Assertion failure: LoadUnboxedObjectOrNull instruction returned object with unexpected type, at jit/MacroAssembler.cpp:1881
Categories: Core :: JavaScript Engine, defect, P1
People: Reporter: decoder, Assigned: jandem
Details: 7 keywords, Whiteboard: [Nightly only] [jsbugmon:bisect][post-critsmash-triage][sec-survey]
Attachments: 5 files
The following testcase crashes on mozilla-central revision 20200107-e728bf01a2b6 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-warmup-threshold=1 --baseline-warmup-threshold=0):
var uint32 = TypedObject.Object;
var VectorType = uint32.array(3);
var VectorsType = VectorType.array(3);
var array = new VectorsType([
  [1, 2, 3],
  [4, 5, 6],
  [{
    get a82() {
      return a82;
    },
    set a82(VectorsType) {
      return obj = StructType
    }
  }, 8, 9]
]);
var sum = array.reduce(vectorAdd);
function vectorAdd(l85, r74) {
  for (var i79 = 0; i79 < l85.length; i79++)
    l85[i79] += r74[i79];
  return l85;
}
Backtrace:
received signal SIGTRAP, Trace/breakpoint trap.
0x000017839e359920 in ?? ()
#0 0x000017839e359920 in ?? ()
#1 0x000020c977500a18 in ?? ()
#2 0xfffa80000000000a in ?? ()
#3 0x0000000000000000 in ?? ()
Dangerous JIT assertion, marking s-s.
Comment 1•4 years ago
It's possible this is TypedObject-specific because MLoadUnboxedObjectOrNull is only used in IonBuilder::pushReferenceLoadFromTypedObject.
Comment 2•4 years ago
AFAICT this has to do with TypedObjects so it's Nightly specific. When we call reduce, we end up creating an OutlineOpaqueTypedObject for an InlineOpaqueTypedObject. I think this object doesn't have correct type information (typeset for the JSID_VOID property doesn't exist), confusing IonBuilder into thinking no type barrier is needed. That object with the "x" getter/setter then shows up, triggering the TI check.
I think we should strongly consider disabling TypedObjects in the browser, or at least the JS implementation. Or the IonBuilder code - considering our JIT plans for this year that code will likely be removed/replaced anyway.
Reduced testcase:
function vectorAdd(arr1, arr2) {
  for (var i = 0; i < 3; i++) {
    print(arr2[i].toString());
  }
  return arr1;
}
var VectorType = TypedObject.Object.array(3);
var VectorsType = VectorType.array(3);
var array = new VectorsType([
  [1, 2, 3],
  [4, 5, 6],
  [{get x() { return 1; }, set x(VectorsType) {}}, 8, 9]
]);
array.reduce(vectorAdd);
Comment 3•4 years ago
Removing TypedObject optimizations from TI and IonMonkey makes a lot of sense since even if they have a future, the JIT story will be changing.
Comment 4•4 years ago
We depend on TypedObjects for some experimental wasm gc work, but that is all baseline-only at this point and I think removing TO JIT functionality is probably not going to be a problem for us.
Comment 5•4 years ago
JSBugMon: Cannot process bug: Error: Failed to isolate original revision for test
Comment 6•4 years ago
Typed objects are Nightly-only. The code depends heavily on TI, has bugs, and would have to be removed/replaced for WarpBuilder anyway.
Comment 7•4 years ago
Depends on D62738
Comment 8•4 years ago
Ion no longer uses the template object after part 1.
Depends on D62739
Comment 9•4 years ago
This 'fixes' bug 1611194.
Comment 10•4 years ago
Depends on D62745
Comment 12•4 years ago
https://hg.mozilla.org/integration/autoland/rev/10063ed635d6
https://hg.mozilla.org/integration/autoland/rev/a0e7391a18f2
https://hg.mozilla.org/integration/autoland/rev/70af5c75f31c
https://hg.mozilla.org/integration/autoland/rev/be8014541db4
https://hg.mozilla.org/integration/autoland/rev/2dd173738034
(Typed objects are Nightly-only.)
Comment 13•4 years ago
https://hg.mozilla.org/mozilla-central/rev/10063ed635d6
https://hg.mozilla.org/mozilla-central/rev/a0e7391a18f2
https://hg.mozilla.org/mozilla-central/rev/70af5c75f31c
https://hg.mozilla.org/mozilla-central/rev/be8014541db4
https://hg.mozilla.org/mozilla-central/rev/2dd173738034
(Typed objects are Nightly-only.)
Set 74 to disabled.
Comment 14•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.