Closed Bug 1790615 Opened 2 years ago Closed 1 year ago

Assertion failure: cursor_ < buffer_.length(), at /js/src/vm/Xdr.h:133 with asm.js

Categories

(Core :: JavaScript Engine, defect, P3)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
110 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox106 --- wontfix
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- verified

People

(Reporter: decoder, Assigned: bthrall)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20220912-b66bbbcc4467 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

function asmCompile() {
    var f = Function.apply(null, arguments);
    return f;
}
var code = asmCompile('glob', 'imp', 'b', `
  "use asm";
  function f(i,j) {
    i=i|0;
    j=j|0;
  }
  return f
`);
let g80 = newGlobal({newCompartment: true});
const bytes = g80.compileToStencilXDR(code, {});
g80.evalStencilXDR(bytes, {});

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555571dd9bb in js::XDRBuffer<(js::XDRMode)1>::read(unsigned long) ()
#1  0x00005555571ddd9b in mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRState<(js::XDRMode)1>::codeUintImpl<unsigned int>(unsigned int*) ()
#2  0x000055555755acb8 in js::XDRStencilDecoder::codeStencil(JS::DecodeOptions const&, js::frontend::CompilationStencil&) ()
#3  0x00005555575322b6 in js::frontend::CompilationStencil::deserializeStencils(JSContext*, js::ErrorContext*, js::frontend::CompilationInput&, mozilla::Range<unsigned char const> const&, bool*) ()
#4  0x000055555721c748 in EvalStencilXDR(JSContext*, unsigned int, JS::Value*) ()
#5  0x0000555556d4739d in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#21 0x0000555556b9f654 in main ()
rax	0x5555558315b4	93824995235252
rbx	0x7fffffffb878	140737488337016
rcx	0x5555582cdae8	93825039915752
rdx	0x0	0
rsi	0x7ffff6abd770	140737331844976
rdi	0x7ffff6abc540	140737331840320
rbp	0x7fffffffb770	140737488336752
rsp	0x7fffffffb760	140737488336736
r8	0x7ffff6abd770	140737331844976
r9	0x7ffff7fe3800	140737354020864
r10	0x0	0
r11	0x0	0
r12	0x7fffffffb870	140737488337008
r13	0x7fffffffb870	140737488337008
r14	0x4	4
r15	0x7fffffffb850	140737488336976
rip	0x5555571dd9bb <js::XDRBuffer<(js::XDRMode)1>::read(unsigned long)+171>
=> 0x5555571dd9bb <_ZN2js9XDRBufferILNS_7XDRModeE1EE4readEm+171>:	movl   $0x85,0x0
   0x5555571dd9c6 <_ZN2js9XDRBufferILNS_7XDRModeE1EE4readEm+182>:	callq  0x555556c349f4 <abort>
Attached file Testcase

Bryan, could you help investigate this one to identify why this is happening?

Flags: needinfo?(bthrall)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220913154221-26065fde0af4.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: ae68c3ee95d687c7a978ef3e74bb17793daeac61 (20210914143556)
End: b66bbbcc4467d09a1ef10302ee1a085a675966a8 (20220912214055)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

It looks like the crash is happening because the stencil bytes are empty. I expect this should not happen unless there is a problem in compileToStencilXDR() or the asm.js compilation failed without reporting an error.

Severity: -- → S3
Flags: needinfo?(bthrall)
Priority: -- → P3

:sdetar looks like it's too late for 107.
Did Comment 5 progress the investigation?
Leaving 108 status clear, unless you think we should be following this for a fix in 108?

Flags: needinfo?(sdetar)

Bryan, can you help answer Donal's question here?

Flags: needinfo?(sdetar) → needinfo?(bthrall)

Took a quick look at this in rr. The problem appears to be that serializeStencils swallows the error and clears the buffer if there's a transcoding error, and codeStencil returns JS::TranscodeResult::Failure_AsmJSNotSupported for asm.js code, so we end up creating a StencilXDRBufferObject in CompileToStencilXDR with buffer length 0, which evalStencilXDR isn't designed for.

Not sure if this is a general issue with error handling, or only pops up in compileToStencilXDR. Bryan, can you take a look?

I'll take a look

In the other places where codeStencil() is used, the XDRResult is checked against JS::TranscodeResult::Ok, so we don't run into the situation in serializeStencils() where the result is an error but it is swallowed.

It seems like the solution would be to use the succeededOut parameter of serializeStencils() in the two places it is called (here and here) to determine if the buffer should be used.

Or, since there is no difference in how serializeStencils() is used between failed-because-transcode and failed-because-other, just have serializeStencils() return false on res.isErr().

Flags: needinfo?(bthrall)
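The failure chain described in the two comments above (an encoder that swallows its transcode error and hands back an empty buffer, a decoder that then asserts on its cursor) reduces to a small C++ model. The following is an added example written for this page, not SpiderMonkey code: `XDRReader`, the mock `codeStencil`, the `serializeStencils*` and `roundTrip*` functions and the `Stencil` struct are all constructed here and only imitate the shapes named in the thread. It shows the pre-fix serializer beside the corrected one that returns false on any encoding error, and a reader whose bounds check reports an exhausted buffer as a decode error instead of asserting.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Constructed mock of the XDR round trip discussed in the bug (not engine code).
enum class TranscodeResult { Ok, Failure_AsmJSNotSupported, Failure_BadDecode };

struct Stencil {
  bool isAsmJS;
  uint32_t payload;
};

// Reader over an XDR byte buffer. Instead of a bare `cursor_ < length` assertion,
// an exhausted buffer is reported to the caller as a failed read.
class XDRReader {
 public:
  explicit XDRReader(const std::vector<uint8_t>& buf) : buf_(buf) {}
  std::optional<uint32_t> readUint32() {
    if (buf_.size() - cursor_ < sizeof(uint32_t)) return std::nullopt;
    uint32_t v;
    std::memcpy(&v, buf_.data() + cursor_, sizeof v);
    cursor_ += sizeof v;
    return v;
  }
 private:
  const std::vector<uint8_t>& buf_;
  size_t cursor_ = 0;
};

// Mock encoder that, like the engine's codeStencil for asm.js, refuses asm.js input.
TranscodeResult codeStencil(const Stencil& s, std::vector<uint8_t>& out) {
  if (s.isAsmJS) return TranscodeResult::Failure_AsmJSNotSupported;
  out.resize(sizeof(uint32_t));
  std::memcpy(out.data(), &s.payload, sizeof s.payload);
  return TranscodeResult::Ok;
}

// Pre-fix shape: the transcode error is swallowed, the buffer is cleared,
// and the caller is told everything went fine.
bool serializeStencilsSwallowing(const Stencil& s, std::vector<uint8_t>& out) {
  if (codeStencil(s, out) != TranscodeResult::Ok) {
    out.clear();
  }
  return true;
}

// The fix proposed in the thread: any encoding error makes the serializer
// report failure, so no zero-length buffer object is ever created.
bool serializeStencilsFixed(const Stencil& s, std::vector<uint8_t>& out) {
  if (codeStencil(s, out) != TranscodeResult::Ok) {
    out.clear();
    return false;
  }
  return true;
}

// Decoder side. Given an empty buffer the read fails cleanly rather than
// tripping a cursor assertion.
TranscodeResult deserializeStencil(const std::vector<uint8_t>& bytes, Stencil* out) {
  XDRReader reader(bytes);
  std::optional<uint32_t> payload = reader.readUint32();
  if (!payload) return TranscodeResult::Failure_BadDecode;
  out->isAsmJS = false;
  out->payload = *payload;
  return TranscodeResult::Ok;
}

// Buffer length the swallowing serializer hands back for a given stencil.
size_t swallowedBufferSize(const Stencil& s) {
  std::vector<uint8_t> bytes;
  serializeStencilsSwallowing(s, bytes);
  return bytes.size();
}

// Models the pre-fix compileToStencilXDR/evalStencilXDR pair: an asm.js stencil
// yields an empty buffer that is handed straight to the decoder.
TranscodeResult roundTripSwallowing(const Stencil& s) {
  std::vector<uint8_t> bytes;
  serializeStencilsSwallowing(s, bytes);  // always reports success
  Stencil decoded{false, 0};
  return deserializeStencil(bytes, &decoded);  // decoder must cope with 0 bytes
}

// With the fix the decoder is never reached on encoding failure.
std::optional<Stencil> roundTripFixed(const Stencil& s) {
  std::vector<uint8_t> bytes;
  if (!serializeStencilsFixed(s, bytes)) return std::nullopt;
  Stencil decoded{false, 0};
  if (deserializeStencil(bytes, &decoded) != TranscodeResult::Ok) return std::nullopt;
  return decoded;
}
```

The two things worth taking from the model are independent: propagating the encoder's failure (`serializeStencilsFixed`) stops the empty buffer from being created at all, and a bounds-checked reader turns whatever malformed or truncated input still reaches the decoder into an ordinary error rather than a debug-only assertion.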

TL;DR yes, the investigation is advancing.

I don't have an opinion on whether or not this should go in 108.

Assignee: nobody → bthrall
Status: NEW → ASSIGNED

I considered removing the succeededOut parameter, since none of the callers handle failure differently, but then serializeStencil() and deserializeStencil() would not be as symmetric. It would also remove the ability in the future for the caller failure handling to be different.

Pushed by bthrall@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bbdb6fab7a69
Abort stencil creation on encoding failure r=arai

Backed out for causing spidermonkey build bustages.

Push with failures

Failure log

Backout link

[task 2022-12-22T17:09:38.139Z] TEST-PASS | js/src/jit-test/tests/xdr/bug1607895.js | Success (code 0, args "--blinterp-eager") [0.0 s]
[task 2022-12-22T17:09:38.139Z] /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.139Z] Stack:
[task 2022-12-22T17:09:38.139Z]   assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
[task 2022-12-22T17:09:38.139Z]   @/builds/worker/checkouts/gecko/js/src/jit-test/tests/xdr/bug1790615.js:19:23
[task 2022-12-22T17:09:38.139Z] Exit code: 3
[task 2022-12-22T17:09:38.140Z] FAIL - xdr/bug1790615.js
[task 2022-12-22T17:09:38.140Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/xdr/bug1790615.js | /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown (code 3, args "--fuzzing-safe --cpu-count=2 --ion-offthread-compile=off") [0.0 s]
[task 2022-12-22T17:09:38.140Z] INFO exit-status     : 3
[task 2022-12-22T17:09:38.140Z] INFO timed-out       : False
[task 2022-12-22T17:09:38.140Z] INFO stderr         2> /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.140Z] INFO stderr         2> Stack:
[task 2022-12-22T17:09:38.140Z] INFO stderr         2> assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
[task 2022-12-22T17:09:38.140Z] INFO stderr         2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/xdr/bug1790615.js:19:23
[task 2022-12-22T17:09:38.150Z] /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.150Z] Stack:
[task 2022-12-22T17:09:38.150Z]   assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
[task 2022-12-22T17:09:38.150Z]   @/builds/worker/checkouts/gecko/js/src/jit-test/tests/xdr/bug1790615.js:19:23
[task 2022-12-22T17:09:38.150Z] Exit code: 3
[task 2022-12-22T17:09:38.150Z] FAIL - xdr/bug1790615.js
[task 2022-12-22T17:09:38.150Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/xdr/bug1790615.js | /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown (code 3, args "--fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-eager --ion-offthread-compile=off --more-compartments") [0.0 s]
[task 2022-12-22T17:09:38.150Z] INFO exit-status     : 3
[task 2022-12-22T17:09:38.150Z] INFO timed-out       : False
[task 2022-12-22T17:09:38.150Z] INFO stderr         2> /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.150Z] INFO stderr         2> Stack:
[task 2022-12-22T17:09:38.150Z] INFO stderr         2> assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
[task 2022-12-22T17:09:38.150Z] INFO stderr         2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/xdr/bug1790615.js:19:23
[task 2022-12-22T17:09:38.150Z] /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.150Z] Stack:
[task 2022-12-22T17:09:38.150Z]   assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
[task 2022-12-22T17:09:38.150Z]   @/builds/worker/checkouts/gecko/js/src/jit-test/tests/xdr/bug1790615.js:19:23
[task 2022-12-22T17:09:38.150Z] Exit code: 3
[task 2022-12-22T17:09:38.150Z] FAIL - xdr/bug1790615.js
[task 2022-12-22T17:09:38.150Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/xdr/bug1790615.js | /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown (code 3, args "--fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads") [0.0 s]
[task 2022-12-22T17:09:38.150Z] INFO exit-status     : 3
[task 2022-12-22T17:09:38.150Z] INFO timed-out       : False
[task 2022-12-22T17:09:38.150Z] INFO stderr         2> /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.150Z] INFO stderr         2> Stack:
[task 2022-12-22T17:09:38.150Z] INFO stderr         2> assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
<...>
Flags: needinfo?(bthrall)

It appears that builds with --disable-jit handle asmjs differently, so the test designed to verify this bug is fixed isn't passing. I need to investigate further.

Flags: needinfo?(bthrall)
Pushed by bthrall@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4077f0f8d131
Abort stencil creation on encoding failure r=arai
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch

Verified bug as fixed on rev mozilla-central 20230104042941-616a6f1689dc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
