Closed Bug 1663993 Opened 5 years ago Closed 5 years ago

[warp] Crash [@ ??] with invalid read

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
82 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox80 --- wontfix
firefox81 --- wontfix
firefox82 --- fixed

People

(Reporter: decoder, Assigned: iain)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])

Crash Data

Attachments

(2 files)

Testcase
257 bytes, text/plain
Details
Bug 1663993: Add warm-up data field to SelfHostedLazyScript r=tcampbell
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200908-dc90a7a18c07 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --fast-warmup):

function r(x) {
  if (x.substr(-3) != "xxx")
    evaluate(x);
}
var b = `
  // NOP
  // NOP
  // NOP
  // NOP
  // NOP
  // NOP
  relazifyFunctions();
`.split('\n');
while (true) {
    let line = b.shift(); if (line == null) break;
    r("");
    r(line);
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00001c2792f377b8 in ?? ()
#1  0x00001c2792f36dc3 in ?? ()
#2  0xfff88000fffffffd in ?? ()
#3  0xfffb339dec4257a0 in ?? ()
#4  0xfffe339dec4a0470 in ?? ()
#5  0x00007ffff6027000 in ?? ()
#6  0x00007fffffffb4d0 in ?? ()
#7  0x00007ffff605f9d2 in ?? ()
#8  0x0000339dec47e040 in ?? ()
#9  0x00007ffff6060cb8 in ?? ()
#10 0x00007fffffffb490 in ?? ()
#11 0x7db9ad3d970b2b00 in ?? ()
#12 0x0000006000000000 in ?? ()
#13 0x0000000000000000 in ?? ()
rax	0x339dec4a0470	56753367155824
rbx	0xe4e4e400	3840205824
rcx	0x1	1
rdx	0x1	1
rsi	0x7ffff6094020	140737321189408
rdi	0x7ffff6094268	140737321189992
rbp	0x7fffffffb6c8	140737488336584
rsp	0x7fffffffb660	140737488336480
r8	0x7ffff4de17d5	140737301583829
r9	0x7fffffffb638	140737488336440
r10	0x1a0	416
r11	0xfffe000000000000	-562949953421312
r12	0x0	0
r13	0x0	0
r14	0x7ffff605f9e1	140737320974817
r15	0x7ffff6027000	140737320742912
rip	0x1c2792f377b8	30956294731704
=> 0x1c2792f377b8:	mov    0x88(%rbx),%rbx
   0x1c2792f377bf:	cmp    $0x1,%rbx

Not marking s-s because Warp is still disabled by default.

Attached file Testcase

This appears to be related to trial inlining. Looking into it.

Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]
Bugmon Analysis: Unable to reproduce bug using the following builds: > mozilla-central 20200909213959-e00579f0f735 > mozilla-central 20200908215255-dc90a7a18c07 Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Jan, can you look at this issue?

Severity: -- → S4
Flags: needinfo?(jdemooij)
Priority: -- → P2

The issue here is that we trial-inline a self-hosted call, trigger relazification, then try to call the trial-inlined function. Unlike other functions, self-hosted lazy functions do not have a BaseScript. Instead, we have a fake SelfHostedLazyScript per-runtime that contains a trampoline pointer. In general, this is good enough for jitcode. However, when we call a trial-inlined function, we have to guard that it has a BaselineScript, and the first step is to check if it has a JitScript.

To make branchIfScriptHasNoJitScript work for self-hosted lazy functions, this patch adds a warm-up data field to SelfHostedLazyScript.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b32cb06ef2ae Add warm-up data field to SelfHostedLazyScript r=tcampbell

https://hg.mozilla.org/mozilla-central/rev/b32cb06ef2ae

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: