Closed Bug 1664007 Opened 5 years ago Closed 5 years ago

Crash [@ js::Shape::maybeCreateCacheForLookup] or [@ js::jit::SetNativeDataPropertyPure<false>]

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86
Linux
defect

Tracking

RESOLVED FIXED
82 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox80 --- disabled
firefox81 --- disabled
firefox82 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200908-dc90a7a18c07 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp):

function foo() {
  function z89() {
    this.a3 = function () {}
    this.a3 = this
  }
  for (e37 in [0, 0, 0, (new z89)])
    new new.target()
}
new foo();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::Shape::maybeCreateCacheForLookup (this=0xffffff8c, cx=0xf6e1f000) at js/src/vm/Shape-inl.h:41
#1  0x57ef3d30 in js::Shape::search<(js::MaybeAdding)0> (cx=0xf6e1f000, start=0xffffff8c, id=...) at js/src/vm/Shape-inl.h:83
#2  0x5863dfde in js::Shape::search (this=0xffffff8c, cx=0xf508de00, id=...) at js/src/vm/Shape-inl.h:37
#3  js::jit::SetNativeDataPropertyPure<false> (cx=0xf6e1f000, obj=0xfffdd2e8, name=0xf5c05538, val=0xfffdd2e8) at js/src/jit/VMFunctions.cpp:1683
#4  0x59ec905b in ?? ()
[...]
#9  0x5c8b0824 in ?? ()
eax	0xf508de00	-183968256
ebx	0x5932ff5c	1496514396
ecx	0xf5c05538	-171944648
edx	0xfffdd298	-142696
esi	0xffffff8c	-116
edi	0xf6e1f000	-152965120
ebp	0xfffdd228	4294824488
esp	0xfffdd210	4294824464
eip	0x57ef4007 <js::Shape::maybeCreateCacheForLookup(JSContext*)+23>
=> 0x57ef4007 <js::Shape::maybeCreateCacheForLookup(JSContext*)+23>:	mov    (%esi),%eax
   0x57ef4009 <js::Shape::maybeCreateCacheForLookup(JSContext*)+25>:	test   $0x7,%al
Attached file Testcase
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]
Bugmon Analysis: Unable to reproduce bug using the following builds:
> mozilla-central 20200909213959-e00579f0f735
> mozilla-central 20200908215255-dc90a7a18c07
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Setting S4 rating as WarpBuilder is shipped behind a pref in nightly.

Iain can you look at this issue?

Severity: -- → S4
Flags: needinfo?(iireland)
Priority: -- → P2

This looked like something I broke so I investigated and posted a patch. Unfortunately Bugzilla and Phabricator integration is broken right now but it's https://phabricator.services.mozilla.com/D90223

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(iireland)

Problem was a SetProp of the form x.prop = x where we pushed the RHS and then
clobbered its register, but that also clobbered the object register on x86 because
it was the same register.

This patch adds an extra temp register to some of these instructions and uses
that instead.
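
A constructed C model of the register-aliasing defect and the temp-register fix described in the comment above. This is an added illustration, not SpiderMonkey code; the register names, the Machine struct, the two setprop_* sequences and the pick_temp helper are hypothetical, and the scratch value used in the test mirrors the esi value from the backtrace.

```c
#include <stdint.h>

/* Hypothetical model, not SpiderMonkey code: five x86-like registers and a
   tiny "native object" whose address the stub must keep until it is used. */
enum { R_EAX, R_ECX, R_EDX, R_ESI, R_EDI, NREGS };

typedef struct { uintptr_t shape; } Obj;

typedef struct {
    uintptr_t r[NREGS];   /* register file */
    uintptr_t stack[4];   /* outgoing arguments pushed for the VM call */
    int sp;
} Machine;

/* Buggy sequence: push the RHS, then reuse val's register as scratch for the
   property-name argument, then read the object from obj's register. For
   `x.prop = x` the allocator may assign obj and val the SAME register, so the
   object read now yields the scratch value. Returns the pointer the stub would
   hand to the shape lookup (returned rather than dereferenced so the model
   cannot crash the way the real stub did). */
static uintptr_t setprop_buggy(Machine *m, int obj, int val, uintptr_t name) {
    m->stack[m->sp++] = m->r[val];   /* push val for the VM call */
    m->r[val] = name;                /* clobber: if obj == val, obj is gone too */
    return m->r[obj];
}

/* Pick a register that aliases neither input: the extra temp the fix adds. */
static int pick_temp(int obj, int val) {
    for (int t = 0; t < NREGS; t++)
        if (t != obj && t != val) return t;
    return -1;
}

/* Fixed sequence: scratch data goes in the dedicated temp, so the object
   register survives even when obj == val. */
static uintptr_t setprop_fixed(Machine *m, int obj, int val, uintptr_t name) {
    int temp = pick_temp(obj, val);
    m->stack[m->sp++] = m->r[val];   /* push val for the VM call */
    m->r[temp] = name;               /* scratch lives in temp, inputs untouched */
    return m->r[obj];
}
```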

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0717335afeaa Change megamorphic instructions to use a temp register. r=iain
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch