Closed
Bug 1215992
Opened 9 years ago
Closed 9 years ago
Crash [@ js::jit::BaselineInspector::commonGetPropFunction] or Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
VERIFIED
FIXED
mozilla44
| | Tracking | Status |
|---|---|---|
| firefox43 | --- | unaffected |
| firefox44 | --- | verified |
| firefox45 | --- | verified |
| firefox-esr38 | --- | unaffected |
People
(Reporter: gkw, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])
Crash Data
Attachments
(3 files)
(function() {
const x = ""
x = y;
x = z;
})()
asserts js debug shell on m-c changeset e8c7dfe727cd with --fuzzing-safe --no-threads --ion-eager at Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r e8c7dfe727cd
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151016163631" and the hash "4690eec6b6583f4fd01b8b60be3ce6867d85ed78".
The "bad" changeset has the timestamp "20151016175031" and the hash "97e02e8d43a140b5389bd50acfd0bc33d1cd5aea".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4690eec6b6583f4fd01b8b60be3ce6867d85ed78&tochange=97e02e8d43a140b5389bd50acfd0bc33d1cd5aea
Shu-yu, is bug 1215341 a likely regressor?
Flags: needinfo?(shu)
Comment 1•9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x1978bc, 0x000000010016b934 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineScript::icEntryFromPCOffset(this=<unavailable>, pcOffset=<unavailable>, prevLookedUpEntry=<unavailable>) + 324 at BaselineJIT.cpp:649, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010016b934 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineScript::icEntryFromPCOffset(this=<unavailable>, pcOffset=<unavailable>, prevLookedUpEntry=<unavailable>) + 324 at BaselineJIT.cpp:649
frame #1: 0x0000000100253ab1 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::icEntryFromPC(this=0x0000000102cbe100, pc=<unavailable>) + 97 at BaselineInspector.h:75
frame #2: 0x0000000100167f34 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(this=<unavailable>, pc=<unavailable>, holder=0x00007fff5fbfde48, holderShape=0x00007fff5fbfde60, commonGetter=0x00007fff5fbfde58, globalShape=0x00007fff5fbfde50, isOwnProperty=<unavailable>, receivers=<unavailable>, convertUnboxedGroups=<unavailable>) + 100 at BaselineInspector.cpp:624
frame #3: 0x000000010020bb8e js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::getPropTryCommonGetter(this=0x0000000102cbe1a8, emitted=0x00007fff5fbfdeb7, obj=0x0000000102cbf9c8, name=0x0000000102d00b98, types=0x0000000102cbeaa0) + 270 at IonBuilder.cpp:11455
frame #4: 0x00000001001f7f27 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::jsop_getgname(this=0x0000000102cbe1a8, name=0x0000000102d00b98) + 199 at IonBuilder.cpp:8236
(lldb)
Comment 2•9 years ago (Reporter)
The testcase in comment 0 also crashes js opt shell on m-c changeset e8c7dfe727cd with --fuzzing-safe --no-threads --ion-eager at js::jit::BaselineInspector::commonGetPropFunction
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic" -r e8c7dfe727cd
Setting [fuzzblocker] because this happens really often, and setting s-s on this because it seems to be accessing weird memory addresses:
(lldb) dis -p
js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction:
-> 0x1000e3420 <+192>: movzwl 0x12(%rbp), %ecx
0x1000e3424 <+196>: andl $0xfff8, %ecx
0x1000e342a <+202>: xorl %eax, %eax
0x1000e342c <+204>: movswl %cx, %edx
(lldb) register read $rbp
rbp = 0x0000032900000000
(lldb) register read $ecx
ecx = 0x040afbe8
(lldb)
Crash Signature: [@ js::jit::BaselineInspector::commonGetPropFunction]
Keywords: crash
Summary: Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp → Crash [@ js::jit::BaselineInspector::commonGetPropFunction] or Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Comment 3•9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x198311, 0x00000001000e3420 js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::kind(this=<unavailable>) const + 3 at SharedIC.h:575, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x32900000012)
* frame #0: 0x00000001000e3420 js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::kind(this=<unavailable>) const + 3 at SharedIC.h:575
frame #1: 0x00000001000e341d js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::isGetProp_CallScripted(this=<unavailable>) const at SharedIC.h:644
frame #2: 0x00000001000e341d js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(this=<unavailable>, pc=<unavailable>, holder=0x00007fff5fbfe328, holderShape=0x00007fff5fbfe340, commonGetter=0x00007fff5fbfe338, globalShape=0x00007fff5fbfe330, isOwnProperty=0x00007fff5fbfe327, receivers=<unavailable>, convertUnboxedGroups=<unavailable>) + 189 at BaselineInspector.cpp:627
frame #3: 0x0000000100144c75 js-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::getPropTryCommonGetter(this=0x0000000101faf188, emitted=0x00007fff5fbfe397, obj=0x0000000101fb07b0, name=0x0000000104000b98, types=0x0000000101faf8f8) + 277 at IonBuilder.cpp:11455
frame #4: 0x0000000100136d13 js-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::jsop_getgname(this=0x0000000101faf188, name=0x0000000104000b98) + 419 at IonBuilder.cpp:8236
(lldb)
Comment 4•9 years ago (Assignee)
I investigated bug 1216132, which seems to be the same issue.
The problem here is that BytecodeFallsThrough returns false for THROWSETCONST/THROWSETALIASEDCONST, and the Baseline compiler skips these unreachable ops. IonBuilder on the other hand doesn't skip these ops, hence the failure.
I can take this.
Flags: needinfo?(shu) → needinfo?(jdemooij)
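To make the mechanism in comment 4 concrete, here is a small Python model added for this page; it is not SpiderMonkey code. Only the op names GETGNAME and THROWSETCONST come from the bug; the op lengths, the POP/RETRVAL ops, the exact bytecode sequence for the testcase, and the function names are constructed simplifications. Baseline builds its IC-entry table only for ops it can reach by fall-through, so nothing is recorded for the ops after THROWSETCONST; an IonBuilder walk that does not treat THROWSETCONST as control flow still reaches the second GETGNAME and asks the inspector for an IC entry at a pc offset that has none, which is the failed `curEntry->pcOffset() == pcOffset` check in the debug build and a read through a bogus stub pointer in the opt build. The fixed walk stops at the non-falling-through op.

```python
from dataclasses import dataclass

# Toy bytecode description. GETGNAME and THROWSETCONST are named in the bug;
# the lengths, the POP/RETRVAL ops and the sequence below are constructed
# simplifications, not SpiderMonkey's real bytecode layout.
@dataclass(frozen=True)
class Op:
    name: str
    length: int          # size of the op in bytes (constructed values)
    has_ic: bool         # Baseline emits an inline-cache entry for this op
    falls_through: bool  # models BytecodeFallsThrough(): can the next op run?

GETGNAME = Op("GETGNAME", 5, True, True)
THROWSETCONST = Op("THROWSETCONST", 1, False, False)  # always throws
POP = Op("POP", 1, False, True)
RETRVAL = Op("RETRVAL", 1, False, False)

# Rough shape of `const x = ""; x = y; x = z;` from the testcase (assumed):
# each assignment loads the global (GETGNAME) and then hits THROWSETCONST.
PROGRAM = [GETGNAME, THROWSETCONST, POP, GETGNAME, THROWSETCONST, POP, RETRVAL]

@dataclass(frozen=True)
class ICEntry:
    pc_offset: int
    op_name: str

class ICMismatch(Exception):
    """Stands in for the failed `curEntry->pcOffset() == pcOffset` assertion."""
    def __init__(self, pc_offset):
        super().__init__(f"no IC entry for pc offset {pc_offset}")
        self.pc_offset = pc_offset

def baseline_ic_entries(program):
    """Model of the Baseline compiler's IC table: entries are emitted only for
    ops reachable by fall-through (this toy has no jumps, so nothing is a jump
    target). Ops after a non-falling-through op are skipped entirely."""
    entries, pc, reachable = [], 0, True
    for op in program:
        if reachable and op.has_ic:
            entries.append(ICEntry(pc, op.name))
        if reachable and not op.falls_through:
            reachable = False
        pc += op.length
    return entries

def ic_entry_from_pc_offset(entries, pc_offset):
    """Model of BaselineScript::icEntryFromPCOffset: binary-search the table,
    which is sorted by pc offset, and insist the hit is for exactly this pc."""
    lo, hi = 0, len(entries)
    while lo < hi:
        mid = (lo + hi) // 2
        if entries[mid].pc_offset < pc_offset:
            lo = mid + 1
        else:
            hi = mid
    if lo == len(entries) or entries[lo].pc_offset != pc_offset:
        raise ICMismatch(pc_offset)  # debug build: assert; opt build: bad stub pointer
    return entries[lo]

def ion_walk(program, entries, stop_at_non_fallthrough):
    """Model of IonBuilder walking the same bytecode and consulting the
    BaselineInspector for every IC-bearing op. stop_at_non_fallthrough=False
    behaves like the unfixed builder that kept going past THROWSETCONST;
    True models the fix that treats such ops as control flow."""
    looked_up, pc = [], 0
    for op in program:
        if op.has_ic:
            ic_entry_from_pc_offset(entries, pc)
            looked_up.append(pc)
        if stop_at_non_fallthrough and not op.falls_through:
            break
        pc += op.length
    return looked_up

def buggy_failure_offset(program=PROGRAM):
    """Return the pc offset at which the unfixed walk fails, or None."""
    try:
        ion_walk(program, baseline_ic_entries(program), stop_at_non_fallthrough=False)
    except ICMismatch as err:
        return err.pc_offset
    return None

def fixed_lookups(program=PROGRAM):
    """Return the pc offsets the fixed walk looks up (never past THROWSETCONST)."""
    return ion_walk(program, baseline_ic_entries(program), stop_at_non_fallthrough=True)

if __name__ == "__main__":
    print("Baseline IC entries:", baseline_ic_entries(PROGRAM))
    print("unfixed IonBuilder fails at pc offset", buggy_failure_offset())
    print("fixed IonBuilder looks up pc offsets", fixed_lookups())
```

In the model the Baseline table holds a single entry (pc offset 0, the first GETGNAME); the unfixed walk fails when it asks for offset 7, the second GETGNAME, while the fixed walk stops at the first THROWSETCONST and never issues that lookup. The real table search is the same idea: a lookup for an offset Baseline never compiled has no matching entry, and whatever the opt build reads from that slot is what later shows up as a wild pointer in ICStub::kind.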
Comment 6•9 years ago (Assignee)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8675741 - Flags: review?(shu)
Comment 7•9 years ago
Comment on attachment 8675741 [details] [diff] [review]
Patch
Review of attachment 8675741 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks for the patch! Should've known the new ops should've been handled as control flow in IonBuilder.
Attachment #8675741 - Flags: review?(shu) → review+
Comment 8•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/d1e0b2e1b8ea
No sec-approval because recent regression.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Updated•9 years ago
Group: javascript-core-security → core-security-release
Updated•9 years ago
Comment 11•9 years ago
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx44
Comment 12•9 years ago
Marking 43 as unaffected based on regression window.
status-firefox43: --- → unaffected
Updated•9 years ago
Group: core-security-release
status-firefox-esr38: --- → unaffected