Closed
Bug 1653913
Opened 4 years ago
Closed 4 years ago
[warp] Assertion failure: (asBits_ & js::gc::CellAlignMask) == 0 (GC pointer is not aligned. Is this memory corruption?), at dist/include/js/Value.h:563
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla80
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200720-015515bcba1f (debug build, run with --fuzzing-safe --no-threads --warp --ion-warmup-threshold=0):
function innerLoopIntOuterDouble() {
count = lfAsync;
return "" + count;
}
async function lfAsync() {
await lfPromise();
} lfAsync();
prototype = innerLoopIntOuterDouble;
for (var x of [, [...prototype(new Int8Array())]])
x * 1
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555557c6ca3 in JS::Value::toObject() const ()
#0 0x00005555557c6ca3 in JS::Value::toObject() const ()
#1 0x000055555595a1b2 in js::ContextChecks::check(JS::Value const&, int) ()
#2 0x000055555595e0af in js::GetObjectElementOperation ()
#3 0x0000555555939746 in Interpret(JSContext*, js::RunState&) ()
#4 0x0000555555931932 in js::RunScript(JSContext*, js::RunState&) ()
#5 0x0000555555946bdf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#6 0x000055555594835c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#7 0x00005555563a01b5 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#8 0x000026ca097d4ed3 in ?? ()
[...]
#17 0x0000000000000000 in ?? ()
rax 0x555556fce32e 93825019994926
rbx 0x7fffffffac68 140737488333928
rcx 0x5555583cb840 93825040955456
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffabf0 140737488333808
rsp 0x7fffffffabf0 140737488333808
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9bd40 140737353727296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7ffff6027000 140737320742912
r13 0x1 1
r14 0x0 0
r15 0x7ffff5af21b0 140737315283376
rip 0x5555557c6ca3 <JS::Value::toObject() const+291>
=> 0x5555557c6ca3 <_ZNK2JS5Value8toObjectEv+291>: movl $0x233,0x0
0x5555557c6cae <_ZNK2JS5Value8toObjectEv+302>: callq 0x55555584c42e <abort>
The test is whitespace sensitive (I suggest using the attachment) and can crash in various ways.
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Comment 2•4 years ago
•
|
||
Minimised test case:
var s = "a".repeat(100);
for (var x of [, [...s]]) ;
Edit: Can even be further minimised to:
var s = "a".repeat(100);
var a = [, [...s]];
|
|
Reporter | |
Updated•4 years ago
|
Summary: Assertion failure: (asBits_ & js::gc::CellAlignMask) == 0 (GC pointer is not aligned. Is this memory corruption?), at dist/include/js/Value.h:563 → [warp] Assertion failure: (asBits_ & js::gc::CellAlignMask) == 0 (GC pointer is not aligned. Is this memory corruption?), at dist/include/js/Value.h:563
|
||
Updated•4 years ago
|
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200720141506-630250c6e58d.
Failed to bisect testcase (End build does not crash!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 015515bcba1f358432cad988600672d027fd125d (20200720031207)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
|
Assignee | |
Comment 4•4 years ago
|
||
(In reply to André Bargull [:anba] from comment #2)
Minimised test case:
Thanks for that!
This bug is a good find, pre-existing JSOp::InitElemArray inconsistency that Ion happens to avoid but it affects WarpBuilder's fast path because we use it in more cases.
|
|
Assignee | |
Comment 5•4 years ago
|
||
Warp code assumes index == initLength at the start of JSOp::InitArrayElem. The
VM implementation however didn't bump the initLength for hole values. This becomes
a problem when there's a spread loop and we enter Warp code there.
IonBuilder does not have this issue because initArrayElemTryFastPath checks for
MNewArray and in this case we have a loop phi so we don't use the fast path.
I added an assert to InitArrayElemOperation and cleaned it up a bit: restructure,
change the argument from HandleObject to HandleArrayObject etc.
|
||
Updated•4 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2c03f0bcc9d1 Fix InitArrayElemOperation to match Ion/Warp code for hole values. r=anba
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
|
|
||
Updated•4 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 8•4 years ago
|
||
Bugmon Analysis: Bug marked as FIXED but still reproduces on mozilla-central 20200722094100-a3424b79d068.
|
|
Assignee | |
Updated•4 years ago
|
Status: REOPENED → RESOLVED
Closed: 4 years ago → 4 years ago
Resolution: --- → FIXED
|
||
Updated•4 years ago
|
status-firefox78:
--- → wontfix
status-firefox79:
--- → wontfix
status-firefox-esr68:
--- → wontfix
status-firefox-esr78:
--- → wontfix
Flags: in-testsuite+
|
|
||
Updated•4 years ago
|
|
|
||
Comment 9•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200722155017-5e83cc94405f. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•