Closed Bug 1577565 Opened 5 years ago Closed 5 years ago

Assertion failure: cmpret == 0, at js/src/jit/arm/Simulator-arm.cpp:1055 with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 file)

Bug 1577565 - Fix patchNopToCall and patchCallToNop to flush the icache on ARM and MIPS. r?lth!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 23824765c6aa (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments --baseline-eager --arm-sim-icache-checks --ion-warmup-threshold=0 test.js):

let g97 = newGlobal();
let dbg = Debugger(g97);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::SimulatorProcess::checkICacheLocked (instr=0x594797d4) at js/src/jit/arm/Simulator-arm.cpp:1055
#1  0x5704bfa2 in js::jit::Simulator::instructionDecode (this=0xf662d000, instr=0x594797d4) at js/src/jit/arm/Simulator-arm.cpp:4664
#2  0x5704c7fa in js::jit::Simulator::execute<false> (this=0xf662d000) at js/src/jit/arm/Simulator-arm.cpp:4750
#3  js::jit::Simulator::callInternal (this=0xf662d000, entry=0x59466700 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4828
#4  0x5704ca99 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4915
#5  0x571aa80f in EnterJit (cx=<optimized out>, cx@entry=0xf660f800, state=..., code=0x594afce0 "\004\340-\345\a") at js/src/jit/Jit.cpp:111
#6  0x571ab206 in js::jit::MaybeEnterJit (cx=0xf660f800, state=...) at js/src/jit/Jit.cpp:194
#7  0x567d4f0d in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:409
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11363
eax	0x57c8faf4	1472789236
ebx	0x57c8eff4	1472786420
ecx	0xf7517864	-145655708
edx	0x5777b9cd	1467464141
esi	0x594797d4	1497864148
edi	0xf66a87d4	-160790572
ebp	0xffe15488	4292957320
esp	0xffe15460	4292957280
eip	0x57047cc4 <js::jit::SimulatorProcess::checkICacheLocked(js::jit::SimInstruction*)+244>
=> 0x57047cc4 <js::jit::SimulatorProcess::checkICacheLocked(js::jit::SimInstruction*)+244>:	movl   $0x0,0x0
   0x57047cce <js::jit::SimulatorProcess::checkICacheLocked(js::jit::SimInstruction*)+254>:	ud2

This is a fuzzblocker on ARM due to it's high frequency.

Sean or Nicolas, could one of you look into this fuzzblocker on ARM?

Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [fuzzblocker] [jsbugmon:bisect] → [fuzzblocker] [jsbugmon:update,bisect]
Whiteboard: [fuzzblocker] [jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e72770318826
user:        Jan de Mooij
date:        Tue Aug 27 15:57:33 2019 +0000
summary:     Bug 1576567 part 3 - Use real NOPs for debug trap handler calls in interpreter loop. r=tcampbell

This iteration took 466.380 seconds to run.
Flags: needinfo?(nicolas.b.pierron) → needinfo?(jdemooij)

The ARM64 code was already doing this correctly.

This also affects Wasm debugger breakpoints but it's not clear to me why
fuzzing didn't find the same issue there.

We are considering doing icache flushing on mprotect, it would eliminate
these issues.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(sstangl)
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9e00286ac2a6
Fix patchNopToCall and patchCallToNop to flush the icache on ARM and MIPS. r=lth
Priority: -- → P1

https://hg.mozilla.org/mozilla-central/rev/9e00286ac2a6

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox70: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Can we land the testcase from this bug?

status-firefox69: --- → unaffected
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
Flags: needinfo?(jdemooij)
Flags: in-testsuite?

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

Can we land the testcase from this bug?

The test requires --arm-sim-icache-checks which doesn't work on non-ARM...

Bug 1575153 removed all this code and replaced it with a much simpler mechanism, so the test isn't that useful anymore and I think we're good.

Flags: needinfo?(jdemooij)
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: