[warp] Assertion failure: !icScript_->hasInlinedChild(entry.pcOffset()), at jit/TrialInlining.cpp:358 with gc
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox82 | --- | wontfix |
| firefox83 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [sec-survey][post-critsmash-triage][adv-main83+])
Attachments
(2 files, 1 obsolete file)
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
Function.call.bind();
gc();
oomTest(Function.call.bind);
(gdb) bt
#0 js::jit::TrialInliner::maybeInlineCall (this=0x7fffffffab70, entry=..., loc=...)
at /home/skygentoo/trees/mozilla-central/js/src/jit/TrialInlining.cpp:358
#1 0x0000555557dc18ca in js::jit::TrialInliner::tryInlining (this=0x7fffffffab70) at /home/skygentoo/trees/mozilla-central/js/src/jit/TrialInlining.cpp:413
#2 0x0000555557dc15fb in js::jit::DoTrialInlining (cx=0x7ffff6927000, frame=0x7fffffffac40)
at /home/skygentoo/trees/mozilla-central/js/src/jit/TrialInlining.cpp:62
#3 0x00003d28197eac35 in ?? ()
#4 0x0000000000002043 in ?? ()
#5 0x00007fffffffac00 in ?? ()
#6 0x0000555558d3da10 in js::jit::vmFunctions ()
#7 0x00003d2819860b11 in ?? ()
#8 0x0000000000007821 in ?? ()
#9 0x00007fffffffac40 in ?? ()
#10 0xfff9800000000000 in ?? ()
#11 0xfff9800000000000 in ?? ()
#12 0xfff9800000000000 in ?? ()
#13 0xfff9800000000000 in ?? ()
#14 0x0000007aba99d0b0 in ?? ()
#15 0x00007ffff63fa0a3 in ?? ()
#16 0x0000000000000000 in ?? ()
(gdb)
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/cfb6ef22174c
user: Jan de Mooij
date: Wed Sep 16 11:15:38 2020 +0000
summary: Bug 1664786 part 4 - Set initial warm-up threshold for trial-inlined scripts. r=iain
Run with --fuzzing-safe --baseline-warmup-threshold=0 --ion-warmup-threshold=0 --cpu-count=2 --fast-warmup --warp, compile with AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev cb8232ebe212.
I doubt this is s-s since oomTest is here, but gc is involved, so I'll let Jan/other devs make the decision.
|
Assignee | |
Comment 1•4 years ago
|
||
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 2•4 years ago
|
||
This one is probably sec-high: on OOM we can leave a bogus entry in the ICScript's inlinedChildren_ Vector. If later on we do a second trial-inlining and that succeeds, we could confuse the Warp bailout code.
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 3•4 years ago
|
||
|
||
Comment 4•4 years ago
|
||
|
||
Updated•4 years ago
|
|
||
Comment 5•4 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Comment 6•4 years ago
|
||
|
|
||
Comment 7•4 years ago
|
||
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
|
Reporter | |
Updated•11 months ago
|
|
||
Updated•9 months ago
|
Description
•