Closed Bug 1257089 Opened 9 years ago Closed 9 years ago

Assertion failure: block->graph().osrBlock(), at js/src/jit/Lowering.cpp:4691

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox47 --- unaffected
firefox48 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 7773387a9a2f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-gvn=off):

    (function() {
        for (var i = 0; i < 0; ++i) {}
    })();

Backtrace:

    0  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010036ee29 js::jit::LIRGenerator::updateResumeState(js::jit::MBasicBlock*) + 233 (Lowering.cpp:4691)
    1  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010036ee68 js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) + 40 (Lowering.cpp:4662)
    2  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010036f2d9 js::jit::LIRGenerator::generate() + 153 (Lowering.cpp:4759)
    3  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x00000001002885ca js::jit::GenerateLIR(js::jit::MIRGenerator*) + 474 (Ion.cpp:1831)
    4  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x0000000100288c22 js::jit::CompileBackEnd(js::jit::MIRGenerator*) + 82 (Ion.cpp:1926)
    5  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010028a957 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 4183 (Ion.cpp:2190)
    6  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010028954a js::jit::CanEnter(JSContext*, js::RunState&) + 378 (Ion.cpp:2449)
    7  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010079cf85 js::RunScript(JSContext*, js::RunState&) + 389 (Interpreter.cpp:405)
    8  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x00000001007b3689 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 841 (Interpreter.cpp:496)
    9  js-dbg-64-dm-clang-darwin-7773387a9a2f 0x00000001007b3d6b js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:530)
    10 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x0000000100460054 js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 580 (VMFunctions.cpp:104)
    11 ???                                    0x0000000101eee5fb 0 + 4327400955
    12 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010028c593 js::jit::IonCannon(JSContext*, js::RunState&) + 755 (Ion.cpp:2715)
    13 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x000000010079cfa4 js::RunScript(JSContext*, js::RunState&) + 420 (Interpreter.cpp:408)
    14 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x00000001007b4afa js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 602 (Interpreter.cpp:684)
    15 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x00000001007b4e85 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
    16 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x00000001005544a8 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 408 (jsapi.cpp:4371)
    17 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x00000001005546e2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
    18 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x0000000100020aff Process(JSContext*, char const*, bool, FileKind) + 3439 (js.cpp:522)
    19 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x0000000100006052 main + 12370 (js.cpp:6612)
    20 js-dbg-64-dm-clang-darwin-7773387a9a2f 0x0000000100001024 start + 52

Setting this as s-s just-in-case, because it involves the LIR. However, also note that --ion-gvn=off is needed.
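The following is an added reproduction and triage helper, not part of the bug report or of the SpiderMonkey tree. It writes the reporter's testcase from comment 0 to a file, runs it against a debug js shell with the exact flags given there, and reduces the captured stderr to the assertion signature (source file and line), which is the key that fuzz triage tools such as jsbugmon dedupe on. The path to the js shell (JS_SHELL) and the testcase file name are assumptions; the flags and the assertion text are from the report.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Assumptions: JS_SHELL points at a
# --enable-debug js shell build; the testcase file name is arbitrary.

# Write the testcase from comment 0 of the bug to the given path.
write_testcase() {
    cat > "$1" <<'EOF'
(function() {
    for (var i = 0; i < 0; ++i) {}
})();
EOF
}

# Run the testcase with the flags from the report, capturing stderr to a log.
# Returns the shell's exit status (non-zero on an assertion failure or crash).
run_testcase() {
    js="${JS_SHELL:-./js}"        # assumption: debug js shell binary
    testcase="$1"
    log="$2"
    "$js" --fuzzing-safe --no-threads --ion-eager --ion-gvn=off "$testcase" \
        >/dev/null 2>"$log"
}

# Reduce a captured stderr log to a triage signature:
#   "assertion <file>:<line>"  for a MOZ_ASSERT-style "Assertion failure: ..., at F:L"
#   "signal"                   for a crash without an assertion line
#   "clean"                    otherwise
# Only the first assertion line is used; the file:line pair is what the
# bug summary itself is keyed on (Lowering.cpp:4691 here).
classify_log() {
    log="$1"
    sig=$(sed -n 's/^Assertion failure: .*, at \([^ ]*\):\([0-9][0-9]*\).*/\1:\2/p' "$log" | head -n 1)
    if [ -n "$sig" ]; then
        echo "assertion $sig"
    elif grep -qE 'Segmentation fault|SIGSEGV|Bus error|SIGBUS' "$log"; then
        echo "signal"
    else
        echo "clean"
    fi
}

# Usage: JS_SHELL=/path/to/js sh repro.sh --run
if [ "${1-}" = "--run" ]; then
    tc=$(mktemp -t tc.XXXXXX).js
    log=$(mktemp -t log.XXXXXX)
    write_testcase "$tc"
    run_testcase "$tc" "$log" || true
    classify_log "$log"
    rm -f "$tc" "$log"
fi
```

A signature of `assertion js/src/jit/Lowering.cpp:4691` on the 7773387a9a2f build matches this bug; a `clean` result on a later revision is the quick check that the fix landed, and the same classifier can be pointed at the gdb output from comment 7 since it carries the same "Assertion failure: ..., at" line.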
This is happening very often, essentially fuzzing with --ion-gvn=off is broken right now.
Whiteboard: [jsbugmon:update,bisect] → [fuzzblocker][jsbugmon:update,bisect]
This also happens without --ion-gvn=off it seems, at least LangFuzz is hitting this quite often as well (and I think I don't fuzz with that option). Can we fix this issue quickly?
This is likely a greedy assertion added in Bug 1186006.
Flags: needinfo?(nicolas.b.pierron)
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
I am unable to reproduce this issue on Linux x64. I really do not see how this issue could depend on the platform. Dan, can you look if you can reproduce this issue?
Flags: needinfo?(sunfish)
Whiteboard: [fuzzblocker][jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160315095526" and the hash "1b13d13b8cc582431eb30bb19fee8a20c0047d86".
The "bad" changeset has the timestamp "20160315095634" and the hash "130026ae6a1e5b748dc8a583ec612ccdb4b31c61".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1b13d13b8cc582431eb30bb19fee8a20c0047d86&tochange=130026ae6a1e5b748dc8a583ec612ccdb4b31c61
(In reply to Nicolas B. Pierron [:nbp] from comment #4)
> I am unable to reproduce this issue on Linux x64.
> I really do not see how this issue could depend on the platform.
>
> Dan, can you look if you can reproduce this issue?

I could reproduce with: --no-threads --ion-eager --ion-gvn=off

Did you use all the flags?
Flags: needinfo?(nicolas.b.pierron)
This is an automated crash issue comment:

Summary: Assertion failure: block->graph().osrBlock(), at js/src/jit/Lowering.cpp:4691
Build version: mozilla-central revision 341344bdec8f
Build flags: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug
Runtime options: --fuzzing-safe --no-threads --disable-oom-functions --baseline-eager --ion-eager

Testcase:

    function withJitOptions() {
        oldOpts = getJitCompilerOptions();
        try {} finally {
            for (k in oldOpts)
                setJitCompilerOption(k, oldOpts[k]);
        }
    }
    withJitOptions();
    function unboxint() {
        for (var i = 0; i < 0;) 0
    }
    unboxint();

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000007346a7 in js::jit::LIRGenerator::updateResumeState (this=this@entry=0x7fffffffb1c0, block=block@entry=0x7ffff6996b18) at js/src/jit/Lowering.cpp:4691
    #0  0x00000000007346a7 in js::jit::LIRGenerator::updateResumeState (this=this@entry=0x7fffffffb1c0, block=block@entry=0x7ffff6996b18) at js/src/jit/Lowering.cpp:4691
    #1  0x00000000007346e7 in js::jit::LIRGenerator::visitBlock (this=0x7fffffffb1c0, block=0x7ffff6996b18) at js/src/jit/Lowering.cpp:4701
    #2  0x0000000000734af3 in js::jit::LIRGenerator::generate (this=this@entry=0x7fffffffb1c0) at js/src/jit/Lowering.cpp:4759
    #3  0x0000000000692e52 in js::jit::GenerateLIR (mir=mir@entry=0x7ffff69951c0) at js/src/jit/Ion.cpp:1831
    #4  0x00000000006967e3 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69951c0) at js/src/jit/Ion.cpp:1926
    #5  0x000000000069fbf9 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907800, script=script@entry=0x7ffff7e6e300, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2190
    #6  0x00000000006a02cc in js::jit::Compile (cx=cx@entry=0x7ffff6907800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2357
    #7  0x00000000006a04de in js::jit::CanEnter (cx=cx@entry=0x7ffff6907800, state=...) at js/src/jit/Ion.cpp:2449
    #8  0x0000000000a7abf9 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:404
    #9  0x0000000000a7aefc in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496
    #10 0x0000000000a7b8fc in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffcc08, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530
    #11 0x0000000000d32b66 in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffcc38, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcbf8, res=...) at js/src/jit/BaselineIC.cpp:6140
    #12 0x00007ffff7fe9f2f in ?? ()
    #13 0x0000000000000000 in ?? ()

Registers:

    rax 0x0                0
    rbx 0x7ffff6996b18     140737330637592
    rcx 0x7ffff6ca5870     140737333844080
    rdx 0x0                0
    rsi 0x7ffff6f7a9d0     140737336814032
    rdi 0x7ffff6f791c0     140737336807872
    rbp 0x7fffffffb0c0     140737488335040
    rsp 0x7fffffffb0b0     140737488335024
    r8  0x7ffff7fdf7c0     140737354004416
    r9  0x6372732f736a2f6c 7165916604736876396
    r10 0x7fffffffae70     140737488334448
    r11 0x7ffff6c27ee0     140737333329632
    r12 0x7fffffffb1c0     140737488335296
    r13 0x7ffff6996b18     140737330637592
    r14 0x7ffff6996b18     140737330637592
    r15 0x7ffff69951c0     140737330631104
    rip 0x7346a7 <js::jit::LIRGenerator::updateResumeState(js::jit::MBasicBlock*)+215>

Disassembly:

    => 0x7346a7 <js::jit::LIRGenerator::updateResumeState(js::jit::MBasicBlock*)+215>: movl   $0x1253,0x0
       0x7346b2 <js::jit::LIRGenerator::updateResumeState(js::jit::MBasicBlock*)+226>: callq  0x4a7c60 <abort()>
Flags: needinfo?(sunfish)
(In reply to Benjamin Bouvier [:bbouvier] from comment #6)
> I could reproduce […]
> Did you use all the flags?

This was my bad, I forgot to fetch the latest modification before rebasing.
Flags: needinfo?(nicolas.b.pierron)
Attachment #8731684 - Flags: review?(sunfish) → review+
This is not a security issue, only greedy assertions.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48