Closed Bug 1261326 Opened 4 years ago Closed 4 years ago

Assertion failure: value->type() == MIRType_Object || value->type() == MIRType_Null || value->type() == MIRType_Value, at js/src/jit/IonBuilder.cpp:12564

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision bccb11375f2a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --baseline-eager):

x = x = "";
function Obj1(x) 
  this.x = x;
arr = [];
o = {};
for (i = 0; i < 10000; i++) 
  new Obj1(o);
Obj1('');



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006c9169 in js::jit::IonBuilder::storeUnboxedValue (this=this@entry=0x7fffffffba90, obj=obj@entry=0x7ffff699e280, elements=elements@entry=0x7ffff699e280, elementsOffset=elementsOffset@entry=16, scaledOffset=scaledOffset@entry=0x7ffff699e328, unboxedType=unboxedType@entry=JSVAL_TYPE_OBJECT, value=value@entry=0x7ffff699b810, preBarrier=preBarrier@entry=true) at js/src/jit/IonBuilder.cpp:12562
#0  0x00000000006c9169 in js::jit::IonBuilder::storeUnboxedValue (this=this@entry=0x7fffffffba90, obj=obj@entry=0x7ffff699e280, elements=elements@entry=0x7ffff699e280, elementsOffset=elementsOffset@entry=16, scaledOffset=scaledOffset@entry=0x7ffff699e328, unboxedType=unboxedType@entry=JSVAL_TYPE_OBJECT, value=value@entry=0x7ffff699b810, preBarrier=preBarrier@entry=true) at js/src/jit/IonBuilder.cpp:12562
#1  0x00000000006c9845 in js::jit::IonBuilder::storeUnboxedProperty (this=this@entry=0x7fffffffba90, obj=obj@entry=0x7ffff699e280, offset=<optimized out>, unboxedType=<optimized out>, value=value@entry=0x7ffff699b810) at js/src/jit/IonBuilder.cpp:12528
#2  0x00000000006ef714 in js::jit::IonBuilder::setPropTryInlineAccess (this=this@entry=0x7fffffffba90, emitted=emitted@entry=0x7fffffffb750, obj=0x7ffff699e280, name=name@entry=0x7ffff7e00b68, value=0x7ffff699b810, barrier=barrier@entry=false, objTypes=objTypes@entry=0x7ffff699e1b8) at js/src/jit/IonBuilder.cpp:12685
#3  0x0000000000700bdd in js::jit::IonBuilder::jsop_setprop (this=this@entry=0x7fffffffba90, name=0x7ffff7e00b68) at js/src/jit/IonBuilder.cpp:12229
#4  0x00000000006f9654 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7fffffffba90, op=op@entry=JSOP_SETPROP) at js/src/jit/IonBuilder.cpp:2030
#5  0x00000000006fa098 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffba90) at js/src/jit/IonBuilder.cpp:1523
#6  0x00000000006fb052 in js::jit::IonBuilder::buildInline (this=this@entry=0x7fffffffba90, callerBuilder=callerBuilder@entry=0x7ffff6994270, callerResumePoint=callerResumePoint@entry=0x7ffff699b988, callInfo=...) at js/src/jit/IonBuilder.cpp:1090
#7  0x00000000006fb69c in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7ffff6994270, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:5129
#8  0x00000000006fc190 in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff6994270, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5637
#9  0x00000000006fd8dc in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff6994270, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5693
#10 0x00000000006fdc6d in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff6994270, argc=1, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6631
#11 0x00000000006f9688 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff6994270, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1889
#12 0x00000000006fa098 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff6994270) at js/src/jit/IonBuilder.cpp:1523
#13 0x00000000006fa8d5 in js::jit::IonBuilder::build (this=this@entry=0x7ffff6994270) at js/src/jit/IonBuilder.cpp:918
#14 0x00000000006ade69 in js::jit::IonCompile (cx=cx@entry=0x7ffff6908800, script=script@entry=0x7ffff7e6f160, baselineFrame=baselineFrame@entry=0x7fffffffcc28, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2143
#15 0x00000000006ae8ec in js::jit::Compile (cx=0x7ffff6908800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffcc28, osrPc=osrPc@entry=0x7ffff518e839 "ず", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2375
#16 0x00000000006af3a2 in BaselineCanEnterAtBranch (pc=0x7ffff518e839 "ず", osrFrame=0x7fffffffcc28, script=..., cx=0x7ffff6908800) at js/src/jit/Ion.cpp:2562
#17 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6908800, frame=frame@entry=0x7fffffffcc28, pc=pc@entry=0x7ffff518e839 "ず") at js/src/jit/Ion.cpp:2620
#18 0x0000000000616697 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6908800, frame=0x7fffffffcc28, stub=0x7ffff51bc4f8, infoPtr=0x7fffffffcc00) at js/src/jit/BaselineIC.cpp:141
#19 0x00007ffff7ff2679 in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffba90	140737488337552
rcx	0x7ffff6ca5870	140737333844080
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb540	140737488336192
rsp	0x7fffffffb500	140737488336128
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffb2c0	140737488335552
r11	0x7ffff6c27ee0	140737333329632
r12	0x7ffff699e280	140737330668160
r13	0x7ffff699e328	140737330668328
r14	0x10	16
r15	0x7fffffffba90	140737488337552
rip	0x6c9169 <js::jit::IonBuilder::storeUnboxedValue(js::jit::MDefinition*, js::jit::MDefinition*, int, js::jit::MDefinition*, JSValueType, js::jit::MDefinition*, bool)+121>
=> 0x6c9169 <js::jit::IonBuilder::storeUnboxedValue(js::jit::MDefinition*, js::jit::MDefinition*, int, js::jit::MDefinition*, JSValueType, js::jit::MDefinition*, bool)+121>:	movl   $0x3114,0x0
   0x6c9174 <js::jit::IonBuilder::storeUnboxedValue(js::jit::MDefinition*, js::jit::MDefinition*, int, js::jit::MDefinition*, JSValueType, js::jit::MDefinition*, bool)+132>:	callq  0x4aa040 <abort()>


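Added example, not part of this bug or of the SpiderMonkey tree: a small Python parser for the gdb backtrace format shown in the report above, producing an address-independent crash signature of the kind fuzzing triage tooling uses to bucket duplicate reports. The sample input is a shortened copy of the frames from the backtrace above (constructed for the example, with the argument lists trimmed); the regex, the `Frame` class and the helper names are the example's own and not anything from the Mozilla codebase.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few frames copied from the gdb output in this bug,
# argument lists shortened. The unnumbered "current frame" line, the
# elision marker "[...]", the address-less inlined frame (#17) and the
# unsymbolized "?? ()" frames (JIT-generated code) are kept on purpose so
# the parser has to cope with each of them.
SAMPLE_BACKTRACE = """\
Program received signal SIGSEGV, Segmentation fault.
0x00000000006c9169 in js::jit::IonBuilder::storeUnboxedValue (this=this@entry=0x7fffffffba90, preBarrier=preBarrier@entry=true) at js/src/jit/IonBuilder.cpp:12562
#0  0x00000000006c9169 in js::jit::IonBuilder::storeUnboxedValue (this=this@entry=0x7fffffffba90, preBarrier=preBarrier@entry=true) at js/src/jit/IonBuilder.cpp:12562
#1  0x00000000006c9845 in js::jit::IonBuilder::storeUnboxedProperty (this=this@entry=0x7fffffffba90, offset=<optimized out>) at js/src/jit/IonBuilder.cpp:12528
#2  0x00000000006ef714 in js::jit::IonBuilder::setPropTryInlineAccess (this=this@entry=0x7fffffffba90, emitted=emitted@entry=0x7fffffffb750) at js/src/jit/IonBuilder.cpp:12685
#3  0x0000000000700bdd in js::jit::IonBuilder::jsop_setprop (this=this@entry=0x7fffffffba90, name=0x7ffff7e00b68) at js/src/jit/IonBuilder.cpp:12229
#16 0x00000000006af3a2 in BaselineCanEnterAtBranch (pc=0x7ffff518e839 "\u305a", osrFrame=0x7fffffffcc28, script=..., cx=0x7ffff6908800) at js/src/jit/Ion.cpp:2562
#17 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6908800, frame=frame@entry=0x7fffffffcc28) at js/src/jit/Ion.cpp:2620
#19 0x00007ffff7ff2679 in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
"""


@dataclass
class Frame:
    index: int
    address: Optional[int]   # None for frames gdb prints without an address
    function: str            # "??" when gdb has no symbol for the frame
    file: Optional[str]
    line: Optional[int]

    @property
    def symbolized(self) -> bool:
        return self.function != "??"


# One gdb "#N [0xADDR in] func (args) [at file:line]" frame line.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+"
    r"(?:(?P<addr>0x[0-9a-fA-F]+) in )?"
    r"(?P<func>.+?) \((?P<args>.*)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?\s*$"
)


def parse_backtrace(text: str) -> List[Frame]:
    """Return the numbered frames; every other line (signal banner, the
    duplicated current-frame line, '[...]', register dump) is skipped."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append(Frame(
            index=int(m["idx"]),
            address=int(m["addr"], 16) if m["addr"] else None,
            function=m["func"],
            file=m["file"],
            line=int(m["line"]) if m["line"] else None,
        ))
    return frames


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Join the top `depth` symbolized function names. Addresses and line
    numbers are left out so the signature survives rebuilds and ASLR."""
    names = [f.function for f in frames if f.symbolized][:depth]
    return " | ".join(names)


def signal_name(text: str) -> Optional[str]:
    """Extract the signal from gdb's 'Program received signal ...' banner."""
    m = re.search(r"Program received signal (\w+)", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    parsed = parse_backtrace(SAMPLE_BACKTRACE)
    print(signal_name(SAMPLE_BACKTRACE), "in", crash_signature(parsed))
    print("faulting location:", parsed[0].file, parsed[0].line)
```

Bucketing on the top symbolized frames is what lets a triage pipeline recognise this report as the same crash as other stacks ending in `storeUnboxedValue` regardless of build-specific addresses; the unsymbolized trailing frames are the JIT code that called back into the compiler and carry no signature value.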
Marking s-s as these types of asserts can indicate sec-high/critical issues.
Component: JavaScript Engine → JavaScript Engine: JIT
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160227063626" and the hash "4cba1f83f797b5cf6013a47683eff3f66e7d139b".
The "bad" changeset has the timestamp "20160227083326" and the hash "62b2390a22b28cda8000e5a1524ab96104361900".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4cba1f83f797b5cf6013a47683eff3f66e7d139b&tochange=62b2390a22b28cda8000e5a1524ab96104361900
Not sure if the regression window in comment 1 is accurate, so setting needinfo? from Jan as a start.
Flags: needinfo?(jdemooij)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/bd00e87978b2
user:        Jan de Mooij
date:        Sat Feb 27 17:32:44 2016 +0100
summary:     Bug 1216130 part 2 - Add test. r=bhackett

Seems like this changeset added the assert.
Attached patch Patch
Usually this assert holds because of the checks we do in PropertyWriteNeedsTypeBarrier.

Here, though, we get the ObjectGroup from the Baseline IC so we don't check it in PropertyWriteNeedsTypeBarrier.

This patch just disables this path if the group is one that can't actually show up at runtime - I think that's a nice check to have for other reasons as well, so I also added it to the getprop path.

I think this is just a bogus assert - the group guard will always fail so the correctness bug the assert is guarding against is not really an issue.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8742923 - Flags: review?(bhackett1024)
Group: javascript-core-security
Keywords: sec-high
Attachment #8742923 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/5d3ac1da48e0
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48