Assertion failure: (asBits_ & js::gc::CellAlignMask) == 0 (GC pointer is not aligned. Is this memory corruption?), at js/Value.h:587
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox86 | --- | unaffected |
firefox87 | --- | unaffected |
firefox88 | --- | fixed |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210309-5f0f6477c734 (debug build, run with --fuzzing-safe --no-threads --baseline-eager --fast-warmup --ion-gvn=off --scalar-replace-arguments):
function a(b) {
return String(b);
}
function c(d, e = []) {
f = new Proxy(d, {
get(g, b) {
k = e.concat(a(b));
h = d;
c(h).apply;
}
})
return f;
}
[] = c([]);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x584c71dc in js::jit::AssertValidValue(JSContext*, JS::Value*) ()
#0 0x584c71dc in js::jit::AssertValidValue(JSContext*, JS::Value*) ()
#1 0x31b15143 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax 0x56763cae 1450589358
ebx 0x58ec0fa4 1491865508
ecx 0x58ec2894 1491871892
edx 0x0 0
esi 0xfffed9e8 -75288
edi 0xfffeda24 -75228
ebp 0xfffeda08 4294892040
esp 0xfffed9e0 4294892000
eip 0x584c71dc <js::jit::AssertValidValue(JSContext*, JS::Value*)+236>
=> 0x584c71dc <_ZN2js3jit16AssertValidValueEP9JSContextPN2JS5ValueE+236>: movl $0x24b,0x0
0x584c71e6 <_ZN2js3jit16AssertValidValueEP9JSContextPN2JS5ValueE+246>: call 0x5799e16f <abort>
Not s-s because this feature is still disabled by default. Reproduces on 32-bit builds only.
Reporter | ||
Comment 1•3 years ago
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210311093001-bd8121e747b5.
The bug appears to have been introduced in the following build range:
Start: b332567cbbcaa6e2b70bfe5449410e9cfb8b838f (20210309094921)
End: 5f0f6477c734369a72fec1211b608eb14d33bd4a (20210309161138)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b332567cbbcaa6e2b70bfe5449410e9cfb8b838f&tochange=5f0f6477c734369a72fec1211b608eb14d33bd4a
Assignee | ||
Comment 3•3 years ago
|
||
This is very similar to bug 1697483, in that it happens because we are reusing the source of a moveValue as part of the destination. I glanced at the 32-bit code when I fixed that, but missed this problem.
We should not set the tag register until after we copy the src into the payloadReg, because that breaks when src and typeReg are assigned the same register. Swapping the order fixes the problem.
I fixed MIPS while I was at it. ARM64 doesn't need a fix, because it can set the tag without a scratch register.
I'm not adding a new testcase here, because I already gave it my best shot in bug 1697483 and it doesn't catch this problem. Specific register allocation patterns are hard to test. It does seem like the fuzzer catches these cases quickly, though.
Updated•3 years ago
|
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6b87ba86385f Fix moveValue when src == typeReg r=jandem
Comment 5•3 years ago
|
||
bugherder |
Comment 6•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210312215843-658f0e3e5bcc.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Updated•3 years ago
|
Updated•3 years ago
|
Description
•