Closed Bug 1647114 Opened 7 months ago Closed 7 months ago

[warp] Assertion failure: type != ins->type(), at jit/MIR.h:3367

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox77 --- unaffected
firefox78 --- unaffected
firefox79 --- fixed

People

(Reporter: decoder, Assigned: evilpie)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200619-341563fe5463 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --baseline-eager --ion-warmup-threshold=10 test.js):

var array = new Int32Array(10);
function check() {
    for (var i = 0; i < 4; i++) {
        // "4294967295" is a canonical numeric string that is out of range for the
        // typed array, so the element lookup must yield undefined.
        assertEq(undefined, array["4294967295"]);
    }
}
// Two calls so the loop crosses the Ion/Warp warmup threshold and the
// GetElem IC is transpiled to MIR.
check();
check();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005569dcc07822 in js::jit::MUnbox::MUnbox(js::jit::MDefinition*, js::jit::MIRType, js::jit::MUnbox::Mode, js::jit::BailoutKind, js::jit::TempAllocator&) ()
#1  0x00005569dd2ab307 in WarpCacheIRTranspiler::emitGuardToTypedArrayIndex(js::jit::ValOperandId, js::jit::Int32OperandId) ()
#2  0x00005569dd2a795d in WarpCacheIRTranspiler::transpile(mozilla::Vector<js::jit::MDefinition*, 8ul, js::SystemAllocPolicy> const&) ()
#3  0x00005569dd2a6576 in js::jit::TranspileCacheIRToMIR(js::jit::MIRGenerator&, js::BytecodeLocation, js::jit::MBasicBlock*, js::jit::WarpCacheIR const*, mozilla::Vector<js::jit::MDefinition*, 8ul, js::SystemAllocPolicy> const&) ()
#4  0x00005569dd2a1199 in js::jit::WarpBuilder::buildIC(js::BytecodeLocation, js::jit::CacheKind, std::initializer_list<js::jit::MDefinition*>) ()
#5  0x00005569dd2937d3 in js::jit::WarpBuilder::build_GetElem(js::BytecodeLocation) ()
#6  0x00005569dd28e829 in js::jit::WarpBuilder::buildBody() ()
#7  0x00005569dd28dc3a in js::jit::WarpBuilder::build() ()
#8  0x00005569dce10dda in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#9  0x00005569dce25191 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#10 0x00005569dce122a1 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#11 0x00005569dce12ac7 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*) ()
#12 0x00005569dce130fd in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#13 0x00002c1d16217a27 in ?? ()
#14 0xfff9800000000000 in ?? ()
#15 0x00007ffe3d682aa8 in ?? ()
#16 0x00007ffe3d682b28 in ?? ()
#17 0x0000000000000000 in ?? ()
rip	0x5569dcc07822 <js::jit::MUnbox::MUnbox(js::jit::MDefinition*, js::jit::MIRType, js::jit::MUnbox::Mode, js::jit::BailoutKind, js::jit::TempAllocator&)+386>
=> 0x5569dcc07822 <_ZN2js3jit6MUnboxC2EPNS0_11MDefinitionENS0_7MIRTypeENS1_4ModeENS0_11BailoutKindERNS0_13TempAllocatorE+386>:	movl   $0xd27,0x0
   0x5569dcc0782d <_ZN2js3jit6MUnboxC2EPNS0_11MDefinitionENS0_7MIRTypeENS1_4ModeENS0_11BailoutKindERNS0_13TempAllocatorE+397>:	callq  0x5569dc05f64e <abort>
Attached file Testcase
Assignee: nobody → evilpies
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/df9a7fb5aa21
Actually don't unbox numbers when transpiling GuardToTypedArrayIndex. r=jandem
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200622093309-24787602a9f6.
The bug appears to have been introduced in the following build range:
> Start: 00d535d4004d9c4ca5b34ce95c34e59ba54bf3ec (20200617142451)
> End: 6fbdf96ceeb6bab2897adc99d05aaf62186ba9ee (20200617142550)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=00d535d4004d9c4ca5b34ce95c34e59ba54bf3ec&tochange=6fbdf96ceeb6bab2897adc99d05aaf62186ba9ee
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200623034439-b1146cce5053.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.