Assertion failure: count.as<int32_t>() > 0, at jit/CodeGenerator.cpp:11916
Categories: Core :: JavaScript Engine: JIT, defect, P1
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug, Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][adv-main104+r]
Attachments: 4 files
The following testcase crashes on mozilla-central revision 20220604-490469b53dbe (debug build, run with --fuzzing-safe --no-threads --fast-warmup --ion-inlining=off):
name = re;                      // `var re` is hoisted but not yet initialized, so name becomes undefined
var re = {};
function inner() {
  // end = name & 1 = undefined & 1 = 0, so start (1) > end (0): the slice count is 0
  // even though inner() was called with three actual arguments
  return Array.prototype.slice.call(arguments, 1, name & 1)
}
function outer3() {
  trialInline();                // JS shell testing function that requests trial inlining of this script
  return inner(1, 2, 3)
}
for (var i60 = 0; i60 < 50; i60++)
  outer3();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557a3f9da in js::jit::CodeGenerator::visitInlineArgumentsSlice(js::jit::LInlineArgumentsSlice*) ()
#1 0x0000555557a1f0c6 in js::jit::CodeGenerator::generateBody() ()
#2 0x0000555557a69366 in js::jit::CodeGenerator::generate() ()
#3 0x0000555557aa1eab in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) ()
#4 0x0000555557aa2128 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#5 0x0000555557aa349d in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#6 0x0000555557aa3fbe in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#7 0x000032f4d5a6ddc5 in ?? ()
[...]
#14 0x0000000000000000 in ?? ()
rax 0x55555576ea4e 93824994437710
rbx 0x3 3
rcx 0x5555581e8838 93825038977080
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffb430 140737488335920
rsp 0x7fffffffb330 140737488335664
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7fffffffb3d0 140737488335824
r13 0x7ffff6028c00 140737320750080
r14 0x7ffff6028000 140737320747008
r15 0x1 1
rip 0x555557a3f9da <js::jit::CodeGenerator::visitInlineArgumentsSlice(js::jit::LInlineArgumentsSlice*)+490>
=> 0x555557a3f9da <_ZN2js3jit13CodeGenerator25visitInlineArgumentsSliceEPNS0_21LInlineArgumentsSliceE+490>: movl $0x2e8c,0x0
0x555557a3f9e5 <_ZN2js3jit13CodeGenerator25visitInlineArgumentsSliceEPNS0_21LInlineArgumentsSliceE+501>: callq 0x555556be1628 <abort>
JIT-related assert, marking s-s until triaged.
Comment 1•3 years ago
Comment 2•3 years ago
Comment 3•3 years ago
NI anba because this is likely a recent regression from changes in this area.
Comment 4•3 years ago
Yes, this is a regression from bug 1765397.
This bug can lead to writing a value at NativeObject::elements[0] in a zero-length array (NewDenseFullyAllocatedArray(cx, 0)). This shouldn't be exploitable, because GuessArrayGCKind returns gc::AllocKind::OBJECT8 when the array length is zero, which means NativeObject::elements[0] isn't unallocated memory.
Comment 5•3 years ago
Don't assume non-zero number of actual arguments means count must be larger than zero.
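The following is an added example, not code from the bug report, the patch or the SpiderMonkey sources: a reference implementation of the element count that Array.prototype.slice(start, end) produces under the ECMAScript clamping rules, cross-checked against the host engine's own slice on constructed array-likes. It shows why a non-zero arguments.length says nothing about the slice count: with three actual arguments the count is still 0 whenever end resolves to start or earlier, which is exactly the testcase's slice(arguments, 1, 0). Function names (toIntegerOrInfinity, relativeIndex, sliceCount, engineSliceLength, testcaseShape, emptySliceCases) are this example's own, and running it under Node/V8 only pins down the semantics; it does not exercise the SpiderMonkey Ion codegen path the bug is in.

```javascript
// Added example (not from the bug report or SpiderMonkey): reference computation
// of the Array.prototype.slice element count, per the ECMAScript clamping rules.

// ToIntegerOrInfinity: NaN -> 0, +/-Infinity kept, otherwise truncate toward zero
// (the "+ 0" normalizes -0 to +0).
function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (n === Infinity || n === -Infinity) return n;
  return Math.trunc(n) + 0;
}

// Resolves a relative start/end index against `len`: negative values count back
// from the end (floored at 0), non-negative values are clamped to len.
function relativeIndex(v, len) {
  const rel = toIntegerOrInfinity(v);
  if (rel === -Infinity) return 0;
  if (rel < 0) return Math.max(len + rel, 0);
  return Math.min(rel, len);
}

// Number of elements slice(start, end) copies from an array-like of length `len`.
// The count is 0 whenever `end` resolves to <= `start`, regardless of `len`.
function sliceCount(len, start, end) {
  const k = relativeIndex(start, len);
  const final = end === undefined ? len : relativeIndex(end, len);
  return Math.max(final - k, 0);
}

// Cross-check against the engine's own slice on a constructed array-like object.
function engineSliceLength(len, start, end) {
  const arrayLike = { length: len }; // constructed sample input
  return Array.prototype.slice.call(arrayLike, start, end).length;
}

// The testcase's shape: three actual arguments, but `end` is `undefined & 1`,
// i.e. 0 (the testcase assigns the still-undefined `re` to `name`), so
// slice(arguments, 1, 0) copies nothing and the resulting array has length 0.
function testcaseShape() {
  const end = undefined & 1;
  function inner() {
    return Array.prototype.slice.call(arguments, 1, end);
  }
  return inner(1, 2, 3).length;
}

// Slice counts for several (start, end) pairs that all yield an empty slice even
// though the callee received `argc` actual arguments: the situation an inlined
// arguments-slice must handle rather than assert away.
function emptySliceCases(argc) {
  const cases = [
    [1, 0],          // end before start
    [argc, argc],    // start at the end
    [argc + 5, 10],  // start past the end, clamped down to argc
    [0, NaN],        // NaN end -> 0
    [1, -argc],      // negative end resolving to 0
  ];
  return cases.map(([s, e]) => sliceCount(argc, s, e));
}
```

sliceCount(len, start, end) is the quantity the fixed codegen must treat as possibly zero; every entry returned by emptySliceCases(3) is 0 although argc is 3, and testcaseShape() returns 0 for the exact argument pattern in the report.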
Comment 6•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220608160129-fab53b92a95d.
The bug appears to have been introduced in the following build range:
Start: e64a440f0c8b9f2cd539929c77e611d2de49c6e2 (20220421083230)
End: 201252c849f427b49422fffea6ca65e36cdade1d (20220421084833)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e64a440f0c8b9f2cd539929c77e611d2de49c6e2&tochange=201252c849f427b49422fffea6ca65e36cdade1d
Comment 7•2 years ago
Set release status flags based on info from the regressing bug 1765397
Comment 9•2 years ago
Correctly handle zero count when inlining slice for inline arguments. r=iain
https://hg.mozilla.org/integration/autoland/rev/46aa13de580938eed6117805519d1da94049a848
https://hg.mozilla.org/mozilla-central/rev/46aa13de5809
Comment 10•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220718184409-e8822bdecf78.
Comment 11•2 years ago