Closed Bug 1696181 Opened 4 years ago Closed 4 years ago

Assertion failure: argc <= ArgumentsObject::MaxInlinedArgs, at jit/MIR.cpp:5446

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
88 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][sec-survey])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20210303-c45b1e6bcd01 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --fast-warmup --baseline-eager):

function b() {}
function c() {}
function d(arr) {
  for (x = 0; x < 100; ++x)
    for (e = 0; e < arr.length; ++e)
      (function() {
        arr[e].apply('a', arguments)
      })(1, 'g', 8, 9);
}
d([b, c]);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555579fa97f in js::jit::MCreateInlinedArgumentsObject::New(js::jit::TempAllocator&, js::jit::MDefinition*, js::jit::MDefinition*, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&) ()
#1  0x00005555578efd45 in js::jit::WarpBuilder::build_Arguments(js::BytecodeLocation) ()
#2  0x00005555578dd290 in js::jit::WarpBuilder::buildBody() ()
#3  0x00005555578f7225 in js::jit::WarpBuilder::buildInlinedCall(js::BytecodeLocation, js::jit::WarpInlinedCall const*, js::jit::CallInfo&) ()
#4  0x00005555578f61e5 in js::jit::WarpBuilder::buildCallOp(js::BytecodeLocation) ()
#5  0x00005555578dcafe in js::jit::WarpBuilder::buildBody() ()
#6  0x00005555578dc03d in js::jit::WarpBuilder::build() ()
#7  0x00005555578a4fee in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#8  0x00005555578a69eb in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#9  0x00005555578a7485 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#10 0x00005555578a7caa in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()

JIT assert, marking s-s until investigated.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210303132936-c7e489f5759a.
The bug appears to have been introduced in the following build range:

Start: 7b02a20485dfd5e062112aeba80e4a37d7f4aa31 (20210302190509)
End: e57fcca626d0729634a66aae71dea074fa8ae3fd (20210302190559)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7b02a20485dfd5e062112aeba80e4a37d7f4aa31&tochange=e57fcca626d0729634a66aae71dea074fa8ae3fd

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Flags: needinfo?(iireland)
Regressed by: 1688033
Has Regression Range: --- → yes

Guessing sec-high from the assertion. Please correct if wrong.

Keywords: sec-high

We should check argumentsHasVarBinding instead of needsArgsObj when checking the number of arguments in trial inlining, because needsArgsObj will change if the arguments optimization fails later. When we remove the old arguments optimization, needsArgsObj will be replaced by argumentsHasVarBinding everywhere.

Assignee: nobody → iireland
Status: NEW → ASSIGNED

Clarifying the division, where canInline enforces that it's safe/possible to inline, and shouldInline checks softer restrictions. shouldInline is only called when we do trial inlining; canInline is also called by WarpOracle.

Depends on D107125

I believe sec-high is reasonable; in a release build where we don't assert, it looks like we can assign the same register to several arguments, which can probably be turned into a type confusion.

Landing because this is a nightly-only regression with a known recent regressor.

Flags: needinfo?(iireland)

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210305085604-8f05e804fa6a.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(iireland)
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][sec-survey]
Flags: needinfo?(iireland)
Group: core-security-release