Closed Bug 1218065 Opened 7 years ago Closed 7 years ago

Crash [@ js::GetSrcNoteOffset] or Assertion failure: current, at jit/IonBuilder.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][fuzzblocker])

Crash Data

Attachments

(3 files)

{
    const b = 0;
    switch (1) {
        case b = 0:  // assignment to a const inside a case label
    }
}

asserts js debug shell on m-c changeset 76bd0c01d72e with --fuzzing-safe --no-threads --ion-eager at Assertion failure: current, at jit/IonBuilder.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 76bd0c01d72e

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151021005222" and the hash "a286c89173e5352fc8831015d7e286fb513fc427".
The "bad" changeset has the timestamp "20151021011502" and the hash "d1e0b2e1b8ea2e241eebc747c9f2ca85858642f3".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a286c89173e5352fc8831015d7e286fb513fc427&tochange=d1e0b2e1b8ea2e241eebc747c9f2ca85858642f3

Jan, is bug 1215992 or bug 1216151 a likely regressor?
Flags: needinfo?(jdemooij)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x6ad29, 0x0000000100201b64 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::processCondSwitchCase(this=<unavailable>, state=<unavailable>) + 1988 at IonBuilder.cpp:4040, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100201b64 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::processCondSwitchCase(this=<unavailable>, state=<unavailable>) + 1988 at IonBuilder.cpp:4040
    frame #1: 0x00000001001f3789 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::processCfgStack(this=0x0000000102dbe1a8) + 41 at IonBuilder.cpp:2142
    frame #2: 0x00000001001f1722 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::traverseBytecode(this=0x0000000102dbe1a8) + 306 at IonBuilder.cpp:1484
    frame #3: 0x00000001001ed204 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::build(this=0x0000000102dbe1a8) + 1476 at IonBuilder.cpp:913
    frame #4: 0x00000001001e5914 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 2150 at Ion.cpp:2177
(lldb)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d1e0b2e1b8ea
user:        Jan de Mooij
date:        Wed Oct 21 10:09:40 2015 +0200
summary:     Bug 1215992 - Terminate control flow for THROWSETCONST/THROWSETALIASEDCONST in IonBuilder. r=shu

Jan, is bug 1215992 a more likely regressor?
Blocks: 1215992
The testcase in comment 0 also causes a null-deref at js::GetSrcNoteOffset on js opt shells (tested on m-c rev d53a52b39a95):

(lldb) dis -p
js-64-dm-darwin-d53a52b39a95`js::jit::MBasicBlock::pop:
->  0x1001c8bc0 <+0>:  movl   0x88(%rdi), %eax
    0x1001c8bc6 <+6>:  decl   %eax
    0x1001c8bc8 <+8>:  movl   %eax, 0x88(%rdi)
    0x1001c8bce <+14>: movq   0x78(%rdi), %rcx
(lldb) register read $rdi
     rdi = 0x0000000000000000
(lldb) register read $eax
     eax = 0x0013d380
(lldb)

Opt shell configure parameters:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
No longer blocks: 930414
Crash Signature: [@ js::GetSrcNoteOffset]
Keywords: crash
Summary: Assertion failure: current, at jit/IonBuilder.cpp → Crash [@ js::GetSrcNoteOffset] or Assertion failure: current, at jit/IonBuilder.cpp
Attached file Opt stack
(lldb) bt 5
* thread #1: tid = 0xc797e, 0x0000000100515b80 js-64-dm-darwin-d53a52b39a95`js::GetSrcNoteOffset(sn=0x0000000000000000, which=<unavailable>) at BytecodeEmitter.cpp:8524, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1)
  * frame #0: 0x0000000100515b80 js-64-dm-darwin-d53a52b39a95`js::GetSrcNoteOffset(sn=0x0000000000000000, which=<unavailable>) at BytecodeEmitter.cpp:8524
    frame #1: 0x000000010013e00c js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::processCondSwitchCase(this=0x00000001042f4188, state=0x00000001042f4398) + 92 at IonBuilder.cpp:4049
    frame #2: 0x0000000100132898 js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::processCfgStack(this=0x00000001042f4188) + 72 at IonBuilder.cpp:2142
    frame #3: 0x0000000100131472 js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::traverseBytecode(this=0x00000001042f4188) + 322 at IonBuilder.cpp:1484
    frame #4: 0x000000010012e046 js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::build(this=0x00000001042f4188) + 1798 at IonBuilder.cpp:913
I'm also seeing several more crashes probably related to this bug. Marking as fuzzblocker.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Attached patch Patch
Turns out terminating control flow for THROWSETCONST in IonBuilder is complicated because it can happen in a lot of places where we don't handle this. Like the 'case b = 0' in this testcase, or 'while (b = 0)' in the other bug.

I tried to fix these places but it's a lot of complexity. This patch just treats THROWSETCONST as a non-fallthrough op for simplicity. It's an edge case anyway so not worth spending more time on.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8679414 - Flags: review?(shu)
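The comment above names two expression positions (a switch case label and a while condition) where an assignment to a const binding reaches IonBuilder as THROWSETCONST. The harness below is an added example, not part of this bug or of the SpiderMonkey sources: it checks at the JavaScript level that each such position throws a TypeError at runtime, and goes beyond the two named positions to a few more for comparison. All case names and function bodies are constructed for the example; it only observes the runtime error and does not exercise the JIT.

```javascript
// Added example (not from the bug or from SpiderMonkey): verify that assigning
// to a const binding throws a TypeError in several expression positions,
// including the two mentioned in the bug (case label, while condition).

// Constructed function bodies: each declares a const and then assigns to it
// in one particular syntactic position.
const CONST_ASSIGNMENT_CASES = {
  caseLabel:      "const b = 0; switch (1) { case b = 0: }",
  whileCondition: "const b = 0; while (b = 0) {}",
  ifCondition:    "const b = 0; if (b = 0) {}",
  forCondition:   "const b = 0; for (; b = 0;) {}",
  ternaryTest:    "const b = 0; (b = 0) ? 1 : 2;",
  commaOperand:   "const b = 0; (b = 0, 1);",
  plainStatement: "const b = 0; b = 0;",
};

// Compile the body with the Function constructor and run it. Returns true only
// when the body throws a TypeError; no throw or any other error returns false,
// so a regression in const enforcement would be visible.
function assignmentToConstThrows(body) {
  let fn;
  try {
    fn = new Function(body);
  } catch (e) {
    return false; // a SyntaxError would mean the constructed body is not valid JS
  }
  try {
    fn();
  } catch (e) {
    return e instanceof TypeError;
  }
  return false;
}

// Run every case and return a name -> boolean map.
function checkAllConstPositions(cases = CONST_ASSIGNMENT_CASES) {
  const results = {};
  for (const [name, body] of Object.entries(cases)) {
    results[name] = assignmentToConstThrows(body);
  }
  return results;
}

// Control: the same positions with `let` instead of `const` must not throw,
// which confirms the harness reacts to the const-specific error and nothing else.
function letControlDoesNotThrow(cases = CONST_ASSIGNMENT_CASES) {
  return Object.values(cases).every(
    body => !assignmentToConstThrows(body.replace("const b", "let b"))
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkAllConstPositions());
  console.log("let control ok:", letControlDoesNotThrow());
}
```

Run it with `node` to see a map with `true` for every position; the `let` control line should also print `true`. The bodies are built with the Function constructor rather than pasted inline so that each position is compiled and executed in isolation, which is the same shape a minimal fuzz-reduced testcase like the one in comment 0 takes.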
Duplicate of this bug: 1218196
Comment on attachment 8679414 [details] [diff] [review]
Patch

Review of attachment 8679414 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, this is sensible to me. Sorry for trying to be too clever with the fallthrough thing and botching it. :(
Attachment #8679414 - Flags: review?(shu) → review+
(In reply to Shu-yu Guo [:shu] from comment #8)
> Sorry for trying to be too clever with the
> fallthrough thing and botching it. :(

No worries, I also thought it made sense to match JSOP_THROW. Then fuzzing happened :)
https://hg.mozilla.org/mozilla-central/rev/30a015dc8335
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44