Closed Bug 1681597 Opened 3 years ago Closed 3 years ago

Assertion failure: !outerScript->hadEagerTruncationBailout(), at jit/BaselineBailouts.cpp:2029

Categories

(Core :: JavaScript Engine: JIT, enhancement, P3)

Tracking

RESOLVED FIXED
86 Branch
Tracking Status
firefox85 --- wontfix
firefox86 --- fixed

People

(Reporter: gkw, Assigned: iain)

Details

(Keywords: testcase)

Attachments

(1 file)

function f(x) {
    (function () {
        (1 == (x & 0) * 1.1) + x;
    })();
}
let y = [,,,2147483648,0,0];
for (let i = 0; i < 6; i++) {
    f(y[i]);
    f(y[i]);
    f(y[i]);
    f(y[i]);
    f(y[i]);
    f(y[i]);
    f(y[i]);
    f(y[i]);
    f(y[i]);
}
Assertion failure: !outerScript->hadEagerTruncationBailout(), at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineBailouts.cpp:2029

Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
js::jit::FinishBailoutToBaseline (bailoutInfoArg=0x0) at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineBailouts.cpp:2029
2029	    case BailoutKind::NonInt32ArrayLength:
(gdb) bt
#0  js::jit::FinishBailoutToBaseline (bailoutInfoArg=0x0) at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineBailouts.cpp:2029
#1  0x00002912f8aa11e7 in ?? ()
#2  0xf3000000a024947f in ?? ()
#3  0x00007fffffffb3a8 in ?? ()
#4  0x0000d024ac7f0f44 in ?? ()
#5  0x00002912f8acc0da in ?? ()
#6  0x00007fffffffb418 in ?? ()
#7  0x00000000000000ff in ?? ()
#8  0x00002912f8acc0da in ?? ()
#9  0x0000000000005021 in ?? ()
#10 0x000006d79ef9a0b0 in ?? ()
#11 0x00007ffff66e6531 in ?? ()
#12 0x00007ffff635d7e0 in ?? ()
#13 0x00002ab4059021e0 in ?? ()
#14 0x00007ffff635d7c0 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)

Bisecting now...

Run with --fuzzing-safe --no-threads --fast-warmup, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev b4cd29abb74a.

Not sure if this is s-s yet.

Flags: sec-bounty?
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6c51def94269
user:        Iain Ireland
date:        Wed Nov 11 00:31:06 2020 +0000
summary:     Bug 1673497: Part 13: Initialize snapshot bailout kind from MIR while lowering r=jandem

Iain/Jan, any thoughts?

Flags: needinfo?(iireland)
Regressed by: 1673497
Group: core-security → javascript-core-security

Not a security issue. Part of a set of new assertions we've added to help eliminate bailout loops. Thanks for finding it, though!

(The bisection is wrong, by the way. I just landed this assertion yesterday.)

Group: javascript-core-security
Flags: needinfo?(iireland)
No longer regressed by: 1673497

Fwiw, we found the same crash this morning (found by jsfunfuzz).

Flags: sec-bounty?

(In reply to Iain Ireland [:iain] from comment #2)

Not a security issue. Part of a set of new assertions we've added to help eliminate bailout loops. Thanks for finding it, though!

This is not the first time I have seen this reply; maybe we should annotate the MOZ_ASSERT with a reason payload which explains that this issue is not a security issue but wishful thinking about something which we hope to make fade away.

Severity: -- → N/A
Type: defect → enhancement
Priority: -- → P3

There was a mismatch where the bailout code set the hadEagerTruncationBailout flag on the outer script, but RangeAnalysis looked at the inlined script.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
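The "truncation" in the assertion name refers to the JIT computing an operation in int32 instead of double when its result only flows into truncating consumers, as `x & 0` does in the testcase from comment 0. The following is an added example, not code from the bug report or from SpiderMonkey: it spells out ECMAScript ToInt32 as a reference implementation and checks, over the testcase inputs plus a few constructed boundary values, that the explicitly truncated form of the inner function's body observes exactly the same results as the plain JavaScript form. That equivalence is the invariant an optimization such as eager truncation must preserve; the function names and the extra inputs are this example's own.

```javascript
// Added example (not from the bug report or SpiderMonkey). Reference
// implementation of ECMAScript ToInt32: truncate toward zero, reduce
// modulo 2^32, then map the range [2^31, 2^32) onto negative values.
function toInt32(v) {
  const n = Number(v);
  if (!Number.isFinite(n) || n === 0) return 0;   // NaN, +/-Infinity, +/-0 -> 0
  const int = Math.trunc(n);
  const mod = ((int % 2 ** 32) + 2 ** 32) % 2 ** 32; // non-negative residue mod 2^32
  return mod >= 2 ** 31 ? mod - 2 ** 32 : mod;
}

// The body of the inner function from the testcase, written out verbatim.
function testcaseBody(x) {
  return (1 == (x & 0) * 1.1) + x;
}

// The same computation with the int32 truncation of `x` made explicit.
// Only the low 32 bits of `x` can influence `x & 0`, so truncating first
// must not change what the expression observes.
function testcaseBodyExplicit(x) {
  const truncated = toInt32(x) & 0;   // truncating context: always 0
  const product = truncated * 1.1;    // double multiply of an int32 result
  return (1 == product) + x;          // comparison feeds the untruncated `x`
}

// Constructed inputs: the testcase array `[,,,2147483648,0,0]` (holes read
// as undefined) plus boundary values around the int32 range.
const inputs = [
  undefined, undefined, undefined, 2147483648, 0, 0,
  -1, 2 ** 32 + 5, 1.9, -1.9, NaN, Infinity,
];

// Compare both forms input by input; Object.is so that NaN equals NaN.
function checkAll() {
  return inputs.map((x) => {
    const ref = testcaseBody(x);
    const explicit = testcaseBodyExplicit(x);
    return { x, ref, explicit, agree: Object.is(ref, explicit) };
  });
}

// Sanity check that the reference ToInt32 matches the engine's `| 0`.
function matchesEngine() {
  return inputs.every((x) => toInt32(x) === (x | 0));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(checkAll());
  console.log('toInt32 matches `| 0`:', matchesEngine());
}
```

The value 2147483648 chosen by the fuzzer is 2^31, the first integer that no longer fits in an int32; `toInt32(2147483648)` wraps to -2147483648, which is exactly the kind of boundary where an int32 fast path and the double semantics it replaces can disagree if the truncation decision and the bailout bookkeeping are not kept on the same script.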
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/87b146018b53
Disable eager truncation based on outer script r=jandem
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch