Closed Bug 1212298 Opened 4 years ago Closed 4 years ago

Assertion failure: containsPC(pc), at js/src/jsscript.cpp:3815 (bailout Ion -> baseline)

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

Other Branch
x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla46
Tracking Status
firefox44 --- fixed
firefox45 --- fixed
firefox46 --- fixed
b2g-v2.5 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --baseline-eager):

for (var e = 1; e < 10000; e++) {
    new(function(arguments, message, get) {
        eval("var y");
    });
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0884e3d8 in JSScript::getStaticBlockScope (this=0xf3e750d0, pc=pc@entry=0xf4080868 "{") at js/src/jsscript.cpp:3815
#1  0x0884e799 in innermostStaticScopeInScript (pc=0xf4080868 "{", pc@entry=0x0, this=0xf3e750d0) at js/src/jsscript.cpp:3867
#2  JSScript::innermostStaticScope (this=0xf3e750d0, pc=pc@entry=0xf4080868 "{") at js/src/jsscript.cpp:3877
#3  0x082080fe in js::DirectEvalStringFromIon (cx=0xf7277020, scopeobj=..., callerScript=..., thisValue=..., newTargetValue=..., str=..., pc=0xf4080868 "{", vp=...) at js/src/builtin/Eval.cpp:397
#4  0xf746d086 in ?? ()
eax	0x0	0
ebx	0x97a3434	159003700
ecx	0xf762488c	-144553844
edx	0x0	0
esi	0xf4080868	-200800152
edi	0xffbf57f0	-4237328
ebp	0xffbf5748	4290729800
esp	0xffbf5710	4290729744
eip	0x884e3d8 <JSScript::getStaticBlockScope(unsigned char*)+200>
=> 0x884e3d8 <JSScript::getStaticBlockScope(unsigned char*)+200>:	movl   $0xee7,0x0
   0x884e3e2 <JSScript::getStaticBlockScope(unsigned char*)+210>:	call   0x80f1660 <abort()>
Wohoo, I get another assert on Mac OS X (release-debug build):

Assertion failure: v.isUndefined() || v.isMagic(JS_OPTIMIZED_OUT), at js/src/jit/BaselineBailouts.cpp:691
Segmentation fault: 11
Also on debug.

Value appears to be garbage:
(JS::Value) $0 = {
  data = {
    asBits = 18158514807639138304
    debugView = (payload47 = 1110081298432, tag = -2048)
    s = {
      payload = (i32 = 1979736064, u32 = 1979736064, why = 1979736064)
    }
    asDouble = -1.9495432220209402E+289
    asPtr = 0xfc00010276006000
    asWord = 18158514807639138304
    asUIntPtr = 18158514807639138304
  }
}
This is a simpler test case - no confusing argument names, no eval - that fails reliably with e=1098 on my system (debug build):

  for (var e = 1; e < 10000; e++) {
    print(e);
    var z = function(a, b, c) {}
    new z;
  }

To fail, there must be a "new z" and z must be created within the loop.

There's no evidence yet that the GC is running, for example.  Not sure about interrupts, say.

This looks like a generic JIT bailout bug, not OOM related.
Component: JavaScript Engine → JavaScript Engine: JIT
Summary: Assertion failure: containsPC(pc), at js/src/jsscript.cpp:3815 with OOM → Assertion failure: containsPC(pc), at js/src/jsscript.cpp:3815 (bailout Ion -> baseline)
Whiteboard: [jsbugmon:ignore][js-oom2015] → [jsbugmon:ignore]
(In reply to Lars T Hansen [:lth] from comment #3)
> This looks like a generic JIT bailout bug, not OOM related.

Setting needinfo? from Jan, please feel free to forward this to someone else as deemed suitable.
Flags: needinfo?(jdemooij)
Attached patch: Patch
This is an older bug with direct eval calls inside an inlined function in Ion, but it was likely exposed by bug 1199143. Since that bug, we inline heavyweight functions in Ion (all functions containing eval are heavyweight).
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8702946 - Flags: review?(shu)
Comment on attachment 8702946 [details] [diff] [review]
Patch

Review of attachment 8702946 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/CodeGenerator.cpp
@@ +3690,5 @@
>  
>      pushArg(ImmPtr(lir->mir()->pc()));
>      pushArg(string);
>      pushArg(ToValue(lir, LCallDirectEval::NewTarget));
> +    pushArg(ImmGCPtr(current->mir()->info().script()));
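Review bot: the added `pushArg(ImmGCPtr(current->mir()->info().script()))` line deserves a comment stating why this, and not the outermost script, is the right caller script: it must be the script that owns the `lir->mir()->pc()` pushed three lines above, because `DirectEvalStringFromIon` resolves that pc against `callerScript` (`innermostStaticScope` and the failing `containsPC(pc)` in the backtrace), and when the eval site has been inlined the outer script does not contain that pc. Something like `// Use the script of the (possibly inlined) block that owns pc.` would keep the script/pc pairing from being broken again.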

Doh, nice catch fuzzers.
Attachment #8702946 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/09ba8930629d
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Comment on attachment 8702946 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1199143.
[User impact if declined]: Crashes.
[Describe test coverage new/current, TreeHerder]: Adds a test that was fixed.
[Risks and why]: Very low risk. The patch is a safe and simple one-liner, I think we should just take it on aurora/beta.
[String/UUID change made/needed]: None.
Attachment #8702946 - Flags: approval-mozilla-beta?
Attachment #8702946 - Flags: approval-mozilla-aurora?
Comment on attachment 8702946 [details] [diff] [review]
Patch

Fixes a crash and has an automated test, beta44+, aurora45+
Attachment #8702946 - Flags: approval-mozilla-beta?
Attachment #8702946 - Flags: approval-mozilla-beta+
Attachment #8702946 - Flags: approval-mozilla-aurora?
Attachment #8702946 - Flags: approval-mozilla-aurora+