Closed Bug 1666142 Opened 4 years ago Closed 4 years ago

[warp] Crash [@ ??] with GC

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- disabled
firefox82 --- disabled
firefox83 --- fixed

People

(Reporter: decoder, Assigned: iain)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20200918-ab7d302fd318 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --more-compartments --warp --fast-warmup):

// Runs f against each of the listed Intl constructors.
function testWithIntlConstructors(f) {
  ["PluralRules", "RelativeTimeFormat", "ListFormat"].forEach(function(constructor) {
    var Constructor = Intl[constructor];
    f(Constructor);
  });
}
// Builds language-script tags and constructs an Intl object for each of them;
// i, j, language and script are implicit globals, as in the fuzzer output.
function getLocaleSupportInfo(Constructor) {
  var languages = ["zh", "es", "en", "hi", "ur", "ar", "ja", "pa"];
  var scripts = ["Latn", "Hans", "Deva", "Arab", "Jpan", "Hant", "Guru"];
  var allTags = [];
  for (i = 0; i < languages.length; i++) {
    language = languages[i];
    for (j = 0; j < scripts.length; j++) {
      script = scripts[j];
      allTags.push(language + "-" + script);
    }
  }
  for (i = 0; i < allTags.length; i++) {
    var request = allTags[i];
    var result = new Constructor([request], {localeMatcher: "lookup"}).resolvedOptions().locale;
  }
}
// gczeal(14) (JS shell only) forces frequent shrinking GCs, which discard JIT code.
gczeal(14);
testWithIntlConstructors(function (Constructor) {
  var info = getLocaleSupportInfo(Constructor);
});

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000138c16e5b00 in ?? ()
#0  0x00000138c16e5b00 in ?? ()
#1  0x00000138c1735bd2 in ?? ()
#2  0x0000000000002042 in ?? ()
#3  0x00003d2d1e8a2881 in ?? ()
#4  0x0000000000000000 in ?? ()
rip	0x138c16e5b00	1343275031296
=> 0x138c16e5b00:	in     (%dx),%eax
   0x138c16e5b01:	in     (%dx),%eax
Attached file Testcase

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20200919212721-ab4f6932ea8a
mozilla-central 20200918211411-ab7d302fd318
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]
Flags: needinfo?(jdemooij)

Good find! Iain, it looks like CreateThisFromIC ends up discarding the Baseline code of the callee so after that we restore codeReg and things go bad..

Test below crashes with --warp --fast-warmup --no-threads.

// Reduced testcase: a constructor call in a hot loop, so the call IC warms up
// and a GC can run during the VM call it makes.
function f() {
  for (var i = 0; i < 100; i++) {
    new Intl.PluralRules(["en-Latn"], {localeMatcher: "lookup"}).resolvedOptions();
  }
}
// gczeal(14) (JS shell only) forces frequent shrinking GCs, which discard JIT code.
gczeal(14);
f();
Flags: needinfo?(jdemooij) → needinfo?(iireland)

Ugh, this is a mess to fix.

We don't know until after making the VM call to CreateThisFromIC whether we've discarded the baseline code. To make a VM call, we need an AutoStubFrame, which requires the stack to be empty, which means that we must be done using the input operands. This seems to rule out using a normal FailurePath.

It's a bit awkward, but I think the best solution is to check after calling CreateThis whether we have a baseline script, and fall back to a non-inlined call if we don't. This requires a bit of a dance in the arguments rectifier.

Patch coming tomorrow.

Flags: needinfo?(iireland)
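As an added illustration of the hazard described in the comment above, not code from this bug or from SpiderMonkey: a small C++ model in which a call stub holds the callee's Baseline code pointer across a VM call that may discard it, beside the variant that re-checks after the call and falls back to a non-inlined call. JitCodePool, Script and createThisFromIC are stand-ins for the real types and VM function, and the addresses in the comments are constructed.

```cpp
#include <cstdint>
#include <optional>
#include <set>

// Tracks which JIT code addresses are still allocated (a stand-in for the
// executable allocator) so a dangling pointer can be observed without a crash.
struct JitCodePool {
  std::set<uint64_t> live;
  bool isLive(uint64_t addr) const { return live.count(addr) != 0; }
};

// Stand-in for a script: its Baseline code address, or nullopt once discarded.
struct Script {
  std::optional<uint64_t> baselineCode;
  bool hasBaselineScript() const { return baselineCode.has_value(); }
};

// Stand-in for CreateThisFromIC: a VM call that may trigger a GC which
// discards the callee's Baseline code (what gczeal(14) provokes in the testcase).
void createThisFromIC(JitCodePool& pool, Script& callee, bool gcDiscards) {
  if (gcDiscards && callee.baselineCode) {
    pool.live.erase(*callee.baselineCode);
    callee.baselineCode.reset();
  }
}

// What the stub jumps to afterwards: a code address, or nullopt when it
// takes the non-inlined (generic) call path instead.
using JumpTarget = std::optional<uint64_t>;

// Buggy stub: spills codeReg before the VM call and blindly restores it.
JumpTarget buggyCallStub(JitCodePool& pool, Script& callee, bool gc) {
  uint64_t codeReg = *callee.baselineCode;  // held across the VM call
  createThisFromIC(pool, callee, gc);
  return codeReg;  // restored as-is: dangling if the code was discarded
}

// Fixed stub: after the VM call, re-check that the callee still has a
// Baseline script and otherwise fall back to a non-inlined call.
JumpTarget fixedCallStub(JitCodePool& pool, Script& callee, bool gc) {
  createThisFromIC(pool, callee, gc);
  if (!callee.hasBaselineScript()) return std::nullopt;
  return *callee.baselineCode;  // reloaded from the script, not restored
}
```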

If it gets too messy, another option is for CreateThisFromIC to preserve JIT code in the Zone (or for the callee script). No great options here..

I will land a testcase separately once I manage to write something that triggers the arguments rectifier code and doesn't use Intl.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
Group: core-security-release
