Crash [@ js::MapGCThingTyped] or Assertion failure: Infallible unbox type mismatch, at js/src/jit/MacroAssembler.cpp:2034

RESOLVED FIXED in Firefox 67

Status: RESOLVED FIXED (type: defect, priority: --, severity: critical)
Reported: 5 months ago; Modified: 5 months ago

People: Reporter: gkw, Assigned: wingo

Tracking: Blocks 2 bugs, 5 keywords
Version: Trunk; Target Milestone: mozilla67
Platform: x86_64 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox-esr60 unaffected, firefox65 unaffected, firefox66 unaffected, firefox67 fixed
Whiteboard: [jsbugmon:update]

Attachments: 3 attachments

The following testcase crashes on mozilla-central revision 6a3edc353ef2 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/postfix-increment/bigint.js
x = 0n;
// jsfunfuzz-generated
function f(x) {
    if (x) {
      x = 0;
    }
    else {
      x = 0;
    }
}
y = [1, x];
for (let j = 0; j < 2; ++j) {
    for (let k = 0; k < 2; ++k) {
        f(y[j]);
    }
}

Backtrace:

#0 0x000029eca35cd883 in ?? ()
#1 0x000029eca34a5ac4 in ?? ()
#2 0x0000000000001043 in ?? ()
#3 0x00003e6c435b2a62 in ?? ()
#4 0x0000000000000000 in ?? ()
/snip

For detailed crash information, see attachment.

Unboxing type mismatch sounds dangerous, setting s-s as a start.

Blocks: 1100132

Other unreduced forms seem to also crash [@ js::MapGCThingTyped]

STACK_TEXT:
000000b9`d55fa1d0 00007ff6`5f56394d : 0000023f`4f640890 000000b9`d55fb3f0 000000b9`d55fa598 00007ff6`5f7cce9f : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::MapGCThingTyped<`lambda at C:/Users/fuzz1/trees/mozilla-central/js/src/gc/Marking.cpp:2740:43'>+0x9e
000000b9`d55fa230 00007ff6`5f5b67b4 : 00000000`00000000 00007ff6`5f331067 000000b9`d55fadb0 0000023f`4f01cec0 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::TraceEdgeInternal<JS::Value>+0x6d
000000b9`d55fa290 00007ff6`5f580d29 : 0004b873`bc6a8168 000000b9`d55fa4a0 000000b9`d55fa468 00007ff6`5f568701 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::jit::TraceJitActivations+0x604
000000b9`d55fa420 00007ff6`5f57d2e1 : 00000000`00034008 00000135`5d1dcd70 0000023f`4efa1aa0 00001bc2`d516d410 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::GCRuntime::traceRuntimeCommon+0x59
000000b9`d55fa4f0 00007ff6`5f57c8c7 : 00000000`0000020a 00000000`0000020b 00000000`0000020c 00007ff6`5f5b35be : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::GCRuntime::traceRuntimeForMinorGC+0x31
000000b9`d55fa530 00007ff6`5f57b7a8 : 00000000`00000720 00000000`00000730 0000023f`4ef806c8 000000b9`d55fa6a0 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::Nursery::doCollection+0x547
000000b9`d55fa680 00007ff6`5f55e02c : 45300000`43300000 00000000`00000000 43300000`00000000 45300000`00000000 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::Nursery::collect+0x318
000000b9`d55fa8a0 00007ff6`5f55da23 : 000000b9`d55fb358 000000b9`00000006 00000000`00000000 00000000`00000000 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::GCRuntime::minorGC+0x14c
000000b9`d55fa910 00007ff6`5f55e7ab : 000000b9`00000000 00000000`00000000 0000023f`00000002 0000023f`4f5a8434 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::GCRuntime::gcCycle+0x403
000000b9`d55faa40 00007ff6`5f54181b : 0000023f`5162e010 0000023f`4f5a8fb7 0000023f`4f5a9112 0000023f`4f150fc0 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::GCRuntime::collect+0x14b
000000b9`d55faaf0 00007ff6`5f541400 : 0000023f`4efabff0 00007ff6`5f3d4492 00000000`00000002 00000001`00000001 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::GCRuntime::runDebugGC+0x36b
000000b9`d55fabf0 00007ff6`5f56bbdb : 0000023f`4efac030 00007ff8`b59b9b56 00000000`00000000 00000000`00000057 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::gc::GCRuntime::gcIfNeededAtAllocation+0x50
000000b9`d55fac60 00007ff6`5f3d46b1 : 0000023f`4efabff0 00000000`00000000 00000000`00000001 00007ff8`b59b9b56 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::AllocateString<JSString,js::CanGC>+0x5b
000000b9`d55faca0 00007ff6`5f4523b7 : 00000000`00000012 00007ff6`5fa68458 0000023f`4f63c440 0000023f`4f63c455 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::NewStringCopyNDontDeflate<js::CanGC,unsigned char>+0x381
000000b9`d55fad20 00007ff6`5f47c314 : 00000000`00000210 00000000`00000211 00000000`00000003 000000b9`d55fafd0 : js_64_profDisabled_clang_windows_amd64_952b928f1605!JS_NewStringCopyZ+0x27
000000b9`d55fad60 00007ff6`5f2b815a : 00000000`00000000 00000000`00000007 0000023f`00000000 0000023f`4efa0000 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::ErrorToException+0x114
000000b9`d55fae80 00007ff6`5f444842 : 0000023f`4efac058 000000b9`d55fb5f0 fffb116a`f5822d20 0000116a`f5822d28 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::ReportErrorNumberVA+0x13a
000000b9`d55faf60 00007ff6`5f2b84d6 : 00001bc2`d516dfc0 0000023f`4efabff0 00007ff6`5fa63c58 000000b9`d55fb150 : js_64_profDisabled_clang_windows_amd64_952b928f1605!JS_ReportErrorNumberUTF8+0x42
000000b9`d55fafb0 00007ff6`5f175346 : 000000b9`d55fb380 0000023f`4efac058 000000b9`d55fb150 000000b9`d55fb130 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::ReportIsNotDefined+0x76
000000b9`d55fb010 00007ff6`5f5b11f0 : 0000144c`00000000 0000023f`4f150000 00001bc2`d516c040 000000b9`d55fb288 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::FetchName<js::GetNameMode::Normal>+0x196
000000b9`d55fb0b0 00000060`fbd146b6 : 00000000`00000000 00000000`00000000 00001bc2`d516c230 fffe116a`f58732b0 : js_64_profDisabled_clang_windows_amd64_952b928f1605!js::jit::IonGetNameIC::update+0x320
Summary: Assertion failure: Infallible unbox type mismatch, at js/src/jit/MacroAssembler.cpp:2034 → Crash [@ js::MapGCThingTyped] or Assertion failure: Infallible unbox type mismatch, at js/src/jit/MacroAssembler.cpp:2034

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4b74d76e55a8
user: Andy Wingo
date: Wed Feb 06 13:41:56 2019 +0000
summary: Bug 1522436 - Enable BigInt compilation by default r=jandem,terpri,froydnj

Andy, is bug 1522436 a likely regressor? (If it is, BigInt isn't in the testcase, so is m-c still affected?)

Blocks: 1522436
Flags: needinfo?(wingo)

Hi, thanks for the report, I'll take this one. I think m-c is indeed affected. Will let you know what I find.

Assignee: nobody → wingo
Flags: needinfo?(wingo)

On looking again I see that there is a BigInt in the test case -- the x = 0n in the beginning.

BigInt increment/decrement is still missing a couple of things to work; see bug 1501105 comment 6, which I'm working on. I didn't expect this crash but it's not inconceivable.

I think we should clear the s-s flag and make this bug block bug 1501105 and fix with normal priority (i.e. as the bigint ++/-- stuff lands). WDYT?

Flags: needinfo?(nth10sd)

Agreed.

Blocks: 1501105
No longer blocks: 1522436
Group: javascript-core-security
Flags: needinfo?(nth10sd)

Actually this one isn't related to inc/dec :/ the bigint in this case is just stored in an array. Still investigating. I still think it's not security-sensitive though as you need the bigint to hit it.

The bug doesn't show up if inlining is off, with the test above. But it does if I manually inline. Here's a further reduced test case:

for (let j = 0; j < 2; ++j) {
    let z = j ? 0n : 1;
    if (z) {
        z = 0;
    } else {
        z = 0;
    }
}

Run as --no-threads --ion-eager.

As you can see in the image, somehow Ion has decided that it can do an infallible unbox. I think it's because of this comment in IonBuilder:

  // By default MTest tests ToBoolean(input). As a result in the true branch we
  // can filter undefined and null. In false branch we can only encounter
  // undefined, null, false, 0, "" and objects that emulate undefined.

But, there is now one more false value: 0n. Will work on the fix!
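The IonBuilder comment quoted above is a soundness claim: after `if (z)` fails, the compiler assumes `z` can only be one of undefined, null, false, 0, "" or an undefined-emulating object, and drops BigInt from the set of possible types, which is what lets it emit an unbox with no runtime type check. The reduced test case feeds 0n through exactly that path. The following is an added example, not code from this bug or from SpiderMonkey: it models that type filtering in plain JavaScript (the `filterTypesOnTest` and `findUnsoundness` helpers and the `bigintFalsyAware` switch are invented for illustration) and checks the model against the values the engine actually sees, so the unsound case shows up as a value landing in a branch whose type set does not admit it.

```javascript
// Values ToBoolean maps to false. 0n is the one the pre-fix filter forgot.
// (Constructed sample set for this example.)
const FALSY_SAMPLES = [undefined, null, false, 0, -0, NaN, "", 0n];

// Coarse type bucket for a value, standing in for a MIRType.
function typeTag(v) {
  if (v === null) return "null";
  return typeof v;
}

// Model of the ToBoolean-based type filtering described in the IonBuilder
// comment. `types` is the set of type tags the tested value may have.
// The true branch only rules out undefined and null; the false branch keeps
// the types that have a falsy member. With bigintFalsyAware=false the
// "bigint" tag is dropped from the false branch, which is the pre-fix
// behaviour; with true it is kept, matching the landed fix.
function filterTypesOnTest(types, { bigintFalsyAware }) {
  const trueBranch = new Set(types);
  trueBranch.delete("undefined");
  trueBranch.delete("null");

  const falseBranch = new Set();
  for (const t of types) {
    if (["undefined", "null", "boolean", "number", "string", "object"].includes(t)) {
      falseBranch.add(t); // each of these has at least one falsy value
    } else if (t === "bigint" && bigintFalsyAware) {
      falseBranch.add(t); // 0n is falsy too
    }
    // "symbol" and "function" are always truthy, so they never reach the
    // false branch and are correctly excluded from it.
  }
  return { trueBranch, falseBranch };
}

// Run every sample through a real `if (v)` and check that the branch taken
// is one the model permits for that sample's type. A violation is a value
// for which the compiler would have emitted an unbox assuming a type the
// value does not have, i.e. the "infallible unbox type mismatch".
function findUnsoundness(samples, opts) {
  const types = new Set(samples.map(typeTag));
  const { trueBranch, falseBranch } = filterTypesOnTest(types, opts);
  const violations = [];
  for (const v of samples) {
    const t = typeTag(v);
    const permitted = v ? trueBranch : falseBranch;
    if (!permitted.has(t)) violations.push({ value: v, type: t });
  }
  return violations;
}

// Mirror of the reduced test case: z is either 0n or 1, then tested.
console.log("pre-fix model:", findUnsoundness([1, 0n], { bigintFalsyAware: false }));
console.log("fixed model:  ", findUnsoundness([1, 0n], { bigintFalsyAware: true }));
```

With `bigintFalsyAware: false` the only violation is 0n with type "bigint": the value reaches the false branch, but the model, like the pre-fix IonBuilder, believes nothing of type bigint can get there. In the engine that belief is what removed the type guard; the assertion in the debug build catches the mismatch at the unbox, and the release-build crash under js::MapGCThingTyped in the stack above is consistent with the nursery GC later tracing the mis-typed Value left behind in the Ion frame. The fix in autoland rev 0ca63f8a449c is the `bigintFalsyAware: true` side of this model: BigInt stays in the false branch's type set, so the unbox is no longer infallible.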

The

Keywords: checkin-needed

Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0ca63f8a449c
Adapt ToBoolean Ion type inference for false BigInt values r=jandem

Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67