Closed Bug 1215992 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::BaselineInspector::commonGetPropFunction] or Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla44
Tracking Status
firefox43 --- unaffected
firefox44 --- verified
firefox45 --- verified
firefox-esr38 --- unaffected

People

(Reporter: gkw, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(3 files)

(function() { const x = "" x = y; x = z; })() asserts js debug shell on m-c changeset e8c7dfe727cd with --fuzzing-safe --no-threads --ion-eager at Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r e8c7dfe727cd === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151016163631" and the hash "4690eec6b6583f4fd01b8b60be3ce6867d85ed78". The "bad" changeset has the timestamp "20151016175031" and the hash "97e02e8d43a140b5389bd50acfd0bc33d1cd5aea". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4690eec6b6583f4fd01b8b60be3ce6867d85ed78&tochange=97e02e8d43a140b5389bd50acfd0bc33d1cd5aea Shu-yu, is bug 1215341 a likely regressor?
Flags: needinfo?(shu)
Attached file stack
(lldb) bt 5 * thread #1: tid = 0x1978bc, 0x000000010016b934 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineScript::icEntryFromPCOffset(this=<unavailable>, pcOffset=<unavailable>, prevLookedUpEntry=<unavailable>) + 324 at BaselineJIT.cpp:649, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x000000010016b934 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineScript::icEntryFromPCOffset(this=<unavailable>, pcOffset=<unavailable>, prevLookedUpEntry=<unavailable>) + 324 at BaselineJIT.cpp:649 frame #1: 0x0000000100253ab1 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::icEntryFromPC(this=0x0000000102cbe100, pc=<unavailable>) + 97 at BaselineInspector.h:75 frame #2: 0x0000000100167f34 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(this=<unavailable>, pc=<unavailable>, holder=0x00007fff5fbfde48, holderShape=0x00007fff5fbfde60, commonGetter=0x00007fff5fbfde58, globalShape=0x00007fff5fbfde50, isOwnProperty=<unavailable>, receivers=<unavailable>, convertUnboxedGroups=<unavailable>) + 100 at BaselineInspector.cpp:624 frame #3: 0x000000010020bb8e js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::getPropTryCommonGetter(this=0x0000000102cbe1a8, emitted=0x00007fff5fbfdeb7, obj=0x0000000102cbf9c8, name=0x0000000102d00b98, types=0x0000000102cbeaa0) + 270 at IonBuilder.cpp:11455 frame #4: 0x00000001001f7f27 js-dbg-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::jsop_getgname(this=0x0000000102cbe1a8, name=0x0000000102d00b98) + 199 at IonBuilder.cpp:8236 (lldb)
The testcase in comment 0 also crashes js opt shell on m-c changeset e8c7dfe727cd with --fuzzing-safe --no-threads --ion-eager at js::jit::BaselineInspector::commonGetPropFunction Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic" -r e8c7dfe727cd Setting [fuzzblocker] because this happens really often, and setting s-s on this because it seems to be accessing weird memory addresses: (lldb) dis -p js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction: -> 0x1000e3420 <+192>: movzwl 0x12(%rbp), %ecx 0x1000e3424 <+196>: andl $0xfff8, %ecx 0x1000e342a <+202>: xorl %eax, %eax 0x1000e342c <+204>: movswl %cx, %edx (lldb) register read $rbp rbp = 0x0000032900000000 (lldb) register read $ecx ecx = 0x040afbe8 (lldb)
Crash Signature: [@ js::jit::BaselineInspector::commonGetPropFunction]
Keywords: crash
Summary: Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp → Crash [@ js::jit::BaselineInspector::commonGetPropFunction] or Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Attached file stack for opt crash
(lldb) bt 5 * thread #1: tid = 0x198311, 0x00000001000e3420 js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::kind(this=<unavailable>) const + 3 at SharedIC.h:575, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x32900000012) * frame #0: 0x00000001000e3420 js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::kind(this=<unavailable>) const + 3 at SharedIC.h:575 frame #1: 0x00000001000e341d js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, js::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, js::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) [inlined] js::jit::ICStub::isGetProp_CallScripted(this=<unavailable>) const at SharedIC.h:644 frame #2: 0x00000001000e341d js-64-dm-darwin-e8c7dfe727cd`js::jit::BaselineInspector::commonGetPropFunction(this=<unavailable>, pc=<unavailable>, holder=0x00007fff5fbfe328, holderShape=0x00007fff5fbfe340, commonGetter=0x00007fff5fbfe338, globalShape=0x00007fff5fbfe330, isOwnProperty=0x00007fff5fbfe327, receivers=<unavailable>, convertUnboxedGroups=<unavailable>) + 189 at BaselineInspector.cpp:627 frame #3: 0x0000000100144c75 js-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::getPropTryCommonGetter(this=0x0000000101faf188, emitted=0x00007fff5fbfe397, obj=0x0000000101fb07b0, name=0x0000000104000b98, types=0x0000000101faf8f8) + 277 at IonBuilder.cpp:11455 frame #4: 0x0000000100136d13 js-64-dm-darwin-e8c7dfe727cd`js::jit::IonBuilder::jsop_getgname(this=0x0000000101faf188, name=0x0000000104000b98) + 419 at IonBuilder.cpp:8236 (lldb)
I investigated bug 1216132, which seems to be the same issue. The problem here is that BytecodeFallsThrough returns false for THROWSETCONST/THROWSETALIASEDCONST, and the Baseline compiler skips these unreachable ops. IonBuilder on the other hand doesn't skip these ops, hence the failure. I can take this.
Flags: needinfo?(shu) → needinfo?(jdemooij)
Attached patch PatchSplinter Review
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8675741 - Flags: review?(shu)
Comment on attachment 8675741 [details] [diff] [review] Patch Review of attachment 8675741 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for the patch! Should've known the new ops should've been handled as control flow in IonBuilder.
Attachment #8675741 - Flags: review?(shu) → review+
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Group: javascript-core-security → core-security-release
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed. JSBugMon: This bug has been automatically verified fixed on Fx44
Marking 43 as unaffected based on regression window.
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: