Closed Bug 1697483 Opened 3 years ago Closed 3 years ago

Assertion failure: src != dest, at jit/x64/MacroAssembler-x64.cpp:433

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
88 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210309-5f0f6477c734 (debug build, run with --fuzzing-safe --no-threads --scalar-replace-arguments --fast-warmup --ion-gvn=off --ion-regalloc=testbed):

function main() {
  let v13 = [13.37,13.37];
  let v15 = [1337,1337,1337];
  let v38 = v13.reduce(Object,v15);
  let v44 = new Promise(Object);
  for (let v49 = 0; v49 < 7; v49++) {
    each = main;
    v57 = each()
  }
  for (let v68 = 0; v68 < 100; v68++) {}
}
main();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555765c6f8 in js::jit::MacroAssemblerX64::boxValue(JSValueType, js::jit::Register, js::jit::Register) ()
#1  0x00005555576474d8 in js::jit::MacroAssembler::moveValue(js::jit::TypedOrValueRegister const&, js::jit::ValueOperand const&) ()
#2  0x000055555781945f in js::jit::CodeGenerator::visitGetInlinedArgument(js::jit::LGetInlinedArgument*) ()
#3  0x0000555557811961 in js::jit::CodeGenerator::generateBody() ()
#4  0x0000555557853594 in js::jit::CodeGenerator::generate() ()
#5  0x0000555557888c71 in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) ()
#6  0x0000555557888ed8 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x000055555788a79e in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#8  0x000055555788b317 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#9  0x0000146c5ac79715 in ?? ()
[...]
#27 0x0000000000000000 in ?? ()
rax	0x55555587b5f9	93824995538425
rbx	0x0	0
rcx	0x555557fd7ff8	93825036812280
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffff9df0	140737488330224
rsp	0x7fffffff9d80	140737488330112
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7fffffff9eb0	140737488330416
r13	0x7ffff60db380	140737321481088
r14	0x7fffffff9ea8	140737488330408
r15	0x0	0
rip	0x55555765c6f8 <js::jit::MacroAssemblerX64::boxValue(JSValueType, js::jit::Register, js::jit::Register)+552>
=> 0x55555765c6f8 <_ZN2js3jit17MacroAssemblerX648boxValueE11JSValueTypeNS0_8RegisterES3_+552>:	movl   $0x1b1,0x0
   0x55555765c703 <_ZN2js3jit17MacroAssemblerX648boxValueE11JSValueTypeNS0_8RegisterES3_+563>:	callq  0x555556a7cc1c <abort>

This only reproduces with --scalar-replace-arguments but there is no arguments in the test, so it isn't clear if this is really related to that new functionality or an older bug that we just accidentally uncovered. Marking s-s and affected until triaged by :iain.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210310093927-056c2a428e2d.
The bug appears to have been introduced in the following build range:

Start: 7a4eff3b0038695935a0e530ad5762a6788932b5 (20210304234219)
End: b483df09813b5065b407d0657ba921b98a40a40c (20210304235007)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7a4eff3b0038695935a0e530ad5762a6788932b5&tochange=b483df09813b5065b407d0657ba921b98a40a40c

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Not s-s. visitGetInlinedArgument is --scalar-replace-arguments-only. arguments doesn't show up in the source of this testcase, but it's used in self-hosted code.

I'll take a look.

Group: javascript-core-security

The problem is that we call moveValue with a TypedRegister argument where src and dest are the same, which we don't currently support in boxValue on X64 (see here).

The testcase tries to encourage the result of the GetInlinedArgument to be assigned to the same physical register as one of the arguments by tying up as many registers as possible with live values. It fails on x64 without the patch.
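To make the aliasing hazard behind the assertion concrete, here is an added C model of the two-instruction box sequence (write the shifted tag into dest, then OR the payload register in). This is example code written for this page, not SpiderMonkey's boxValue or anything attached to the bug; the tag layout and the 1337 payload are constructed, and the "alias-safe" variant only illustrates the ordering constraint. As the commit title on this bug says, the actual fix was on the register-allocation side for GetInlinedArgument, i.e. keeping src and dest distinct, not changing boxValue.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed NaN-boxing layout for this example only (not SpiderMonkey's
 * actual constants): a 64-bit boxed value carries a type tag in its top 17 bits
 * and a 47-bit payload below it. An int32 payload lives in the low 32 bits. */
#define TAG_SHIFT         47
#define PAYLOAD_MASK      ((((uint64_t)1) << TAG_SHIFT) - 1)
#define SHIFTED_TAG_INT32 (((uint64_t)0x1FFF1) << TAG_SHIFT)

/* Models the sequence the assertion in this bug guards:
 *   mov  ImmShiftedTag(tag), dest
 *   orq  src, dest
 * The tag is written into dest before src is read, so if the register allocator
 * assigns the same physical register to src and dest, the payload is overwritten
 * by the tag and then OR'ed with itself. Returns false instead of asserting when
 * the precondition src != dest is violated. */
static bool box_value(uint64_t shifted_tag, const uint64_t *src, uint64_t *dest) {
  if (src == dest) {
    return false;        /* the MOZ_ASSERT(src != dest) case */
  }
  *dest = shifted_tag;   /* mov tag, dest  (clobbers dest) */
  *dest |= *src;         /* orq src, dest  (reads src)     */
  return true;
}

/* The unchecked sequence with src and dest aliased: shown only to make the
 * payload corruption visible, this is not how the bug was fixed. */
static uint64_t box_value_unchecked_aliased(uint64_t shifted_tag, uint64_t *reg) {
  *reg = shifted_tag;    /* payload gone at this point */
  *reg |= *reg;          /* OR of the tag with itself */
  return *reg;
}

/* Alias-tolerant ordering: read the payload before the tag is written. On the
 * real backend the allocator is expected to keep the registers distinct, so this
 * is an illustration of the ordering constraint, not the actual fix. */
static void box_value_alias_safe(uint64_t shifted_tag, const uint64_t *src, uint64_t *dest) {
  uint64_t payload = *src & PAYLOAD_MASK;  /* read src first */
  *dest = shifted_tag | payload;
}

static uint32_t payload_int32(uint64_t boxed) { return (uint32_t)(boxed & 0xFFFFFFFFu); }
static uint64_t tag_of(uint64_t boxed) { return boxed & ~PAYLOAD_MASK; }

/* Each helper models one physical "register" holding the payload. */
uint64_t box_distinct_regs(uint32_t payload) {
  uint64_t src = payload, dest = 0;
  (void)box_value(SHIFTED_TAG_INT32, &src, &dest);
  return dest;
}
bool box_same_reg_rejected(uint32_t payload) {
  uint64_t reg = payload;
  return !box_value(SHIFTED_TAG_INT32, &reg, &reg);
}
uint64_t box_same_reg_unchecked(uint32_t payload) {
  uint64_t reg = payload;
  return box_value_unchecked_aliased(SHIFTED_TAG_INT32, &reg);
}
uint64_t box_same_reg_alias_safe(uint32_t payload) {
  uint64_t reg = payload;
  box_value_alias_safe(SHIFTED_TAG_INT32, &reg, &reg);
  return reg;
}

int main(void) {
  uint32_t v = 1337;  /* constructed payload */
  printf("distinct regs        : payload %u\n", payload_int32(box_distinct_regs(v)));
  printf("same reg, unchecked  : payload %u (tag kept, payload lost)\n",
         payload_int32(box_same_reg_unchecked(v)));
  printf("same reg, checked    : rejected=%d\n", box_same_reg_rejected(v));
  printf("same reg, alias-safe : payload %u\n", payload_int32(box_same_reg_alias_safe(v)));
  return 0;
}
```

The unchecked aliased path keeps the tag but yields a payload of 0, which is exactly the silent corruption a debug assertion like the one in this bug exists to catch before an optimized build turns it into a wrong value in JIT code.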

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2ea5fbf42766
Fix GetInlinedArgument regalloc on x64 r=jandem
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210312153235-8fdbcaa80217.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Regressed by: 1688033
Has Regression Range: --- → yes
