Closed
Bug 1646199
Opened 5 years ago
Closed 5 years ago
[warp] Assertion failure: Unexpected null or lazy proto in MObjectStaticProto, at jit/MacroAssembler.cpp:1970
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla80
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | disabled |
| firefox78 | --- | disabled |
| firefox79 | --- | disabled |
| firefox80 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(5 files)
The following testcase crashes on mozilla-central revision 20200615-f05a0084c5f2 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --warp --disable-oom-functions --ion-extra-checks --ion-full-warmup-threshold=0):
Object.defineProperty(this, "f", {});
Object.defineProperty(this, "c", {});
function evalInFunc(src) {
evaluate(src);
}
(function(global) {
var ObjectCreate = global.Object.create;
var ObjectDefineProperty = global.Object.defineProperty;
var ReflectApply = global.Reflect.apply;
var StringPrototypeSubstring = global.String.prototype.substring;
function ArrayPush(arr, val) {
var desc = ObjectCreate(null);
ObjectDefineProperty(arr, arr.length, desc);
}
function StringSplit(str, delimiter) {
var parts = [];
ArrayPush(parts, ReflectApply(StringPrototypeSubstring, str, []));
}
function printStatus(msg) {
msg = String(msg);
var lines = StringSplit(msg, "\\n");
}
global.printStatus = printStatus;
})(this);
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
printStatus();
try {
evalInFunc(`
printStatus();
printStatus();
printStatus();
function sharedConstructor(baseConstructor) {
class SharedTypedArray extends Object.getPrototypeOf(baseConstructor) {}
Object.defineProperty(SharedTypedArray,"BYTES_PER_ELEMENT", {__proto__: null, value: baseConstructor.BYTES_PER_ELEMENT});
Object.defineProperty(SharedTypedArray.prototype, "BYTES_PER_ELEMENT", {__proto__: null, value: baseConstructor.BYTES_PER_ELEMENT});
Object.defineProperty(SharedTypedArray, "name", {__proto__: null, value: baseConstructor.name});
}
const typedArrayConstructors = Object.freeze([
Int8Array,
Uint8Array,
Uint8ClampedArray,
Int16Array,
Uint16Array,
Int32Array,
Uint32Array,
Float32Array,
Float64Array,
]);
typedArrayConstructors.map(sharedConstructor)
`);
} catch(exc) {}
typedArrayConstructors.map(sharedConstructor)
typedArrayConstructors.map(sharedConstructor)
Backtrace:
received signal SIGTRAP, Trace/breakpoint trap.
0x00001e6b0efa4d67 in ?? ()
#0 0x00001e6b0efa4d67 in ?? ()
#1 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x1e6b0efa1010 33445161603088
rcx 0xd3dc1927e60 14558891769440
rdx 0x1a7ad6f04ef8 29114894405368
rsi 0x1 1
rdi 0x7ffff5440798 140737308264344
rbp 0x7fffffffb540 140737488336192
rsp 0x7fffffffb460 140737488335968
r8 0xd3dc19ac3d0 14558892311504
r9 0xd3dc1980980 14558892132736
r10 0xe628cd14 3861433620
r11 0x7ffff6dac7a0 140737334921120
r12 0x0 0
r13 0x7ffff54530b0 140737308340400
r14 0x7ffff544e207 140737308320263
r15 0x0 0
rip 0x1e6b0efa4d67 33445161618791
=> 0x1e6b0efa4d67: push %rcx
0x1e6b0efa4d68: movabs $0x7ffff5472800,%rcx
|
Reporter | |
Comment 1•5 years ago
|
||
|
||
Updated•5 years ago
|
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Comment 2•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200617093637-3155ffead6ae.
The bug appears to have been introduced in the following build range:
> Start: a8f7a2c1d5073d8d1e0904b941f44f6e51cf4e39 (20200529110714)
> End: 9c257fb7548dd9f4bbd2df8f05192f239c733e02 (20200529112442)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a8f7a2c1d5073d8d1e0904b941f44f6e51cf4e39&tochange=9c257fb7548dd9f4bbd2df8f05192f239c733e02
|
||
Updated•5 years ago
|
Severity: -- → S4
Priority: -- → P2
|
Assignee | |
Comment 3•5 years ago
|
||
Use GuardProto / GuardNullProto to prevent loading a null proto in LoadProto.
The next patch will assert objects stored in stub fields are always non-null.
|
||
Updated•5 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 4•5 years ago
|
||
Depends on D82328
|
|
Assignee | |
Comment 5•5 years ago
|
||
Depends on D82329
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f179e9362e9f
part 1 - Fix CacheIR LoadProto to assert the result isn't nullptr. r=evilpie
https://hg.mozilla.org/integration/autoland/rev/bb26ed69fa5a
part 2 - Assert object stub fields are non-nullptr. r=evilpie
https://hg.mozilla.org/integration/autoland/rev/07db2282c6f9
part 3 - Transpile GuardProto and GuardNullProto. r=evilpie
|
||
Comment 7•5 years ago
|
||
Backed out for assertion failures and crashes on CacheIR
backout: https://hg.mozilla.org/integration/autoland/rev/b5dfcca4130ec47accba0ac60854e51014b1c494
push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=07db2282c6f979160edf55885673d871ac2f89d4&group_state=expanded . Failures have started appearing on a later push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=808a0f6d42729600506c5737acca5d7051ba5175&selectedTaskRun=D4aVHxfXRGu2LghO3UTJGg.0
failure log e.g.:
- dom/media/tests/mochitest/test_peerConnection_captureStream_canvas_2d.html | application crashed [@ js::jit::CacheIRWriter::writeObjectField(JSObject*)] https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=308829518&repo=autoland&lineNumber=2134
- Assertion failure: obj, at /builds/worker/checkouts/gecko/js/src/jit/CacheIR.h:556 https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=308829705&repo=autoland&lineNumber=3377
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 8•5 years ago
|
||
This way we can also remove the hasExpando flag.
Depends on D82328
|
|
||
Updated•5 years ago
|
Attachment #9161546 -
Attachment description: Bug 1646199 part 2 - Assert object stub fields are non-nullptr. r?evilpie! → Bug 1646199 part 3 - Assert object stub fields are non-nullptr. r?evilpie!
|
|
||
Updated•5 years ago
|
Attachment #9161548 -
Attachment description: Bug 1646199 part 3 - Transpile GuardProto and GuardNullProto. r?evilpie! → Bug 1646199 part 4 - Transpile GuardProto and GuardNullProto. r?evilpie!
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8d77f43ba3e8
part 1 - Fix CacheIR LoadProto to assert the result isn't nullptr. r=evilpie
https://hg.mozilla.org/integration/autoland/rev/00f8d21e8211
part 2 - Split XrayExpandoShapeAndDefaultProto in two instructions to avoid storing a nullptr object. r=evilpie
https://hg.mozilla.org/integration/autoland/rev/66141f547b06
part 3 - Assert object stub fields are non-nullptr. r=evilpie
https://hg.mozilla.org/integration/autoland/rev/c7b6b13b88f4
part 4 - Transpile GuardProto and GuardNullProto. r=evilpie
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(jdemooij)
|
||
Comment 10•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8d77f43ba3e8
https://hg.mozilla.org/mozilla-central/rev/00f8d21e8211
https://hg.mozilla.org/mozilla-central/rev/66141f547b06
https://hg.mozilla.org/mozilla-central/rev/c7b6b13b88f4
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox80:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
|
||
Updated•5 years ago
|
status-firefox78:
--- → disabled
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → disabled
Regressed by: 1641469
|
||
Updated•5 years ago
|
Has Regression Range: --- → yes
|
|
||
Updated•5 years ago
|
|
|
||
Comment 11•5 years ago
|
||
Bugmon Analysis:
Bug marked as FIXED but still reproduces on mozilla-central 20200713095122-2c8bc998c107.
|
||
Comment 12•5 years ago
|
||
It now asserts with "Overridden getAliasSet without updating AliasAnalysis GetObject", which is already tracked in bug 1652049.
|
|
Assignee | |
Comment 13•5 years ago
|
||
(In reply to André Bargull [:anba] from comment #12)
It now asserts with "Overridden getAliasSet without updating AliasAnalysis GetObject", which is already tracked in bug 1652049.
Yes, I'll fix the assertion failure in bug 1652049.
Status: REOPENED → RESOLVED
Closed: 5 years ago → 5 years ago
Resolution: --- → FIXED
|
|
||
Updated•5 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 14•5 years ago
|
||
Bugmon Analysis:
Bug marked as FIXED but still reproduces on mozilla-central 20200714083249-23131da780b5.
|
|
Assignee | |
Comment 15•5 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #14)
Bugmon Analysis:
Bug marked as FIXED but still reproduces on mozilla-central
20200714083249-23131da780b5.
Also an older revision.
Status: REOPENED → RESOLVED
Closed: 5 years ago → 5 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → FIXED
|
|
||
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•