Closed Bug 1667699 Opened 4 years ago Closed 4 years ago

[warp] Assertion failure: hasBaseScript(), at vm/JSFunction.h:463 with relazifyFunctions

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
83 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- unaffected
firefox82 --- disabled
firefox83 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

Bug 1667699 - Get function script after checking the function is inlinable. r?iain!
47 bytes, text/x-phabricator-request
Details | Review 
var z = [,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,];
"".replace();
function f (code) {
  Function(code.replace())();
}
f("");
f("");
f("");
f("");
f("");
f("");
f("");
f("");
f("");
f("");
f("");
f("");
f("relazifyFunctions();");
f("");

(gdb) bt
#0  JSFunction::nonLazyScript (this=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.h:463
#1  WarpScriptOracle::maybeInlineCallIC (this=0x7fffffffac80, snapshots=..., loc=..., stub=0x7ffff5f3f420, fallbackStub=0x7ffff5f3f0a0, 
    stubDataCopy=0x7ffff69ed328 "\200\003:\031\060\004") at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpOracle.cpp:957
#2  0x0000555557e6cb10 in WarpScriptOracle::maybeInlineIC (this=0x7fffffffac80, snapshots=..., loc=...)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpOracle.cpp:931
#3  0x0000555557e69bb3 in WarpScriptOracle::createScriptSnapshot (this=0x7fffffffac80) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpOracle.cpp:303
#4  0x0000555557e69469 in js::jit::WarpOracle::createSnapshot (this=0x7fffffffad20) at /home/skygentoo/trees/mozilla-central/js/src/jit/WarpOracle.cpp:141
#5  0x00005555580d9985 in js::jit::CreateWarpSnapshot (cx=0x7ffff6927000, mirGen=0x7ffff69ed210, script=...)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1606
#6  0x00005555580d93aa in js::jit::IonCompile (cx=0x7ffff6927000, script=..., baselineFrame=0x7fffffffb0f0, baselineFrameSize=80, osrPc=0x0, 
    recompile=false, optimizationLevel=js::jit::OptimizationLevel::Full) at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1703
#7  0x00005555580ccc7b in js::jit::Compile (cx=0x7ffff6927000, script=..., osrFrame=0x7fffffffb0f0, osrFrameSize=80, osrPc=0x0, forceRecompile=false)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:1973
#8  0x00005555580cd3b4 in BaselineCanEnterAtEntry (cx=0x7ffff6927000, script=..., frame=0x7fffffffb0f0, frameSize=80)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2101
#9  IonCompileScriptForBaseline (cx=0x7ffff6927000, frame=0x7fffffffb0f0, frameSize=<optimized out>, pc=<optimized out>)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/Ion.cpp:2227
#10 0x000015e96fa5f0e5 in ?? ()
#11 0xaaaaaaaaaaaaaaaa in ?? ()
#12 0x00007fffffffb0d0 in ?? ()
#13 0x0000555558d3ef30 in js::jit::vmFunctions ()
#14 0x000015e96fad37a3 in ?? ()
#15 0x0000000000005821 in ?? ()
#16 0x00007fffffffb0f0 in ?? ()
#17 0xaaaaaaaaaaaaaaaa in ?? ()
#18 0xaaaaaaaaaaaaaaaa in ?? ()
#19 0x0000000000000000 in ?? ()
(gdb)

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cfb6ef22174c
user:        Jan de Mooij
date:        Wed Sep 16 11:15:38 2020 +0000
summary:     Bug 1664786 part 4 - Set initial warm-up threshold for trial-inlined scripts. r=iain

Run with --fuzzing-safe --fast-warmup --warp --cpu-count=2 --ion-eager, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev cb8232ebe212.

Not sure if this is s-s. This testcase can be a little intermittent.

Flags: sec-bounty?
Flags: needinfo?(jdemooij)

The code in WarpOracle::maybeInlineCallIC:

  RootedFunction targetFunction(cx_, callData->target);
  RootedScript targetScript(cx_, targetFunction->nonLazyScript());
  ICScript* icScript = callData->icScript;
  if (!TrialInliner::canInline(targetFunction, script_)) {
    return false;
  }

Here TrialInliner::canInline ensures the function has a BaseScript, but the targetFunction->nonLazyScript() call happens before that, so we just need to change the order of these two lines.

This isn't security-sensitve: in non-debug builds targetScript could point to a SelfHostedLazyScript instead of a JSScript, but we don't use that value anywhere.

Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 1664786

status-firefox81: --- → unaffected
status-firefox82: --- → affected
status-firefox-esr78: --- → unaffected

AIUI warp is disabled in 82

status-firefox82: affecteddisabled
Severity: -- → S3
Priority: -- → P1
Group: core-security → javascript-core-security
Group: javascript-core-security
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ffc4085cd1ee Get function script after checking the function is inlinable. r=iain

https://hg.mozilla.org/mozilla-central/rev/ffc4085cd1ee

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox83: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

(In reply to Jan de Mooij [:jandem] from comment #1)

This isn't security-sensitve: in non-debug builds targetScript could point to a SelfHostedLazyScript instead of a JSScript, but we don't use that value anywhere.

Sounds like we can unhide this bug then, correct?

Flags: needinfo?(jdemooij)

Nevermind, apologies.

Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(jdemooij)
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: