1657399 - [warp] Assertion failure: end[0] == ZeroLengthArrayData, at vm/TypedArrayObject.cpp:153 or Assertion failure: asValue() % sizeof(std::conditional_t<std::is_void_v<std::remove_pointer_t<U>>, char, std::remove_pointer_t<U>>) == 0, at vm/SharedMem.h:82

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200805-297a47c209fa (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --ion-warmup-threshold=1):

function defineProp() {
  var ta = new Int32Array(0);
  for (var i17 = 0; i17 < 0; ++i17)
    Reflect.defineProperty(ta)
  defineProp();
}
defineProp();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555716d466 in js::TypedArrayObject::assertZeroLengthArrayData() const ()
#1  0x000055555716d28f in js::TypedArrayObject::hasInlineElements() const ()
#2  0x0000555556ff719c in JSObject::allocKindForTenure(js::Nursery const&) const ()
#3  0x0000555557607102 in js::TenuringTracer::moveToTenuredSlow(JSObject*) ()
#4  0x0000555557606b1c in void js::TenuringTracer::traverse<JSObject>(JSObject**) ()
#5  0x00005555575f87d4 in TraceGenericPointerRootAndType(JSTracer*, js::gc::Cell*, JS::TraceKind, char const*) ()
#6  0x00005555575f8739 in js::TraceGenericPointerRoot(JSTracer*, js::gc::Cell**, char const*) ()
#7  0x0000555557b17be4 in js::jit::TraceJitActivations(JSContext*, JSTracer*) ()
#8  0x000055555762a57f in js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime) ()
#9  0x000055555761f45e in js::Nursery::doCollection(JS::GCReason, js::gc::TenureCountCache&) ()
#10 0x000055555761e928 in js::Nursery::collect(JSGCInvocationKind, JS::GCReason) ()
#11 0x00005555575b4e1e in js::gc::GCRuntime::collectNursery(JSGCInvocationKind, JS::GCReason, js::gcstats::PhaseKind) ()
#12 0x00005555575b7c89 in js::gc::GCRuntime::minorGC(JS::GCReason, js::gcstats::PhaseKind) ()
#13 0x0000555557568dca in JSObject* js::gc::GCRuntime::tryNewNurseryObject<(js::AllowGC)1>(JSContext*, unsigned long, unsigned long, JSClass const*) ()
#14 0x00005555575688f5 in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*) ()
#15 0x0000555556c3d36a in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) ()
#16 0x0000555556fdee0a in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) ()
#17 0x0000555556fdf88f in js::NewObjectWithGroupCommon(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind) ()
#18 0x000055555716ec24 in js::NewTypedArrayWithTemplateAndLength(JSContext*, JS::Handle<JSObject*>, int) ()
#19 0x00002d666e33f579 in ?? ()
#20 0x0000000000000000 in ?? ()
rax	0x5555558e71c5	93824995979717
rbx	0x8d6ab83ff50	9718093578064
rcx	0x55555846da80	93825041619584
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7ffffffc83c0	140737488126912
rsp	0x7ffffffc83b0	140737488126896
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9ddc0	140737353735616
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffffffc8740	140737488127808
r13	0x8d6ab83ff50	9718093578064
r14	0x8d6ab83ff50	9718093578064
r15	0x7ffffffc8e08	140737488129544
rip	0x55555716d466 <js::TypedArrayObject::assertZeroLengthArrayData() const+342>
=> 0x55555716d466 <_ZNK2js16TypedArrayObject25assertZeroLengthArrayDataEv+342>:	movl   $0x99,0x0
   0x55555716d471 <_ZNK2js16TypedArrayObject25assertZeroLengthArrayDataEv+353>:	callq  0x555556bb4ebe <abort>

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200805124410-297a47c209fa.
The bug appears to have been introduced in the following build range:
> Start: 255b4f5888e9e9cdd40f59fec969af247859d76a (20200803213927)
> End: 7112fefc4b7976247f108d77c2c000dae392ea31 (20200803142306)
> Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=255b4f5888e9e9cdd40f59fec969af247859d76a&tochange=7112fefc4b7976247f108d77c2c000dae392ea31

Comment 3

[André Bargull [:anba]]

Ion correctly doesn't allow zero length for MNewTypedArray: providedLen <= 0. But Warp has len >= 0 instead of len > 0.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Bug 1657399 - Don't use MNewTypedArray if the length is zero. r?anba!

Also add an assertion for this to MacroAssembler::initTypedArraySlots. This replaces
some invalid code that used dataSlotOffset instead of dataOffset.

Not adding the test because with the new assertion this failed jit-tests.

Comment 5

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c6ad7f173e72
Don't use MNewTypedArray if the length is zero. r=anba

Comment 6

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/c6ad7f173e72

Comment 7

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200811214738-5d63045bb341.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.