Closed Bug 1315634 Opened 8 years ago Closed 8 years ago

Assertion failure: resumePointsEmpty(), at js/src/jit/MIRGraph.cpp:998

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
firefox52 --- verified

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, sec-other, testcase, Whiteboard: [jsbugmon:update][adv-main52-])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 908557c762f7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --baseline-eager):

setJitCompilerOption('ion.forceinlineCaches', 1);
function g(f, x) {
    for (var j = 0; j < 3; ++j)
        for (var k = 0; k < 21; ++k)
            try {
                f(x[k]);
            } catch (e) {}
}
a0 = y = [];
function f2() {
    f1()
};
function f1() {
    switch (abs(abs(3187503207)(134217728) | 0) | 0) {
        case -2:
            this.y.splice(NaN, 2, x({}) = 4277)
    }
    return
    4006901336 | 0
}
g(f1, []);
g(f2, []);
f1 = (function() {
    function f() {
        a0.splice(NaN, 0);
    }
    return f;
})();
g(f2, []);


Backtrace:

0   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001039ee459 js::jit::MIRGraph::removeBlock(js::jit::MBasicBlock*) + 745 (MIRGraph.cpp:998)
1   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001039f6b1a js::jit::MBasicBlock::BackupPoint::restore() + 650 (InlineList.h:425)
2   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001038f1d19 js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*) + 1801 (IonBuilder.cpp:5255)
3   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001038f4cbc js::jit::IonBuilder::inlineCalls(js::jit::CallInfo&, mozilla::Vector<JSObject*, 4ul, js::jit::JitAllocPolicy> const&, mozilla::Vector<bool, 4ul, js::jit::JitAllocPolicy>&, js::jit::MGetPropertyCache*) + 3308 (IonBuilder.cpp:6073)
/snip

For detailed crash information, see attachment.

Setting s-s as a start because MIR seems involved.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/47e4fb57325d
user:        Nicolas B. Pierron
date:        Fri Oct 28 12:45:31 2016 +0000
summary:     Bug 1303399 part 2 - IonMonkey: Fallback when we fail to inline an uninlinable function. r=h4writer

Nicolas, is bug 1303399 a likely regressor?
Blocks: 1303399
Flags: needinfo?(nicolas.b.pierron)
Ok, looking into this, for the moment this does not sound like a security issue, but only a sanity issue, as we create extra resume points when we attempt to inline, which are made to fall back to before the GetPropertyCache which is loading the JSFunction's target.

I already faced this issue a while back when adding this assertion.  I will try to come up with a patch tomorrow.
Idempotent MGetPropertyCache gets a resume point attached, which is used as a
fallback for targets that we cannot inline.  This resume point is already
being discarded by MWrapMGetPropertyCache when it is not needed after the
end of the inlining.

This patch also removes this resume point if we fail sooner than the
MWrapMGetPropertyCache, or if getInlineableGetPropertyCache fails to return
the last MGetPropertyCache.
Attachment #8808701 - Flags: review?(hv1989)
Attachment #8808701 - Flags: review?(hv1989) → review+
Nicolas is in PTO till Monday. In order to still get this in without uplift, I pushed it.
https://hg.mozilla.org/integration/mozilla-inbound/rev/3930bf2158788bc3681992d61cc0d26614c8b388
Flags: needinfo?(nicolas.b.pierron)
Marking sec-other per comment 3.
Keywords: sec-other
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main52-]
Group: core-security-release
Keywords: bugmon
