Closed Bug 1494159 Opened 6 years ago Closed 6 years ago

Assertion failure: offThreadStatus_.isOk(), at js/src/jit/MIRGenerator.h:88

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: gkw, Assigned: tcampbell)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 2e3e89c9c68c (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis):

f = function() {};
Math.clz32;
Math.pow;
Math.imul;
f = Math.max;
Math.round;
function g() {
    Math.fround;
}
for (var j = 0; j < 99; ++j) {
    g();
}
function h(x, y) {
    return +
        +
        +
        +
        +(+c(y) < Math.imul(Math.fround(+Math.l(y)),
            Math.fround(Math.max(f(x | 0, 8), -x < +x | 0) >> 0))) ? +(+
            +(Math.round(x | 0) ^ +Math.fround(Math.a(Math.h(y)) >>
            Math.max(Math.s(y) >> 0, x >> 0) >> 0)) ==
            Math.clz32(- +f(Math.round) >> 0)) :
            + -(Math.s(f(Math.pow(y, Math.fround(y)), y)) >> 0)
}
oomTest(h, {
    keepFailing: true
})

Backtrace:

#0  0x0000562eebc451c7 in js::jit::MIRGenerator::setOffThreadStatus (this=<optimized out>, result=...) at js/src/jit/MIRGenerator.h:88
#1  js::jit::LIRGeneratorShared::abort (this=0x7fff3f29df48, r=js::jit::AbortReason::Alloc, message=<optimized out>) at js/src/jit/shared/Lowering-shared.h:59
#2  0x0000562eebbe7986 in js::jit::LIRGenerator::visitTruncateToInt32 (this=0x7fff3f29df48, truncate=0x7f18734b8710) at js/src/jit/Lowering.cpp:2312
#3  0x0000562eebbfef5c in js::jit::LIRGenerator::visitInstruction (this=0x7fff3f29df48, ins=0x7f18734b8710) at js/src/jit/Lowering.cpp:5210
#4  0x0000562eebbff77f in js::jit::LIRGenerator::visitBlock (this=0x7fff3f29df48, block=0x7f18734a2a40) at js/src/jit/Lowering.cpp:5300
/snip

For detailed crash information, see attachment.

Setting s-s to be safe since this involves MIR/allocation, but then again oomTest is involved, nonetheless letting our js gurus figure this out.
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e5c0d34d8fdf
user:        Jon Coppeard
date:        Wed Sep 12 14:58:05 2018 +0100
summary:     Bug 1490390 - Add an option to make oomTest keep failing after the initial simulated failure r=nbp

Jon, this presumably only caused the issue to show up. Or Ted, you might want to poke at this too.
Flags: needinfo?(tcampbell)
Flags: needinfo?(jcoppeard)
Recent updates to jsfunfuzz found this:

https://github.com/MozillaSecurity/funfuzz/pull/211

(keepFailing is now accepted in oomTest)
Looking. It is seeming like we are continuing too far after reporting an error.
Assignee: nobody → tcampbell
Flags: needinfo?(tcampbell)
Flags: needinfo?(jcoppeard)
We can hit LIRGenerator::abort(AbortReason::Alloc) multiple times before [1] finally checks it. The MIRGenerator (M!) doesn't like this and trips a benign assert. The assert is still very useful to catch logic errors, but in this case we should prevent LIRGenerator from reporting more than once. There is no problem in release so this isn't s-s.

[1] https://searchfox.org/mozilla-central/rev/881a3c5664ede5e08ee986d76433bc5c4b5680e6/js/src/jit/Lowering.cpp#5230
Group: javascript-core-security
Error handling for LIRGenerator lets us defer handling until the end of
the instruction but this can result in tripping some sanity checks. Only
report the first error up to caller.
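The failure mode in comment 2 and the fix described above, as an added example that is not SpiderMonkey code: a simplified model of deferred error reporting between a lowering pass and its generator. The class names (LIRGenerator, MIRGenerator, AbortReason) mirror the real ones, but the members, the Allocator stand-in for oomTest({keepFailing: true}) and the lowering logic are hypothetical. The generator's assertion is modelled as a counter so that the double report can be observed instead of aborting the process; in the unfixed path the second abort() trips it, in the fixed path only the first error is forwarded.

```cpp
// Added example (hypothetical, not the real jit/ code): deferred error
// reporting where a lowering pass may call abort() several times before the
// per-instruction check looks at the status.
#include <iostream>
#include <string>
#include <utility>

enum class AbortReason { NoAbort, Alloc, Disable, Error };

struct Status {
    bool ok = true;
    AbortReason reason = AbortReason::NoAbort;
    std::string message;
};

class MIRGenerator {
public:
    // The real setOffThreadStatus asserts the status is still OK before
    // recording a failure; here a second report increments a counter instead.
    void setOffThreadStatus(AbortReason reason, std::string message) {
        if (!status_.ok) {
            ++assertionTrips_;        // would be the assertion failure in the report
            return;
        }
        status_ = Status{false, reason, std::move(message)};
    }
    const Status& status() const { return status_; }
    int assertionTrips() const { return assertionTrips_; }
private:
    Status status_;
    int assertionTrips_ = 0;
};

// Stand-in for oomTest({keepFailing: true}): once allocation fails, every
// later allocation fails as well.
struct Allocator {
    bool failing = false;
    bool allocate() { return !failing; }
};

class LIRGenerator {
public:
    LIRGenerator(MIRGenerator& gen, Allocator& alloc, bool reportOnlyFirst)
        : gen_(gen), alloc_(alloc), reportOnlyFirst_(reportOnlyFirst) {}

    // Errors are deferred: lowering keeps going after the first failure, so
    // abort() can run more than once before visitInstruction() checks errored_.
    void abort(AbortReason reason, const char* message) {
        if (reportOnlyFirst_ && errored_) {
            return;                   // the fix: forward only the first error
        }
        errored_ = true;
        gen_.setOffThreadStatus(reason, message);
    }

    // Stand-in for visitTruncateToInt32: two allocations, each reported on failure.
    void visitTruncateToInt32() {
        if (!alloc_.allocate()) abort(AbortReason::Alloc, "first LIR allocation");
        if (!alloc_.allocate()) abort(AbortReason::Alloc, "second LIR allocation");
    }

    // The deferred per-instruction check that finally notices the error.
    bool visitInstruction() {
        visitTruncateToInt32();
        return !errored_;
    }
private:
    MIRGenerator& gen_;
    Allocator& alloc_;
    bool reportOnlyFirst_;
    bool errored_ = false;
};

struct Outcome {
    bool lowered;          // did visitInstruction() succeed
    AbortReason reason;    // what the generator recorded
    int assertionTrips;    // how often the generator's sanity check would fire
};

// Lowers one instruction under simulated keep-failing OOM.
Outcome lowerUnderOOM(bool reportOnlyFirst) {
    MIRGenerator gen;
    Allocator alloc;
    alloc.failing = true;
    LIRGenerator lir(gen, alloc, reportOnlyFirst);
    bool lowered = lir.visitInstruction();
    return Outcome{lowered, gen.status().reason, gen.assertionTrips()};
}

int main() {
    Outcome before = lowerUnderOOM(false);
    Outcome after = lowerUnderOOM(true);
    std::cout << "unfixed: assertion trips = " << before.assertionTrips << "\n";
    std::cout << "fixed:   assertion trips = " << after.assertionTrips << "\n";
    return 0;
}
```

Both variants end with the instruction failing to lower and AbortReason::Alloc recorded, which is why release builds were unaffected; only the sanity check on the second report differs.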
Comment on attachment 9012333 [details]
Bug 1494159 - Allow LIR to throw multiple errors

Jan de Mooij [:jandem] has approved the revision.
Attachment #9012333 - Flags: review+
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/23fc16cdf093
Allow LIR to throw multiple errors r=jandem
https://hg.mozilla.org/mozilla-central/rev/23fc16cdf093
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64