Closed Bug 1762769 Opened 2 years ago Closed 2 years ago

Assertion failure: graph().osrBlock(), at js/src/jit/WarpBuilder.cpp:298 or Assertion failure: osrEntryOffset_.isSome(), at jit/shared/CodeGenerator-shared.h:126 or Crash [@ js::jit::CodeGenerator::link]

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
101 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox99 --- unaffected
firefox100 --- fixed
firefox101 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Crash Data

Attachments

(3 files)

Detailed Crash Information
1.38 KB, text/plain
Details
Testcase
62 bytes, text/plain
Details
Bug 1762769: Don't mark ops only reachable via retsub as normally reachable r=jandem
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
Details | Review

The following testcase crashes on mozilla-central revision 20220403-b9165a6769de (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

try {
  try {} finally {
    throw a;
  }
} catch {}
for (;;);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557769a09 in js::jit::WarpBuilder::build() ()
#1  0x0000555557a5ba7e in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#2  0x0000555557a5d1bc in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#3  0x0000555557a5dc48 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#4  0x0000555557a5e37a in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#5  0x00002873171f2dd7 in ?? ()
#6  0x0000000000000000 in ?? ()
rax	0x555555842841	93824995305537
rbx	0x7fffffffb620	140737488336416
rcx	0x5555581b3898	93825038760088
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb600	140737488336384
rsp	0x7fffffffb5f0	140737488336368
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff4ead178	140737302417784
r13	0x7ffff4ead2f8	140737302418168
r14	0x7ffff4ead2f8	140737302418168
r15	0x7fffffffb998	140737488337304
rip	0x555557769a09 <js::jit::WarpBuilder::build()+265>
=> 0x555557769a09 <_ZN2js3jit11WarpBuilder5buildEv+265>:	movl   $0x12a,0x0
   0x555557769a14 <_ZN2js3jit11WarpBuilder5buildEv+276>:	callq  0x555556b76777 <abort>

S-s until triaged because this is a JIT assert.

Attached file Testcase 

    
  
Crash Signature: [@ js::jit::CodeGenerator::link]
Summary: Assertion failure: graph().osrBlock(), at js/src/jit/WarpBuilder.cpp:298 → Assertion failure: graph().osrBlock(), at js/src/jit/WarpBuilder.cpp:298 or Assertion failure: osrEntryOffset_.isSome(), at jit/shared/CodeGenerator-shared.h:126 or Crash [@ js::jit::CodeGenerator::link]

    
  
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect[fuzzblocker]

    
    

    
  
Bugmon Analysis

Verified bug as reproducible on mozilla-central 20220403215202-2d8724cbbddd.

The bug appears to have been introduced in the following build range:




Start: 60080026a143c4f4515557c1704b0b3775607001 (20220330234750)

End: 3358bc3f9c0891fd1e14c7b9903085be32818646 (20220330235837)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=60080026a143c4f4515557c1704b0b3775607001&tochange=3358bc3f9c0891fd1e14c7b9903085be32818646




Whiteboard: [bugmon:update,bisect[fuzzblocker] → [bugmon:update,bisect[fuzzblocker,bisected,confirmed]

    
    

    
  
We try to trigger OSR for the infinite loop, but Warp must think the loop is unreachable and doesn't add the OSR block.


(The CodeGenerator release assertion probably saves us here, security-wise..)


Flags: needinfo?(iireland)
Regressed by: 885514
Has Regression Range: --- → yes

    
    

    
  
Yeah, the problem here is that BytecodeAnalysis assumes that if a JSOp::ResumeIndex (which pushes the resume address for a finally) is normally reachable, then so is that resume address. This is false if the finally block unconditionally throws, because we won't reach the end of the finally block.


I'll have to think a bit about the best way to fix this.


Flags: needinfo?(iireland)
Severity: -- → S4
Priority: -- → P2

    
    

    
  
Going to tag this sec-moderate for now because of the uncertainty that the release assert "probably" saves us


Keywords: sec-moderate
Whiteboard: [bugmon:update,bisect[fuzzblocker,bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]
Assignee: nobody → iireland
Status: NEW → ASSIGNED

    
    

    
  
Don't mark ops only reachable via retsub as normally reachable r=jandem

https://hg.mozilla.org/integration/autoland/rev/0ba054ab33393a437711d2746a2111206b08e0db

https://hg.mozilla.org/mozilla-central/rev/0ba054ab3339


Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago

          status-firefox101:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

    
    

    
  
Bugmon Analysis

Verified bug as fixed on rev mozilla-central 20220412035701-0bcad14b3c3a.

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox101:
          fixedverified
Keywords: bugmon

    
    

    
  
The patch also fixes another assertion found via fuzzing: Assertion failure: !returns.empty(), at js/src/jit/WarpBuilder.cpp:3401

There the sample, just in case you're interested:


function v5() {
    try {
        if (v4) {
            throw RegExp;
        } else {
            try {
            } finally {
                throw 1;
            }
        }
    } catch(v8) {
    }
}

function main() {
    for (let v4 = 0; v4 < 40; v4++) {
        const v9 = v5();
    }
}
main();



invoked as: obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing



    
    

    
  
The patch landed in nightly and beta is affected.

:iain, is this bug important enough to require an uplift?

If not please set status_beta to wontfix.


For more information, please visit auto_nag documentation.


Flags: needinfo?(iireland)

    
    

    
  
Comment on attachment 9271163 [details]

Bug 1762769: Don't mark ops only reachable via retsub as normally reachable r=jandem


Beta/Release Uplift Approval Request


    

  • User impact if declined: Easily triggered crashes from JS
    • 

  • Is this code covered by automated tests?: Yes
    • 

  • Has the fix been verified in Nightly?: Yes
    • 

  • Needs manual test from QE?: Yes
    • 

  • If yes, steps to reproduce:
    • 

  • List of other uplifts needed: None
    • 

  • Risk to taking this patch: Low
    • 

  • Why is the change risky/not risky? (and alternatives if risky): This is a well-understood one-line fix to a recently introduced bug.
    • 



Crash stats isn't showing any crashes in the wild yet, so it might also be reasonable to let this ride the trains.


    

  • String changes made/needed:
    • 



Flags: needinfo?(iireland)

        Attachment #9271163 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 9271163 [details]

Bug 1762769: Don't mark ops only reachable via retsub as normally reachable r=jandem


Approved for 100.0b7



        Attachment #9271163 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: