Closed Bug 1761492 Opened 3 years ago Closed 3 years ago

Assertion failure: IsIonInlinableGetterOrSetterOp(op_), at js/src/jit/BaselineBailouts.cpp:775

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
100 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox98 --- unaffected
firefox99 --- unaffected
firefox100 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(3 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision 20220325-b94d53ba65d2 (debug build, run with --fuzzing-safe --no-threads --fast-warmup):

for (let v3 = 0; v3 < 100; v3++) {
  for (let v7 = 0; v7 < 100; v7++) {}  // warm-up loop so the outer loop tiers up to Ion
  try {
    Array.__proto__ = Array;           // cyclic prototype chain: throws TypeError every iteration
  } catch (v9) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555576dac3d in BaselineStackBuilder::fixUpCallerArgs(JS::MutableHandle<JS::StackGCVector<JS::Value, js::TempAllocPolicy> >, bool*) ()
#1  0x00005555576ddf66 in BaselineStackBuilder::buildOneFrame() ()
#2  0x00005555576d6959 in js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JSJitFrameIter const&, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) ()
#3  0x00005555576d7a27 in js::jit::ExceptionHandlerBailout(JSContext*, js::jit::InlineFrameIterator const&, js::jit::ResumeFromException*, js::jit::ExceptionBailoutInfo const&) ()
#4  0x0000555557a990cb in js::jit::HandleException(js::jit::ResumeFromException*) ()
#5  0x00000713a22e2a46 in ?? ()
#6  0x0000000000000000 in ?? ()
rax	0x55555575a066	93824994353254
rbx	0x7fffffffb101	140737488335105
rcx	0x5555581b18f8	93825038751992
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffaf90	140737488334736
rsp	0x7fffffffaf10	140737488334608
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffafd0	140737488334800
r13	0x7fffffffb148	140737488335176
r14	0x2	2
r15	0x555558122618	93825038165528
rip	0x5555576dac3d <BaselineStackBuilder::fixUpCallerArgs(JS::MutableHandle<JS::StackGCVector<JS::Value, js::TempAllocPolicy> >, bool*)+2461>
=> 0x5555576dac3d <_ZN20BaselineStackBuilder15fixUpCallerArgsEN2JS13MutableHandleINS0_13StackGCVectorINS0_5ValueEN2js15TempAllocPolicyEEEEEPb+2461>:	movl   $0x307,0x0
   0x5555576dac48 <_ZN20BaselineStackBuilder15fixUpCallerArgsEN2JS13MutableHandleINS0_13StackGCVectorINS0_5ValueEN2js15TempAllocPolicyEEEEEPb+2472>:	callq  0x555556b76557 <abort>

Marking s-s until triaged because this is a JIT-related assertion.

Attached file Testcase

Good find, silly bug.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Regressed by: 1760989

Set release status flags based on info from the regressing bug 1760989

When bailing out to catch an exception, the ResumeMode from the snapshot doesn't
make sense as we're resuming at the start of a catch-block.

Attachment #9269448 - Attachment is obsolete: true

When bailing out to catch an exception, the ResumeMode from the snapshot doesn't
make sense as we're resuming at the start of a catch-block.
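The property the fix restores is that a catch block entered by an exception bailout from Ion-compiled code sees the same frame state as the interpreter would. The following is an added example, not code from this bug or from SpiderMonkey: it mirrors the shape of the fuzzer testcase (a hot loop whose catch block is reached from JIT code, with the throw coming from a cyclic __proto__ assignment) and records what each catch block observes. The function and variable names are made up for the illustration.

```javascript
// Added example: not code from the bug report or from SpiderMonkey.
// It reproduces the shape of the fuzzer testcase (a hot loop whose catch
// block is entered from JIT-compiled code) and checks what the catch block
// observes, which is the frame state an exception bailout must preserve.

// Assigning an object as its own prototype creates a cycle, which the
// __proto__ setter rejects with a TypeError. This is what makes the
// testcase's `Array.__proto__ = Array` throw on every iteration.
function assignCyclicProto(target) {
  let checkpoint = 0;          // local state live across the try block
  try {
    checkpoint = 1;
    target.__proto__ = target; // throws TypeError (cyclic prototype chain)
    checkpoint = 2;            // not reached when the assignment throws
    return { outcome: "no-throw", checkpoint };
  } catch (e) {
    // If the engine resumed the catch block with stale or missing frame
    // state, `checkpoint` would not read back as 1 here.
    const outcome = e instanceof TypeError ? "TypeError" : "other";
    return { outcome, checkpoint };
  }
}

// Run the pattern hot enough to tier up (the original used 100 x 100
// iterations with --fast-warmup) and tally what every catch block saw.
function runHot(iterations) {
  const tally = { TypeError: 0, other: 0, "no-throw": 0, badCheckpoint: 0 };
  for (let i = 0; i < iterations; i++) {
    for (let j = 0; j < 100; j++) {} // inner warm-up loop, as in the testcase
    const r = assignCyclicProto(function Target() {});
    tally[r.outcome]++;
    if (r.checkpoint !== 1) tally.badCheckpoint++;
  }
  return tally;
}

// Stand-alone run; in the SpiderMonkey shell replace console.log with print.
if (typeof console !== "undefined") console.log(runHot(100));
```

On a correct engine every iteration reports a TypeError with checkpoint 1 and badCheckpoint stays 0; running the same script under the debug shell flags quoted in comment 0 (--fuzzing-safe --no-threads --fast-warmup) is how the bailout path is exercised rather than the interpreter alone.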

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220325214737-2b624fdb002e.
The bug appears to have been introduced in the following build range:

Start: 828695aa60978c32a4c60dc02b85be1937d118a5 (20220324094556)
End: 72c184ce05af4b5253604efdda866bd57ffef291 (20220324101416)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=828695aa60978c32a4c60dc02b85be1937d118a5&tochange=72c184ce05af4b5253604efdda866bd57ffef291

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch
Crash Signature: [@ js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220326213356-4c6ce96f7492.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Has Regression Range: --- → yes
Group: core-security-release
