Closed Bug 1647250 Opened 4 years ago Closed 4 years ago

[warp] Assertion failure: Integer input should be equal or higher than Lowerbound., at jit/MacroAssembler.cpp:1970

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox77 --- disabled
firefox78 --- disabled
firefox79 --- disabled
firefox80 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase
232 bytes, text/plain
Details
Bug 1647250 - Fix MArrayLength to check for non-int32 array lengths in Warp. r?evilpie!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200622-24787602a9f6 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --ion-check-range-analysis --baseline-eager --ion-warmup-threshold=10):

function intLength(a, l) {
  var res = 0;
  for (var i = 0; i < l; i++)
    res += a.length;
}
var denseArray = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
var hugeArray = new Array(4294967295);
intLength(denseArray, 10)
intLength(hugeArray, 1)

Backtrace:

received signal SIGTRAP, Trace/breakpoint trap.
0x0000149db34f1f26 in ?? ()
#0  0x0000149db34f1f26 in ?? ()
[...]
#10 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x1	1
rcx	0x7ffff4efb010	140737302736912
rdx	0x0	0
rsi	0xfff9800000000000	-1829587348619264
rdi	0xfff9800000000000	-1829587348619264
rbp	0xffffffff	4294967295
rsp	0x7fffffffb240	140737488335424
r8	0xd38c67004f8	14537498559736
r9	0x0	0
r10	0xffffd555570e94f0	-46912467200784
r11	0x7ffff6dac7a0	140737334921120
r12	0x8	8
r13	0x7fffffffbba0	140737488337824
r14	0x3043	12355
r15	0x0	0
rip	0x149db34f1f26	22667550727974
=> 0x149db34f1f26:	mov    0x30(%rsp),%r8
   0x149db34f1f2b:	mov    %rsi,%r9
Attached file Testcase 

    
    

    
  
Good catch. I think the problem here is that MArrayLength in Warp needs to check the length fits in an int32.


Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

    
    

    
  
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200622154848-fa015682f653.
The bug appears to have been introduced in the following build range:
> Start: 38fd7b58a1d32f807a3affaf1ef9aebd486b4dc5 (20200414104423)
> End: be31e7714633a29f99c1002c48ee00c1fb0de213 (20200414110746)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=38fd7b58a1d32f807a3affaf1ef9aebd486b4dc5&tochange=be31e7714633a29f99c1002c48ee00c1fb0de213
Severity: -- → N/A
Priority: -- → P2
Severity: N/A → S4
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

    
    

    
  
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d3ba9f8006f6
Fix MArrayLength to check for non-int32 array lengths in Warp. r=evilpie

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/d3ba9f8006f6


Status: ASSIGNED → RESOLVED
Closed: 4 years ago

          status-firefox80:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

    
  
Has Regression Range: --- → yes
Status: RESOLVED → VERIFIED

          status-firefox80:
          fixedverified
Keywords: bugmon

    
    

    
  
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200702094606-6e29c02e7e5f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: