Closed Bug 1608994 Opened 4 years ago Closed 4 years ago

Assertion failure: LoadUnboxedObjectOrNull instruction returned object with unexpected type, at jit/MacroAssembler.cpp:1881

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- disabled
firefox72 --- disabled
firefox73 --- disabled
firefox74 --- disabled
firefox75 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(7 keywords, Whiteboard: [Nightly only] [jsbugmon:bisect][post-critsmash-triage][sec-survey])

Attachments

(5 files)

The following testcase crashes on mozilla-central revision 20200107-e728bf01a2b6 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-warmup-threshold=1 --baseline-warmup-threshold=0):

var uint32 = TypedObject.Object;
var VectorType = uint32.array(3);
var VectorsType = VectorType.array(3);
var array = new VectorsType([
    [1, 2, 3],
    [4, 5, 6],
    [{
        get a82() {
            return a82;
        },
        set a82(VectorsType) {
            return obj = StructType
        }
    }, 8, 9]
]);
var sum = array.reduce(vectorAdd);
function vectorAdd(l85, r74) {
    for (var i79 = 0; i79 < l85.length; i79++)
        l85[i79] += r74[i79];
    return l85;
}

Backtrace:

received signal SIGTRAP, Trace/breakpoint trap.
0x000017839e359920 in ?? ()
#0  0x000017839e359920 in ?? ()
#1  0x000020c977500a18 in ?? ()
#2  0xfffa80000000000a in ?? ()
#3  0x0000000000000000 in ?? ()

Dangerous JIT assertion, marking s-s.

It's possible this is TypedObject-specific because MLoadUnboxedObjectOrNull is only used in IonBuilder::pushReferenceLoadFromTypedObject.

Priority: -- → P1

AFAICT this has to do with TypedObjects so it's Nightly specific. When we call reduce, we end up creating an OutlineOpaqueTypedObject for an InlineOpaqueTypedObject. I think this object doesn't have correct type information (typeset for the JSID_VOID property doesn't exist), confusing IonBuilder into thinking no type barrier is needed. That object with the "x" getter/setter then shows up, triggering the TI check.

I think we should strongly consider disabling TypedObjects in the browser, or at least the JS implementation. Or the IonBuilder code - considering our JIT plans for this year that code will likely be removed/replaced anyway.

Reduced testcase:

function vectorAdd(arr1, arr2) {
    for (var i = 0; i < 3; i++) {
        print(arr2[i].toString());
    }
    return arr1;
}
var VectorType = TypedObject.Object.array(3);
var VectorsType = VectorType.array(3);
var array = new VectorsType([
    [1, 2, 3],
    [4, 5, 6],
    [{get x() { return 1; }, set x(VectorsType) {}}, 8, 9]
]);
array.reduce(vectorAdd);

Removing TypedObject optimizations from TI and IonMonkey makes a lot of sense since even if they have a future, the JIT story will be changing.

We depend on TypedObjects for some experimental wasm gc work, but that is all baseline-only at this point and I think removing TO JIT functionality is probably not going to be a problem for us.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][Nightly only]
Whiteboard: [jsbugmon:update,bisect][Nightly only] → [Nightly only] [jsbugmon:bisect]
JSBugMon: Cannot process bug: Error: Failed to isolate original revision for test
Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)

Typed objects are Nightly-only. The code depends heavily on TI, has bugs, and would have to be removed/replaced for WarpBuilder anyway.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

Ion no longer uses the template object after part 1.

Depends on D62739

Flags: qe-verify-
Whiteboard: [Nightly only] [jsbugmon:bisect] → [Nightly only] [jsbugmon:bisect][post-critsmash-triage]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jdemooij)
Whiteboard: [Nightly only] [jsbugmon:bisect][post-critsmash-triage] → [Nightly only] [jsbugmon:bisect][post-critsmash-triage][sec-survey]
Flags: needinfo?(jdemooij)
Group: core-security-release
Regressions: 1661410
No longer regressions: 1661410
