Closed Bug 1692857 Opened 4 years ago Closed 4 years ago

Assertion failure: !outerScript->hadSpeculativePhiBailout(), at jit/BaselineBailouts.cpp:1997

Categories

Product / Component: Core :: JavaScript Engine: JIT
Type: defect
Platform: x86_64 Linux

Tracking

Status: VERIFIED FIXED
Target Milestone: 87 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- unaffected
firefox86 --- wontfix
firefox87 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210214-0abd3454600d (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-warmup-threshold=0 --ion-warmup-threshold=1 --no-threads):

function testMathyFunction(f, inputs) {
  for (var j = 0; j < inputs.length; ++j)
    for (var k = 0; k < inputs.length; ++k)
      try {
        f(inputs[j], inputs[k])
      } catch (e) {}
}
mathy2 = (function(){
  var Float32ArrayView = new Float32Array(new ArrayBuffer(40));
  function f(i0,d1) {
    d1 = Float32ArrayView[0];
    switch(0) {
      case 2: break;
      default:
        // Out-of-range index: the typed array read yields undefined, not a float.
        d1 = Float32ArrayView[0 + i0];
    }
  }
  return f;
})();
// Number has no property M, so each Number.M below evaluates to undefined.
testMathyFunction(mathy2, [null,Number.M,Number.M,Number.M])

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555575d3c15 in js::jit::FinishBailoutToBaseline(js::jit::BaselineBailoutInfo*) ()
#0  0x00005555575d3c15 in js::jit::FinishBailoutToBaseline(js::jit::BaselineBailoutInfo*) ()
#1  0x000018d3fabdf1e7 in ?? ()
[...]
#17 0x0000000000000000 in ?? ()
rax	0x5555557d4159	93824994853209
rbx	0x2	2
rcx	0x555557fe4d68	93825036864872
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb100	140737488335104
rsp	0x7fffffffafa0	140737488334752
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0xffffb301	4294947585
r13	0x0	0
r14	0xa	10
r15	0x2	2
rip	0x5555575d3c15 <js::jit::FinishBailoutToBaseline(js::jit::BaselineBailoutInfo*)+5653>
=> 0x5555575d3c15 <_ZN2js3jit23FinishBailoutToBaselineEPNS0_19BaselineBailoutInfoE+5653>:	movl   $0x7cd,0x0
   0x5555575d3c20 <_ZN2js3jit23FinishBailoutToBaselineEPNS0_19BaselineBailoutInfoE+5664>:	callq  0x555556a7dcfc <abort>

Marking s-s until investigated due to JIT-related assertion.

Attached file Testcase

Jan, I am guessing this might be related to Array buffer changes?

Flags: needinfo?(jdemooij)

It's more likely from Iain's bailout changes.

Flags: needinfo?(jdemooij) → needinfo?(iireland)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210215093120-ffed7ebd405a.
The bug appears to have been introduced in the following build range:

Start: 69f91b43accc6a4d3d1a0cde0317b5ac9799878e (20201111004353)
End: 279eb8cf0dcd36d0b73ba1df2d1464387e30e383 (20201111012055)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=69f91b43accc6a4d3d1a0cde0317b5ac9799878e&tochange=279eb8cf0dcd36d0b73ba1df2d1464387e30e383

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Has Regression Range: --- → yes

This is another non-security-sensitive bailout loop detection assertion.

The problem occurs in guessPhiTypes, when we speculatively optimize a phi to use float32 values and insert a fallible unbox. If a LoadTypedArrayElementHole reads out-of-bounds, the unbox can fail. We give that unbox BailoutKind::SpeculativePhi, which currently only disables OSR phi speculation. The simplest fix is to also disable float32 phi specialization in that case.

We could also add a separate bailout kind to track these optimizations separately, but neither fails often enough outside of fuzz bugs to justify it. The number of flag bits available on the script is finite.

Group: javascript-core-security
Flags: needinfo?(iireland)

In guessPhiTypes, if we speculatively optimize a phi to use float32 values, we insert a fallible unbox with BailoutKind::SpeculativePhi, which can fail if a LoadTypedArrayElementHole reads out-of-bounds. SpeculativePhi bailouts currently only disable OSR phi speculation, so we can get caught in a bailout loop. The simplest fix is to also disable float32 phi specialization.

We could also add a separate bailout kind to track these optimizations separately, but neither fails often enough outside of fuzz bugs to justify it. The number of flag bits available on the script is finite.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
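The two comments above hinge on one observable fact: an out-of-range index on a Float32Array does not throw or clamp, it reads as undefined, which is exactly the value a phi speculated to carry float32 cannot unbox. The block below is an added example written for this page, not the reporter's testcase and not SpiderMonkey code; the names loadPhi, classify and probe and the constructed input list are mine. It mirrors the shape of the fuzzer's f and reports which inputs produce the "hole" value, generalising from the testcase's null/undefined pair to NaN, negative, non-integer and too-large indices.

```javascript
// Added example (not from the bug report): which indices turn a Float32Array
// load into the `undefined` "hole" that a float32-speculated phi cannot hold.
'use strict';

// Constructed input: 10 float32 slots (40 bytes), like the testcase's view.
const view = new Float32Array(new ArrayBuffer(40));
view[0] = 1.5;   // exactly representable in float32
view[3] = 0.25;  // exactly representable in float32

// Same control-flow shape as the fuzzer's f: at the end, d1 is a phi of two
// typed-array loads, and only the second depends on the caller's index.
function loadPhi(i0) {
  let d1 = view[0];
  switch (0) {
    case 2: break;
    default:
      d1 = view[0 + i0];   // `0 + i0` coerces null -> 0, undefined -> NaN
  }
  return d1;
}

// Describe what the merged value actually is for one index.
function classify(i0) {
  const v = loadPhi(i0);
  return typeof v === 'number' ? 'float32' : typeof v;  // 'undefined' on a miss
}

// Run the function many times, as a warmed-up JIT would see it, and collect the
// inputs whose load fell outside the array instead of producing a number.
function probe(inputs, iterations = 1000) {
  const misses = new Set();
  for (let n = 0; n < iterations; n++) {
    for (const i0 of inputs) {
      if (classify(i0) !== 'float32') misses.add(String(i0));
    }
  }
  return [...misses].sort();
}

// Constructed inputs. null and 0 stay in bounds; Number.M is undefined (Number
// has no property M) and becomes NaN; -1, 1.5 and 10 are not valid integer
// indices for a 10-element view, so each of them reads as undefined.
const constructedInputs = [null, 0, 3, Number.M, NaN, -1, 1.5, 10];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('in-bounds:', loadPhi(null), loadPhi(3));
  console.log('hole-producing indices:', probe(constructedInputs));
}
```

Every index listed by probe is one for which the JIT's fallible float32 unbox would fail after speculation; before the fix, each such failure only disabled OSR phi speculation, so recompiling re-specialised the phi and bailed out again until the loop-detection assertion in the title fired.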

Set release status flags based on info from the regressing bug 1673497

Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7ccf56d3e185 Disable float32 optimization when phi speculation fails r=jandem
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210218092411-d1b7430e5ebb.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon