Closed Bug 1676639 Opened 4 years ago Closed 3 years ago

Assertion failure: !JitOptions.warpBuilder, at jit/shared/Lowering-shared.cpp:259

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
85 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox83 --- unaffected
firefox84 --- verified
firefox85 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect][bugmon:bisected,confirmed][fuzzblocker])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20201111-68867f327c62 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --fast-warmup):

function testMathyFunction(f, inputs) {
    var results = [];
    for (var j = 0; j < inputs.length; ++j) {
        for (var k = 0; k < inputs.length; ++k) {
            results.push(f(inputs[j], inputs[k]));
        }
    }
}
mathy0 = (function(x, y) {
    return (Math.atanh(x <= (2 ** 53) === Math.fround(0 >>> 0) | 0) != (Math.tanh(Math.max) >>> 0));
});
testMathyFunction(mathy0, [, 0, 0 / 0, -1 / 0, -0x080000000, Number.MAX_SAFE_INTEGER]);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555557703581 in js::jit::LIRGeneratorShared::assignSnapshot(js::jit::LInstruction*, js::jit::BailoutKind) ()
#0  0x0000555557703581 in js::jit::LIRGeneratorShared::assignSnapshot(js::jit::LInstruction*, js::jit::BailoutKind) ()
#1  0x0000555557a8858b in js::jit::LIRGenerator::visitToNumberInt32(js::jit::MToNumberInt32*) ()
#2  0x0000555557abc56c in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) ()
#3  0x0000555557abceff in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) ()
#4  0x0000555557abd315 in js::jit::LIRGenerator::generate() ()
#5  0x0000555557934c5e in js::jit::GenerateLIR(js::jit::MIRGenerator*) ()
#6  0x0000555557935d65 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x000055555793d486 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#8  0x00005555579371a4 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#9  0x00005555579379b7 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*) ()
#10 0x00003ebc69abc0e5 in ?? ()
#11 0x0000000000000000 in ?? ()
rip	0x555557703581 <js::jit::LIRGeneratorShared::assignSnapshot(js::jit::LInstruction*, js::jit::BailoutKind)+193>
=> 0x555557703581 <_ZN2js3jit18LIRGeneratorShared14assignSnapshotEPNS0_12LInstructionENS0_11BailoutKindE+193>:	movl   $0x103,0x0
   0x55555770358c <_ZN2js3jit18LIRGeneratorShared14assignSnapshotEPNS0_12LInstructionENS0_11BailoutKindE+204>:	callq  0x555556ac2316 <abort>

For detailed crash information, see attachment.

Marked s-s until investigated.

Attached file Testcase

Attached file Testcase for comment 3 (obsolete)

Likely from the bailout changes.

Flags: needinfo?(iireland)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201111095506-68867f327c62.
The bug appears to have been introduced in the following build range:

Start: 8d1e363aa14acf66d3d0b67ae45a627e0c770cb7 (20201111012346)
End: 6c51def942690aa7f708acbed22800abf5b4f784 (20201111013444)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8d1e363aa14acf66d3d0b67ae45a627e0c770cb7&tochange=6c51def942690aa7f708acbed22800abf5b4f784

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][bugmon:bisected,confirmed]
Regressed by: 1673497
Has Regression Range: --- → yes

I confirm that this is caused by the bailout code.

This is not a security bug. This is a newly-added diagnostic assertion, to find cases where we generate a bailout for a node that has not been assigned a specific bailout kind. In non-debug builds, we will assign a generic bailout kind and everything will work fine.

The bug here is that BoxInputsPolicy creates an infallible MToDouble node to box a float32 value. The MToDouble has BailoutKind::Unknown, which is reasonable because it can't bail out. It is eventually folded to a constant, then RangeAnalysis wraps the constant in an MToNumberInt32. The unknown bailout kind is propagated through to the MToNumberInt32, which asserts when we try to lower it to LDoubleToInt32.

This is all very silly, given that the value in question is a constant 0.

Flags: needinfo?(iireland)
Group: javascript-core-security

Moving this from being a defect to a task as per comment 7; this is some diagnostic assertion.
However, we should make sure this diagnostic assertion does not turn into a fuzz-blocker.

Severity: -- → N/A
Type: defect → task
Priority: -- → P3
Type: task → defect

The severity field is not set for this bug.
:sdetar, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sdetar)
Severity: N/A → S4
Flags: needinfo?(sdetar)

This issue is being hit very frequently by jsfunfuzz; it would be good to get this fixed soon.

Flags: needinfo?(iireland)
Whiteboard: [jsbugmon:update,bisect][bugmon:bisected,confirmed] → [jsbugmon:update,bisect][bugmon:bisected,confirmed][fuzzblocker]

This fixes a fuzz bug where BoxInputsPolicy creates an infallible MToDouble node (with BailoutKind::Unknown, because it's infallible), then range analysis eagerly truncates it, creating an MToNumberInt32 with unknown bailout kind. The fix is to create a new bailout kind for eager truncation and have range analysis set it where appropriate.

(We were talking about doing this earlier, but I held off because I don't understand the truncation code well and I was a bit concerned that it might cause performance regressions. Fortunately, the performance looks good on try: https://treeherder.mozilla.org/perfherder/compare?originalProject=mozilla-central&newProject=try&newRevision=36e971cbb226366c5b8df7ad37b445e692258e46&framework=10&selectedTimeRange=604800.)

Assignee: nobody → iireland
Status: NEW → ASSIGNED
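The failure path described in the two comments above (an infallible MToDouble with BailoutKind::Unknown, eagerly truncated by range analysis into a fallible MToNumberInt32 that inherits the unknown kind, then rejected at lowering) and the shape of the fix (a dedicated EagerTruncation kind) as a small stand-alone model. This is an added illustration, not SpiderMonkey code: the MNode struct and the function names are hypothetical, and only the node names and bailout-kind names come from the bug.

```cpp
// Illustrative model (not SpiderMonkey code) of how an Unknown bailout kind
// leaks from an infallible node into a fallible one, and how a dedicated
// BailoutKind for eager truncation prevents it.
#include <string>

enum class BailoutKind { Unknown, EagerTruncation /* added by the fix */ };

struct MNode {
    std::string op;          // e.g. "MToDouble", "MToNumberInt32"
    bool fallible;           // can this node bail out at runtime?
    BailoutKind bailoutKind; // Unknown is acceptable only for infallible nodes
};

// BoxInputsPolicy: box a float32 operand as a double. The conversion cannot
// fail, so the node legitimately carries BailoutKind::Unknown.
MNode boxInputAsDouble() {
    return MNode{"MToDouble", false, BailoutKind::Unknown};
}

// Range analysis eagerly truncates a double producer to int32. The new node
// IS fallible (the double may not be representable as int32). The buggy
// version inherits the producer's kind, so Unknown leaks through; the fixed
// version names the reason for the potential bailout.
MNode eagerTruncate(const MNode& producer, bool withFix) {
    BailoutKind kind = withFix ? BailoutKind::EagerTruncation
                               : producer.bailoutKind;
    return MNode{"MToNumberInt32", true, kind};
}

// Lowering check modelled on LIRGeneratorShared::assignSnapshot: a fallible
// node must carry a specific bailout kind. The real debug build asserts;
// this model reports the violation as a false return instead of aborting.
bool lowerAssignSnapshot(const MNode& node) {
    if (node.fallible && node.bailoutKind == BailoutKind::Unknown) {
        return false;  // corresponds to the assertion in Lowering-shared.cpp
    }
    return true;
}

// The whole pipeline from the bug: box -> eagerly truncate -> lower.
// Returns whether lowering succeeds with or without the fix applied.
bool pipelineLowers(bool withFix) {
    MNode boxed = boxInputAsDouble();
    MNode truncated = eagerTruncate(boxed, withFix);
    return lowerAssignSnapshot(truncated);
}
```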

decoder: This should fix the problem in the attached testcase. If the fuzzer still hits this assertion post-patch, it's probably a separate bug.

Flags: needinfo?(iireland)
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7fbcdc47728f
Add BailoutKind::EagerTruncation r=jandem
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201209034903-b4cd29abb74a.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Regressions: 1683535