Closed Bug 1741635 Opened 4 years ago Closed 4 years ago

Assertion failure: kind != BailoutKind::Unknown, at jit/shared/Lowering-shared.cpp:275

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
96 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- unaffected
firefox95 --- unaffected
firefox96 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20211117-3088b7d11351 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --fast-warmup --blinterp-warmup-threshold=10):

b = function() {}
function c(d,...e) {
  // i67 is never declared, so it becomes an implicit global loop counter
  for (i67 = 0; i67 < e.length; ++i67) 
    b(e[i67])
}
// warm up c with a non-empty rest array, then call it with an empty one
for (i68 = 0; i68 < 9; ++i68)
  c("", "");
c();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557806603 in js::jit::LIRGeneratorShared::assignSnapshot(js::jit::LInstruction*, js::jit::BailoutKind) ()
#1  0x0000555557afc280 in js::jit::LIRGenerator::visitAdd(js::jit::MAdd*) ()
#2  0x0000555557b3865c in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) ()
#3  0x0000555557b38f2f in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) ()
#4  0x0000555557b39375 in js::jit::LIRGenerator::generate() ()
#5  0x0000555557a73fa3 in js::jit::GenerateLIR(js::jit::MIRGenerator*) ()
#6  0x0000555557a75148 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x0000555557a7687c in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#8  0x0000555557a7747c in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#9  0x0000172a683f53d5 in ?? ()
[...]
#29 0x0000000000000000 in ?? ()
rax	0x5555558b3d2b	93824995769643
rbx	0x7ffff60cbd70	140737321418096
rcx	0x5555581ac7e0	93825038731232
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffff9bb0	140737488329648
rsp	0x7fffffff9ba0	140737488329632
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffff9cd8	140737488329944
r13	0x7ffff60c9598	140737321407896
r14	0x7fffffff9cd8	140737488329944
r15	0x7ffff4a02020	140737297522720
rip	0x555557806603 <js::jit::LIRGeneratorShared::assignSnapshot(js::jit::LInstruction*, js::jit::BailoutKind)+179>
=> 0x555557806603 <_ZN2js3jit18LIRGeneratorShared14assignSnapshotEPNS0_12LInstructionENS0_11BailoutKindE+179>:	movl   $0x113,0x0
   0x55555780660e <_ZN2js3jit18LIRGeneratorShared14assignSnapshotEPNS0_12LInstructionENS0_11BailoutKindE+190>:	callq  0x555556b5c24f <abort>

Marking s-s until investigated since this assert is JIT-related.

Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211117094929-3088b7d11351.
The bug appears to have been introduced in the following build range:

Start: f4d24947f75240a537c73b823acea93ef0ec391f (20211116112818)
End: 36117f21f92e9b781dae6cf688c4e53188ef82a1 (20211116122216)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f4d24947f75240a537c73b823acea93ef0ec391f&tochange=36117f21f92e9b781dae6cf688c4e53188ef82a1

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

André, Iain, it seems that Scalar Replacement patches might have some side effect on sub-script access of the rest object.

Blocks: 1700381
Severity: -- → S2
Flags: needinfo?(iireland)
Flags: needinfo?(andrebargull)
Priority: -- → P2
Regressed by: 1700398
Has Regression Range: --- → yes

Scalar replacement for rest-arrays adds an MAdd instruction with an unknown bailout kind. The MAdd isn't marked as infallible, so when we create a snapshot, we trigger that assertion. The MAdd instruction can't actually ever fail, so we can just change it to use TruncateKind::Truncate, which makes it infallible, so we won't create a snapshot. I don't think this issue is security-sensitive.

Flags: needinfo?(andrebargull)

I agree with anba's assessment. The only thing I'll add is that this made it through testing because in many cases range analysis will be able to determine that the MAdd can never overflow int32, which also prevents us from needing a snapshot. In this testcase, i67 is implicitly defined at global scope, so range analysis is conservative, exposing the bug.

Flags: needinfo?(iireland)
Group: javascript-core-security
Severity: S2 → S4
Assignee: nobody → iireland
Status: NEW → ASSIGNED
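The following is an added example, not part of the bug report or of the SpiderMonkey tree: a pair of variants of the reporter's testcase that a triager can run side by side to check the explanation above. The global-counter variant mirrors the original; the block-scoped variant is assumed (not confirmed by anything in this bug) to be the kind of loop where range analysis can bound the index. The shell flags quoted in the comments are the reporter's; under Node or any other engine the two variants are simply expected to observe the same rest-array elements, which is what the file checks.

```javascript
// Added example (not from the bug report or from SpiderMonkey): two variants of
// the reporter's testcase, for comparing a loop whose index Ion cannot bound
// with one it typically can. Observed behaviour on a pre-fix debug jsshell is
// taken from the report; everything else here is the example's own assumption.

// Declared with `var` so the file also loads under strict/module loaders. In a
// classic script this is still a property of the global object, like the
// reporter's undeclared `i67`, which is what keeps range analysis conservative.
var i67;

function makeLog() {
  const seen = [];
  return { sink: (v) => { seen.push(v); }, seen };
}

// Variant A, mirrors the original: global loop counter. The report says a
// debug shell before the fix, run with
//   --fuzzing-safe --ion-offthread-compile=off --fast-warmup --blinterp-warmup-threshold=10
// hits "Assertion failure: kind != BailoutKind::Unknown" on this shape.
function globalIndexVariant() {
  const { sink, seen } = makeLog();
  function c(d, ...e) {
    for (i67 = 0; i67 < e.length; ++i67) sink(e[i67]);
  }
  for (let k = 0; k < 9; ++k) c("", "a", "b"); // warm up with a non-empty rest array
  c();                                          // then an empty one (e.length === 0)
  return seen;
}

// Variant B: block-scoped counter bounded by e.length. Assumption for this
// example: this is the common case iain describes, where range analysis can
// show the index add never overflows int32, so no snapshot is requested.
function localIndexVariant() {
  const { sink, seen } = makeLog();
  function c(d, ...e) {
    for (let i = 0; i < e.length; ++i) sink(e[i]);
  }
  for (let k = 0; k < 9; ++k) c("", "a", "b");
  c();
  return seen;
}

// Both variants must observe the same elements: 9 warm-up calls x 2 rest args,
// and nothing from the final call with an empty rest array.
function variantsAgree() {
  const a = JSON.stringify(globalIndexVariant());
  const b = JSON.stringify(localIndexVariant());
  return a === b && globalIndexVariant().length === 18;
}
```

Running this under a plain engine only confirms the two shapes are semantically equivalent; the interesting comparison is in a debug jsshell built at the regressing revision, where variant A is the one expected to assert.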

Set release status flags based on info from the regressing bug 1700398

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211119041143-f3f6b5125ed7.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon