1526413 - Crash [@ js::jit::SnapshotIterator::allocationValue] or Hit MOZ_CRASH(Unexpected type) at jit/JitFrames.cpp:1612 with BigInt

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 22ca3a5f976f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-eager):

const zero = BigInt(0);
[zero].includes(zero);

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffffba70, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1612
#0  js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffffba70, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1612
#1  0x0000555555fa0a4a in js::jit::SnapshotIterator::read (this=this@entry=0x7fffffffba70) at js/src/jit/JSJitFrameIter.h:523
#2  0x000055555616df14 in InitFromBailout (invalidate=<optimized out>, excInfo=<optimized out>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., script=..., fun=..., frameNo=0, cx=0x7ffff5f16000) at js/src/jit/BaselineBailouts.cpp:874
#3  js::jit::BailoutIonToBaseline (cx=cx@entry=0x7ffff5f16000, activation=0x7fffffffc0e0, iter=..., invalidate=invalidate@entry=true, bailoutInfo=bailoutInfo@entry=0x7fffffffbdf0, excInfo=excInfo@entry=0x0) at js/src/jit/BaselineBailouts.cpp:1794
#4  0x000055555617092e in js::jit::InvalidationBailout (sp=<optimized out>, frameSizeOut=0x7fffffffbdf8, bailoutInfo=0x7fffffffbdf0) at js/src/jit/Bailouts.cpp:134
#5  0x00002785e2c152ad in ?? ()
#6  0x00007fffffffbe30 in ?? ()
#7  0x00007fffffffbdf0 in ?? ()
#8  0x0000000000000000 in ?? ()
rax	0x555557551160	93825025773920
rbx	0x7fffffffba70	140737488337520
rcx	0x5555565f39ac	93825009662380
rdx	0x5555565f3a30	93825009662512
rsi	0x7fffffffb694	140737488336532
rdi	0x5555565bba96	93825009433238
rbp	0x7fffffffba70	140737488337520
rsp	0x7fffffffb688	140737488336520
r8	0x7fffffffb64c	140737488336460
r9	0x0	0
r10	0x10	16
r11	0x0	0
r12	0x7fffffffb8d0	140737488337104
r13	0x1	1
r14	0x7ffff5f16000	140737319624704
r15	0x7fffffffb940	140737488337216
rip	0x555555f18681 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+769>
=> 0x555555f18681 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+769>:	movl   $0x0,0x0
   0x555555f1868c <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+780>:	ud2

Not s-s as BigInt is still off by default and this looks like a safe crash.

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/4b74d76e55a8
user:        Andy Wingo
date:        Wed Feb 06 13:41:56 2019 +0000
summary:     Bug 1522436 - Enable BigInt compilation by default r=jandem,terpri,froydnj

This iteration took 545.159 seconds to run.

Comment 2

[Andy Wingo [:wingo]]

Attachment: Bug 1526413 - Add support for reading BigInt values from bailout snapshots

Comment 3

[Pulsebot]

Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/autoland/rev/e803c3338809
Add support for reading BigInt values from bailout snapshots r=jandem

Comment 4

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/e803c3338809