Closed Bug 1215992 Opened 4 years ago Closed 4 years ago

Crash [@ js::jit::BaselineInspector::commonGetPropFunction] or Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla44
Tracking Status
firefox43 --- unaffected
firefox44 --- verified
firefox45 --- verified
firefox-esr38 --- unaffected

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(3 files)

(function() {
    const x = ""
    x = y;
    x = z;
})()

asserts js debug shell on m-c changeset e8c7dfe727cd with --fuzzing-safe --no-threads --ion-eager at Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r e8c7dfe727cd

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151016163631" and the hash "4690eec6b6583f4fd01b8b60be3ce6867d85ed78".
The "bad" changeset has the timestamp "20151016175031" and the hash "97e02e8d43a140b5389bd50acfd0bc33d1cd5aea".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4690eec6b6583f4fd01b8b60be3ce6867d85ed78&tochange=97e02e8d43a140b5389bd50acfd0bc33d1cd5aea

Shu-yu, is bug 1215341 a likely regressor?
Flags: needinfo?(shu)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x1978bc, 0x000000010016b934 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineScript::icEntryFromPCOffset(this=<unavailable>, pcOffset=<unavailable>, prevLookedUpEntry=<unavailable>) + 324 at BaselineJIT.cpp:649, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010016b934 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineScript::icEntryFromPCOffset(this=<unavailable>, pcOffset=<unavailable>, prevLookedUpEntry=<unavailable>) + 324 at BaselineJIT.cpp:649
    frame #1: 0x0000000100253ab1 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::icEntryFromPC(this=0x0000000102cbe100, pc=<unavailable>) + 97 at BaselineInspector.h:75
    frame #2: 0x0000000100167f34 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(this=<unavailable>, pc=<unavailable>, holder=0x00007fff5fbfde48, holderShape=0x00007fff5fbfde60, commonGetter=0x00007fff5fbfde58, globalShape=0x00007fff5fbfde50, isOwnProperty=<unavailable>, receivers=<unavailable>, convertUnboxedGroups=<unavailable>) + 100 at BaselineInspector.cpp:624
    frame #3: 0x000000010020bb8e js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::getPropTryCommonGetter(this=0x0000000102cbe1a8, emitted=0x00007fff5fbfdeb7, obj=0x0000000102cbf9c8, name=0x0000000102d00b98, types=0x0000000102cbeaa0) + 270 at IonBuilder.cpp:11455
    frame #4: 0x00000001001f7f27 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::jsop_getgname(this=0x0000000102cbe1a8, name=0x0000000102d00b98) + 199 at IonBuilder.cpp:8236
(lldb)
The testcase in comment 0 also crashes js opt shell on m-c changeset e8c7dfe727cd with --fuzzing-safe --no-threads --ion-eager at js::jit::BaselineInspector::commonGetPropFunction

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic" -r e8c7dfe727cd

Setting [fuzzblocker] because this happens really often, and setting s-s on this because it seems to be accessing weird memory addresses:

(lldb) dis -p
js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction:
->  0x1000e3420 <+192>: movzwl 0x12(%rbp), %ecx
    0x1000e3424 <+196>: andl   $0xfff8, %ecx
    0x1000e342a <+202>: xorl   %eax, %eax
    0x1000e342c <+204>: movswl %cx, %edx
(lldb) register read $rbp
     rbp = 0x0000032900000000
(lldb) register read $ecx
     ecx = 0x040afbe8
(lldb)
Crash Signature: [@ js::jit::BaselineInspector::commonGetPropFunction]
Keywords: crash
Summary: Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp → Crash [@ js::jit::BaselineInspector::commonGetPropFunction] or Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Attached file stack for opt crash
(lldb) bt 5
* thread #1: tid = 0x198311, 0x00000001000e3420 js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::kind(this=<unavailable>) const + 3 at SharedIC.h:575, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x32900000012)
  * frame #0: 0x00000001000e3420 js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::kind(this=<unavailable>) const + 3 at SharedIC.h:575
    frame #1: 0x00000001000e341d js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::isGetProp_CallScripted(this=<unavailable>) const at SharedIC.h:644
    frame #2: 0x00000001000e341d js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(this=<unavailable>, pc=<unavailable>, holder=0x00007fff5fbfe328, holderShape=0x00007fff5fbfe340, commonGetter=0x00007fff5fbfe338, globalShape=0x00007fff5fbfe330, isOwnProperty=0x00007fff5fbfe327, receivers=<unavailable>, convertUnboxedGroups=<unavailable>) + 189 at BaselineInspector.cpp:627
    frame #3: 0x0000000100144c75 js-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::getPropTryCommonGetter(this=0x0000000101faf188, emitted=0x00007fff5fbfe397, obj=0x0000000101fb07b0, name=0x0000000104000b98, types=0x0000000101faf8f8) + 277 at IonBuilder.cpp:11455
    frame #4: 0x0000000100136d13 js-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::jsop_getgname(this=0x0000000101faf188, name=0x0000000104000b98) + 419 at IonBuilder.cpp:8236
(lldb)
I investigated bug 1216132, which seems to be the same issue.

The problem here is that BytecodeFallsThrough returns false for THROWSETCONST/THROWSETALIASEDCONST, and the Baseline compiler skips these unreachable ops. IonBuilder on the other hand doesn't skip these ops, hence the failure.

I can take this.
Flags: needinfo?(shu) → needinfo?(jdemooij)
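To make the Baseline/Ion disagreement concrete, here is an added toy model in C++. It is not SpiderMonkey's code: the Op names, structs and function names are hypothetical stand-ins for BytecodeFallsThrough, BaselineScript::icEntryFromPCOffset and IonBuilder's per-op IC lookup, and the bytecode offsets are constructed. Baseline records IC entries only for ops it actually compiles, so nothing exists for the GETGNAME after the first THROWSETCONST; Ion, walking the same bytecode, looks that op up by pc offset and finds no exact match. The real code surfaces that as the assertion in the summary in a debug build and as a read through a bogus ICStub pointer in an opt build; treating THROWSETCONST as control flow ends the block before the lookup is attempted.

```cpp
// Added example: a toy model of the Baseline/Ion IC-entry mismatch described
// above. NOT SpiderMonkey code; Op names, structs and functions are
// hypothetical stand-ins for BytecodeFallsThrough,
// BaselineScript::icEntryFromPCOffset and IonBuilder's IC lookup.
#include <cstddef>
#include <cstdint>
#include <vector>

enum class Op : uint8_t { GetGName, ThrowSetConst, Pop, RetRval };

struct Insn {
    Op op;
    uint32_t pcOffset;
};

// Stand-in for BytecodeFallsThrough: a throwing op never continues to the
// next instruction, so (absent a jump target) what follows is unreachable.
static bool bytecodeFallsThrough(Op op) {
    return op != Op::ThrowSetConst && op != Op::RetRval;
}

// Ops that use an inline cache and therefore get an IC entry in Baseline.
static bool opHasIC(Op op) { return op == Op::GetGName; }

struct ICEntry {
    uint32_t pcOffset;
    Op op;
};

// "Baseline compiler": skips unreachable ops, so no IC entry is ever
// created for the GETGNAME that follows the first THROWSETCONST.
static std::vector<ICEntry> baselineCompile(const std::vector<Insn>& code) {
    std::vector<ICEntry> entries;
    bool reachable = true;
    for (const Insn& insn : code) {
        if (!reachable) continue;  // no code emitted, no IC entry recorded
        if (opHasIC(insn.op)) entries.push_back({insn.pcOffset, insn.op});
        reachable = bytecodeFallsThrough(insn.op);
    }
    return entries;
}

// Binary search by pc offset, like icEntryFromPCOffset. Unlike the real
// lookup, which asserts (debug) or trusts the nearest entry (opt), this
// returns nullptr when there is no exact match.
static const ICEntry* icEntryFromPCOffset(const std::vector<ICEntry>& entries,
                                          uint32_t pcOffset) {
    size_t lo = 0, hi = entries.size();
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (entries[mid].pcOffset < pcOffset) lo = mid + 1;
        else if (entries[mid].pcOffset > pcOffset) hi = mid;
        else return &entries[mid];
    }
    return nullptr;
}

// "IonBuilder": for each IC-using op, look up Baseline's IC entry and count
// how many lookups find nothing. With treatThrowAsControlFlow == false (the
// buggy behaviour) Ion keeps walking past THROWSETCONST into bytecode that
// Baseline never compiled; with it true (the fix) the block ends there.
static int ionMissingICEntries(const std::vector<Insn>& code,
                               const std::vector<ICEntry>& entries,
                               bool treatThrowAsControlFlow) {
    int missing = 0;
    for (const Insn& insn : code) {
        if (opHasIC(insn.op) && icEntryFromPCOffset(entries, insn.pcOffset) == nullptr)
            ++missing;
        if (treatThrowAsControlFlow && !bytecodeFallsThrough(insn.op))
            break;
    }
    return missing;
}

// Constructed bytecode roughly matching the testcase
//   const x = ""; x = y; x = z;
// Offsets are illustrative, not real SpiderMonkey encodings.
static std::vector<Insn> testcaseBytecode() {
    return {
        {Op::GetGName, 0},       // read y
        {Op::ThrowSetConst, 5},  // x = y: assignment to a const throws
        {Op::Pop, 6},
        {Op::GetGName, 7},       // read z: unreachable, no Baseline IC entry
        {Op::ThrowSetConst, 12},
        {Op::Pop, 13},
        {Op::RetRval, 14},
    };
}

int main() {
    std::vector<Insn> code = testcaseBytecode();
    std::vector<ICEntry> entries = baselineCompile(code);
    int buggy = ionMissingICEntries(code, entries, false);  // 1: the GETGNAME for z
    int fixed = ionMissingICEntries(code, entries, true);   // 0
    return (buggy == 1 && fixed == 0) ? 0 : 1;
}
```

The checked lookup is the one deliberate departure from the real code: it makes the missing entry observable as a counted condition rather than as an assertion or a wild read, which is what lets the buggy and fixed IonBuilder behaviours be compared side by side on the same Baseline output.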
Duplicate of this bug: 1216132
Attached patch Patch
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8675741 - Flags: review?(shu)
Comment on attachment 8675741 [details] [diff] [review]
Patch

Review of attachment 8675741 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the patch! Should've known the new ops should've been handled as control flow in IonBuilder.
Attachment #8675741 - Flags: review?(shu) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/d1e0b2e1b8ea

No sec-approval because recent regression.
https://hg.mozilla.org/mozilla-central/rev/d1e0b2e1b8ea
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Group: javascript-core-security → core-security-release
Depends on: 1218065
Depends on: 1218196
Duplicate of this bug: 1216126
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx44
Marking 43 as unaffected based on regression window.
Group: core-security-release