Closed Bug 1334356 Opened 7 years ago Closed 7 years ago

Crash [@ js::jit::IonCannon] or Assertion failure: Should have monitored undefined result, at js/src/jit/MacroAssembler.cpp:1597

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
macOS
defect

RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision d92fd6b6d6bf (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
setJitCompilerOption('ion.forceinlineCaches', 1);
try {
    Object.defineProperty(this, "x", {
        get: function () {
            Array.prototype.slice;
        }
    });
    // Adapted from randomly chosen test: js/src/tests/js1_8_1/extensions/strict-warning.js
    options('strict');
    options('werror');
    // jsfunfuzz-generated
    x.u;
} catch (e) {}
try {
    delete Array.prototype.slice;
    x;
} catch (e) {}
x;

Backtrace:

0   ???                           	0x000000010679ee0e 0 + 4403621390
1   js-dbg-64-dm-clang-darwin-d92fd6b6d6bf	0x00000001045998da js::jit::IonCannon(JSContext*, js::RunState&) + 874 (Ion.cpp:2901)
2   js-dbg-64-dm-clang-darwin-d92fd6b6d6bf	0x000000010442e4da js::RunScript(JSContext*, js::RunState&) + 378 (Interpreter.cpp:386)
3   js-dbg-64-dm-clang-darwin-d92fd6b6d6bf	0x000000010443eb0c js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 604 (Interpreter.cpp:478)
4   js-dbg-64-dm-clang-darwin-d92fd6b6d6bf	0x000000010443fb0a js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 154 (Interpreter.cpp:524)
/snip

For detailed crash information, see attachment.

Setting s-s because the assert sounds scary, and deletion of Arrays is involved.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/547a8c1acff1
user:        Jan de Mooij
date:        Fri Dec 23 08:34:03 2016 +0100
summary:     Bug 1322093 part 19 - Enable the new IonGetPropertyIC that's based on CacheIR. r=h4writer

Jan, is bug 1322093 a likely regressor?
Blocks: 1322093
Flags: needinfo?(jdemooij)
The testcase also crashes at a weird memory address with js::jit::IonCannon on the stack, on opt builds. Assuming sec-critical.
Crash Signature: [@ js::jit::IonCannon]
Keywords: sec-critical
Summary: Assertion failure: Should have monitored undefined result, at js/src/jit/MacroAssembler.cpp:1597 → Crash [@ js::jit::IonCannon] or Assertion failure: Should have monitored undefined result, at js/src/jit/MacroAssembler.cpp:1597
Attached file Opt stack
The program counter seems to be loading an arbitrary address 0x1031c4cd0 into the instruction pointer.
At least Fx53 is also affected, not sure about earlier branches.
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Keywords: sec-critical
Attached patch Patch
Funny bug. When both the extra-warnings + warnings-as-errors options are enabled, we may throw an exception instead of returning undefined when a property is missing, so we shouldn't attach a missing-property stub.

Probably a pre-existing bug, or at least it was a correctness issue.

Not s-s in any way because both of these options are disabled by default.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8831137 - Flags: review?(hv1989)
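The inline-cache interaction described in the comment above, as an added toy model in JavaScript (not SpiderMonkey code; the class, the shape helper, the option object and the outcome strings are invented for illustration): a missing-property stub attached before a slow-path read that then throws under strict+werror leaves `undefined` unmonitored, so the next hit trips the monitor check, while the patched rule simply skips the stub.

```javascript
// Toy model (added here; not SpiderMonkey code): a "shape" is just the
// sorted own-property list, so a stub can guard on it like the real one.
const shapeOf = (obj) => Object.keys(obj).sort().join(",");

// VM semantics of a property read under the shell's options: a missing
// property yields undefined, except that extra warnings + werror throw.
function vmGetProperty(obj, name, opts) {
  if (name in obj) return obj[name];
  if (opts.strict && opts.werror)
    throw new TypeError(`reference to undefined property ${name}`);
  return undefined;
}

class GetPropertyIC {
  // fixed=false reproduces the bug; fixed=true applies the patch's rule.
  constructor(name, opts, fixed) {
    this.name = name; this.opts = opts; this.fixed = fixed;
    this.stubs = [];            // { shape, result }
    this.monitored = new Set(); // result types the slow path has produced
  }
  get(obj) {
    for (const s of this.stubs) {
      if (s.shape !== shapeOf(obj)) continue;
      // Modelled on the debug assertion in the bug title: a stub may only
      // produce a type that monitoring has already recorded for this site.
      if (!this.monitored.has(typeof s.result))
        throw new Error(`Should have monitored ${typeof s.result} result`);
      return s.result;
    }
    // Slow path. The stub is attached *before* the VM call, as in the real
    // IC, so when the call throws nothing gets monitored for this site.
    const extraWarnings = this.opts.strict && this.opts.werror;
    if (!(this.name in obj) && !(this.fixed && extraWarnings))
      this.stubs.push({ shape: shapeOf(obj), result: undefined });
    const v = vmGetProperty(obj, this.name, this.opts);
    this.monitored.add(typeof v);
    return v;
  }
}

// Read `slice` twice from an object that lacks it (a stand-in for
// Array.prototype after the delete) and report what the second read did.
function secondReadOutcome(fixed, opts = { strict: true, werror: true }) {
  const ic = new GetPropertyIC("slice", opts, fixed);
  const proto = {}; let outcome = "";
  for (let i = 0; i < 2; i++) {
    try { ic.get(proto); outcome = "returned undefined"; }
    catch (e) { outcome = e.message; }
  }
  return outcome;
}
```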
Comment on attachment 8831137 [details] [diff] [review]
Patch

Review of attachment 8831137 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch
Attachment #8831137 - Flags: review?(hv1989) → review+
Crash volume for signature 'js::jit::IonCannon':
 - nightly (version 54): 0 crashes from 2017-01-23.
 - aurora  (version 53): 0 crashes from 2017-01-23.
 - beta    (version 52): 1 crash from 2017-01-23.
 - release (version 51): 236 crashes from 2017-01-16.
 - esr     (version 45): 1349 crashes from 2016-08-03.

Crash volume on the last weeks (Week N is from 01-30 to 02-05):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0
 - aurora        0
 - beta          1
 - release     115       0
 - esr          76      69      65      71      48      73      63

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly
 - aurora
 - beta
 - release #235      #82
 - esr     #217
The Release Management Bot setting status flags is the worst. These crashes are totally unrelated to this mostly-shell-only bug.
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2c7238d4ab0a
Don't attach a missing-property stub if extra warnings are enabled. r=h4writer
https://hg.mozilla.org/mozilla-central/rev/2c7238d4ab0a
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54