Assertion failure: resumePointsEmpty(), at js/src/jit/MIRGraph.cpp:998

Status: VERIFIED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 3 years ago
Modified: 2 years ago

People: Reporter: gkw, Unassigned

Tracking: Blocks 1 bug, 4 keywords
Version: Trunk
Hardware: x86_64, macOS

Firefox Tracking Flags: firefox52 verified

Whiteboard: [jsbugmon:update][adv-main52-]

Attachments: 2 attachments

Description (Reporter, 3 years ago)
The following testcase crashes on mozilla-central revision 908557c762f7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --baseline-eager):

setJitCompilerOption('ion.forceinlineCaches', 1);
function g(f, x) {
    for (var j = 0; j < 3; ++j)
        for (var k = 0; k < 21; ++k)
            try {
                f(x[k]);
            } catch (e) {}
}
a0 = y = [];
function f2() {
    f1()
};
function f1() {
    switch (abs(abs(3187503207)(134217728) | 0) | 0) {
        case -2:
            this.y.splice(NaN, 2, x({}) = 4277)
    }
    return
    4006901336 | 0
}
g(f1, []);
g(f2, []);
f1 = (function() {
    function f() {
        a0.splice(NaN, 0);
    }
    return f;
})();
g(f2, []);
Backtrace:

0   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001039ee459 js::jit::MIRGraph::removeBlock(js::jit::MBasicBlock*) + 745 (MIRGraph.cpp:998)
1   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001039f6b1a js::jit::MBasicBlock::BackupPoint::restore() + 650 (InlineList.h:425)
2   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001038f1d19 js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*) + 1801 (IonBuilder.cpp:5255)
3   js-dbg-64-dm-clang-darwin-908557c762f7	0x00000001038f4cbc js::jit::IonBuilder::inlineCalls(js::jit::CallInfo&, mozilla::Vector<JSObject*, 4ul, js::jit::JitAllocPolicy> const&, mozilla::Vector<bool, 4ul, js::jit::JitAllocPolicy>&, js::jit::MGetPropertyCache*) + 3308 (IonBuilder.cpp:6073)
/snip

For detailed crash information, see attachment.

Setting s-s as a start because MIR seems involved.
Comment 2 (Reporter, 3 years ago)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/47e4fb57325d
user:        Nicolas B. Pierron
date:        Fri Oct 28 12:45:31 2016 +0000
summary:     Bug 1303399 part 2 - IonMonkey: Fallback when we fail to inline an uninlinable function. r=h4writer

Nicolas, is bug 1303399 a likely regressor?
Blocks: 1303399
Flags: needinfo?(nicolas.b.pierron)
Ok, looking into this. For the moment this does not sound like a security issue, but only a sanity issue, as we create extra resume points when we attempt to inline, which are made to fall back to before the GetPropertyCache which is loading the JSFunction's target.

I already faced this issue a while back when adding this assertion. I will try to come up with a patch tomorrow.
Idempotent MGetPropertyCache gets a resume point attached which is used as a fallback for targets that we cannot inline. This resume point is already being discarded by MWrapMGetPropertyCache when it is not needed after the end of the inlining.

This patch also removes this resume point if we fail sooner than the MWrapMGetPropertyCache, or if getInlineableGetPropertyCache fails to return the last MGetPropertyCache.
Attachment #8808701 - Flags: review?(hv1989)
Attachment #8808701 - Flags: review?(hv1989) → review+
Nicolas is on PTO till Monday. In order to still get this in without uplift, I pushed it.
https://hg.mozilla.org/integration/mozilla-inbound/rev/3930bf2158788bc3681992d61cc0d26614c8b388
Flags: needinfo?(nicolas.b.pierron)
Marking sec-other per comment 3.
Keywords: sec-other
https://hg.mozilla.org/mozilla-central/rev/3930bf215878
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Updated (3 years ago)
Status: RESOLVED → VERIFIED

Comment 8 (3 years ago)
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main52-]
Group: core-security-release