opts_Ion2NoOffthreadCompilation = {
      'ion.warmup.trigger': 2,
      'baseline.warmup.trigger': 1,
    };
withJitOptions(Opts_Ion2NoOffthreadCompilation, function () {});
var MyMath = {
  random: function() {
    return (this.seed & 0xfffffff) / 0x10000000;
  },
};
var kSplayTreeSize = 8000;
var kSplayTreePayloadDepth = 5;
function GeneratePayloadTree(depth, key) {}
function GenerateKey() {
  return MyMath.random();
}
function InsertNewNode() {
  do {
    key = GenerateKey();
  } while (splayTree.find(key) != null);
  splayTree.insert(key, GeneratePayloadTree(kSplayTreePayloadDepth, key));
}
splayTree = new SplayTree();
for (var i = 0; i < kSplayTreeSize; i++)
  InsertNewNode();
function SplayTree() {
  SplayTree.prototype.root_ = null;
  SplayTree.prototype.isEmpty = function() {
    return !this.root_;
  };
  SplayTree.prototype.insert = function(key, value) {
    if (this.isEmpty())
      this.root_ = new SplayTree.Node(key, value);
    if (key > this.root_.key)
      this.root_.left = null;
  };
  SplayTree.prototype.find = function(key) {
    this.isEmpty()
  };
  SplayTree.Node = function(key, value) {
    eval("for(l in[0,0,0]){}",0)
  };
};



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009fbe83 in js::jit::MacroAssembler::guardObjectType (this=0x7ffff69b6058, obj=..., obj@entry=..., types=0x7ffff69aebb0, scratch=..., scratch@entry=..., miss=miss@entry=0x7fffffffc500) at js/src/jit/MacroAssembler.cpp:156
#0  0x00000000009fbe83 in js::jit::MacroAssembler::guardObjectType (this=0x7ffff69b6058, obj=..., obj@entry=..., types=0x7ffff69aebb0, scratch=..., scratch@entry=..., miss=miss@entry=0x7fffffffc500) at js/src/jit/MacroAssembler.cpp:156
#1  0x0000000000936fef in js::jit::CodeGenerator::visitTypeBarrierO (this=0x7ffff69b6000, lir=0x7ffff69b98b0) at js/src/jit/CodeGenerator.cpp:2737
#2  0x0000000000991946 in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff69b6000) at js/src/jit/CodeGenerator.cpp:4149
#3  0x000000000099207a in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff69b6000) at js/src/jit/CodeGenerator.cpp:7859
#4  0x0000000000992291 in js::jit::GenerateCode (mir=mir@entry=0x7ffff69ae258, lir=0x7ffff69b5088) at js/src/jit/Ion.cpp:1954
#5  0x0000000000992385 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69ae258) at js/src/jit/Ion.cpp:1976
#6  0x0000000000993dd6 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907000, script=script@entry=0x7ffff7e648b0, baselineFrame=baselineFrame@entry=0x7fffffffcc18, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2237
#7  0x000000000099432a in js::jit::Compile (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffcc18, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2404
#8  0x0000000000994af0 in js::jit::CompileFunctionForBaseline (cx=cx@entry=0x7ffff6907000, script=script@entry=..., frame=frame@entry=0x7fffffffcc18) at js/src/jit/Ion.cpp:2595
#9  0x000000000087f612 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff6984389 "A\f\270", script=..., frame=0x7fffffffcc18, cx=0x7ffff6907000) at js/src/jit/BaselineIC.cpp:107
#10 js::jit::DoWarmUpCounterFallback (cx=0x7ffff6907000, frame=0x7fffffffcc18, stub=<optimized out>, infoPtr=0x7fffffffcbf0) at js/src/jit/BaselineIC.cpp:268
#11 0x00007ffff7feffd9 in ?? ()
#12 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69b98b0	140737330780336
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc4e0	140737488340192
rsp	0x7fffffffc430	140737488340016
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffc1f0	140737488339440
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff69aebb0	140737330736048
r13	0x0	0
r14	0x10	16
r15	0x7fffffffc500	140737488340224
rip	0x9fbe83 <js::jit::MacroAssembler::guardObjectType(js::jit::Register, js::TypeSet const*, js::jit::Register, js::jit::Label*)+995>
=> 0x9fbe83 <js::jit::MacroAssembler::guardObjectType(js::jit::Register, js::TypeSet const*, js::jit::Register, js::jit::Label*)+995>:	movl   $0x9c,0x0
   0x9fbe8e <js::jit::MacroAssembler::guardObjectType(js::jit::Register, js::TypeSet const*, js::jit::Register, js::jit::Label*)+1006>:	callq  0x4974e0 <abort()>


Marking s-s because this looks like an assertion about register allocation which can potentially lead to a security problem.
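Added example, not part of the bug report or of SpiderMonkey: a small POSIX shell wrapper that re-runs a reduced testcase under a debug JS shell with exactly the run-time option set quoted in comment 0 and reports whether the shell asserted or died by signal. The shell binary path and the testcase path are arguments you supply (assumptions, not from the page); the build configuration from comment 0 is not handled here, the shell must already be a --enable-debug build.

```shell
# Added example (not from the bug report). Re-run a reduced testcase under a
# debug JS shell with the option set quoted in comment 0 and report whether
# an assertion fired. The shell binary and testcase paths are caller-supplied
# assumptions; nothing here is SpiderMonkey's own tooling.

# Run-time flags copied verbatim from the report's "run with" line.
JS_FUZZ_FLAGS="--fuzzing-safe --thread-count=2 --ion-extra-checks --ion-eager --ion-check-range-analysis --baseline-eager --ion-offthread-compile=off"

# repro SHELL TESTCASE
# Prints the first "Assertion failure:" line found on stderr, if any.
# Returns 0 if the shell asserted or was killed by a signal, 1 if it ran
# cleanly, 2 if SHELL is not an executable.
repro() {
  shell=$1
  testcase=$2
  [ -x "$shell" ] || { echo "no executable at $shell" >&2; return 2; }
  errlog=$(mktemp)
  status=0
  # shellcheck disable=SC2086  # JS_FUZZ_FLAGS is meant to be word-split
  "$shell" $JS_FUZZ_FLAGS "$testcase" >/dev/null 2>"$errlog" || status=$?
  line=$(grep '^Assertion failure:' "$errlog" | head -n 1)
  rm -f "$errlog"
  if [ -n "$line" ]; then
    printf '%s\n' "$line"
    return 0
  fi
  # Exit codes above 128 mean death by signal (SIGABRT -> 134, SIGSEGV -> 139),
  # i.e. a crash that produced no assertion message, which still counts.
  [ "$status" -gt 128 ] && return 0
  return 1
}
```

Usage: `repro /path/to/debug/js testcase.js`; a zero exit means the run reproduced either the assertion text or a signal death, so the wrapper is usable as the interestingness test for a reducer or a bisection loop.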
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9383690a4acd
parent:      263819:40f004f4651b
user:        Jan de Mooij
date:        Tue Sep 22 20:11:31 2015 +0200
summary:     Bug 1207210 - Fix MTypeBarrier::alwaysBails to handle ObjectOrNull inputs correctly. r=h4writer

This iteration took 204.386 seconds to run.
It's a bogus assert; a fix landed in bug 1207943.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE