Closed Bug 1572051 Opened 5 years ago Closed 5 years ago

Crash [@ JS::Value::isMagic] or Assertion failure: s_.payload_.why_ == why, at dist/include/js/Value.h:669

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision b94a6b06c9b9 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

evaluate(`
  for (var i69=0; i69<60; i69-- ) {
    Array(Math, {});
    bailout();
  }
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
JS::Value::isMagic (why=JS_UNINITIALIZED_LEXICAL, this=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:669
#0  JS::Value::isMagic (why=JS_UNINITIALIZED_LEXICAL, this=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:669
#1  js::WrappedPtrOperations<JS::Value, JS::Handle<JS::Value> >::isMagic (why=JS_UNINITIALIZED_LEXICAL, this=<synthetic pointer>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:1186
#2  js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue (this=<optimized out>, cx=cx@entry=0x7ffff5f22000, frame=frame@entry=0x7fffffffbc80, types=<optimized out>, val=val@entry=...) at js/src/jit/BaselineIC.cpp:1315
#3  0x0000555555e3008a in js::jit::ICMonitoredFallbackStub::addMonitorStubForValue (val=..., types=<optimized out>, frame=0x7fffffffbc80, cx=0x7ffff5f22000, this=0x7ffff4cd4290) at js/src/jit/BaselineIC.cpp:1092
#4  js::jit::TypeMonitorResult (cx=cx@entry=0x7ffff5f22000, stub=0x7ffff4cd4290, frame=frame@entry=0x7fffffffbc80, script=script@entry=..., pc=pc@entry=0x7ffff4dfba1e "R\002", val=val@entry=...) at js/src/jit/BaselineIC.cpp:1102
#5  0x000055555621e598 in js::jit::FinishBailoutToBaseline (bailoutInfoArg=0x0) at js/src/jit/BaselineBailouts.cpp:1887
#6  0x00002b3407de00af in ?? ()
[...]
#19 0x0000000000000000 in ?? ()
rax	0x555557543100	93825025716480
rbx	0x55555662da50	93825009900112
rcx	0x1fff5	131061
rdx	0x7fffffffbc80	140737488338048
rsi	0x7ffff5f22000	140737319673856
rdi	0xfffa80000000000a	-1548112371908598
rbp	0x7ffff5f22000	140737319673856
rsp	0x7fffffffb9d0	140737488337360
r8	0x7fffffffbbc0	140737488337856
r9	0xc9ed80a4890	13876368918672
r10	0x1	1
r11	0x7ffff4721a78	140737294506616
r12	0x7ffff4cd4200	140737300480512
r13	0x7fffffffbbc0	140737488337856
r14	0x7ffff4dfba1e	140737301690910
r15	0x7fffffffbb90	140737488337808
rip	0x555555e2f6d0 <js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue(JSContext*, js::jit::BaselineFrame*, js::StackTypeSet*, JS::Handle<JS::Value>)+1504>
=> 0x555555e2f6d0 <js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue(JSContext*, js::jit::BaselineFrame*, js::StackTypeSet*, JS::Handle<JS::Value>)+1504>:	movl   $0x0,0x0
   0x555555e2f6db <js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue(JSContext*, js::jit::BaselineFrame*, js::StackTypeSet*, JS::Handle<JS::Value>)+1515>:	ud2

This could be the same as bug 1570926 (because it is related to bailouts) but the signatures are very different so filing to make sure we don't miss a bug here.

Jan, can you check if this is a dup? Thanks!

Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)

We did a bailout from Ion with a MagicValue(JS_OPTIMIZED_OUT) on top of the stack, then passed that
value to TypeMonitorResult and asserted in addMonitorStubForValue because we expected a different
kind of magic value.

This patch moves MagicValue handling into TypeMonitorMagicValue and calls it from both places so we
have consistent behavior.

Just fails a (release) assert.
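The patch description above and the release assert it refers to are easier to see in a small model. The following is an added example, not SpiderMonkey code and not the patch from this bug: it models JS::Value as a tagged value whose isMagic(why) overload enforces the invariant behind the assertion in Value.h:669 (the payload's why must match the requested one), and contrasts a call site that asks for one specific magic kind with a shared helper that first tests for any magic value and then dispatches on the reason. The release assert is modelled as a thrown std::logic_error so both behaviours can be exercised; the MonitorAction enum and the function names are hypothetical.

```cpp
// Added example (not SpiderMonkey code): model of the tagged-value invariant
// behind bug 1572051. The release assert in JS::Value::isMagic(why) is
// represented here by a std::logic_error so it can be observed without aborting.
#include <cstdint>
#include <stdexcept>

enum JSWhyMagic { JS_UNINITIALIZED_LEXICAL, JS_OPTIMIZED_OUT, JS_GENERIC_MAGIC };

// Minimal tagged value: either a plain int32 or a magic value with a reason.
class Value {
  bool magic_ = false;
  JSWhyMagic why_ = JS_GENERIC_MAGIC;
  int32_t i32_ = 0;

 public:
  static Value fromInt32(int32_t v) { Value r; r.i32_ = v; return r; }
  static Value magic(JSWhyMagic why) { Value r; r.magic_ = true; r.why_ = why; return r; }

  bool isMagic() const { return magic_; }

  JSWhyMagic whyMagic() const {
    if (!magic_) throw std::logic_error("whyMagic() called on a non-magic value");
    return why_;
  }

  // Mirrors the contract behind Value.h:669: a caller may only ask about a
  // specific 'why' when the value is not magic at all, or is magic for exactly
  // that reason. Any other magic value trips the (release) assert.
  bool isMagic(JSWhyMagic why) const {
    if (magic_ && why_ != why) throw std::logic_error("s_.payload_.why_ == why");
    return magic_;
  }
};

// Hypothetical outcome of monitoring one value (not a real SpiderMonkey type).
enum class MonitorAction { AddStub, SkipUninitializedLexical, SkipOptimizedOut };

// "Before": the bailout path only considered one magic kind. A value that is
// magic for another reason (JS_OPTIMIZED_OUT after an Ion bailout) violates the
// isMagic(why) contract and trips the assert instead of being handled.
MonitorAction monitorResultBefore(const Value& val) {
  if (val.isMagic(JS_UNINITIALIZED_LEXICAL)) return MonitorAction::SkipUninitializedLexical;
  return MonitorAction::AddStub;
}

// "After": one helper owns magic-value handling. It checks for any magic value
// first and only then looks at the reason, so every kind gets a defined action.
MonitorAction typeMonitorMagicValue(const Value& val) {
  switch (val.whyMagic()) {
    case JS_UNINITIALIZED_LEXICAL: return MonitorAction::SkipUninitializedLexical;
    case JS_OPTIMIZED_OUT:         return MonitorAction::SkipOptimizedOut;
    default:                       throw std::logic_error("unexpected magic value");
  }
}

// Both call sites (the fallback stub and the bailout path) route through the
// same helper, which is what gives them consistent behaviour.
MonitorAction monitorResultAfter(const Value& val) {
  if (val.isMagic()) return typeMonitorMagicValue(val);
  return MonitorAction::AddStub;
}

// Reports whether a monitoring call tripped the modelled release assert.
bool tripsAssert(MonitorAction (*fn)(const Value&), const Value& val) {
  try {
    fn(val);
    return false;
  } catch (const std::logic_error&) {
    return true;
  }
}
```

The point of the model is the ordering of checks: isMagic() with no argument is always safe to call, whereas isMagic(why) encodes an expectation about the value, so a call site that reaches it with an unexpected magic kind fails the assert rather than taking a wrong branch. Centralising the dispatch on whyMagic() in one helper is what keeps the two call sites from drifting apart again.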

Group: javascript-core-security

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/58ea17fc315e
user: Jan de Mooij
date: Tue Jul 30 12:08:48 2019 +0000
summary: Bug 1567438 part 1 - Replace the enter-monitor-chain bailout code with type monitoring in C++. r=tcampbell,iain

Guessing bug 1567438 is the regressor here.

Regressed by: 1567438
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bde81f964234
Add TypeMonitorMagicValue and use it in DoTypeMonitorFallback and TypeMonitorResult. r=iain

Bugbug thinks this bug is a defect, but please change it back in case of error.

Type: -- → defect
Priority: -- → P1
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/58ea17fc315e
user:        Jan de Mooij
date:        Tue Jul 30 12:08:48 2019 +0000
summary:     Bug 1567438 part 1 - Replace the enter-monitor-chain bailout code with type monitoring in C++. r=tcampbell,iain

This iteration took 399.181 seconds to run.
Has Regression Range: --- → yes
