Assertion failure: cursor_ < buffer_.length(), at /js/src/vm/Xdr.h:133 with asm.js
Categories: Core :: JavaScript Engine, defect, P3
People: Reporter: decoder, Assigned: bthrall
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 3 files
The following testcase crashes on mozilla-central revision 20220912-b66bbbcc4467 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
// Build a function from source via Function.apply; the "use asm" directive makes it an asm.js module.
function asmCompile() {
  var f = Function.apply(null, arguments);
  return f;
}
var code = asmCompile('glob', 'imp', 'b', `
  "use asm";
  function f(i,j) {
    i=i|0;
    j=j|0;
  }
  return f
`);
// newGlobal, compileToStencilXDR and evalStencilXDR are JS shell testing functions.
let g80 = newGlobal({newCompartment: true});
const bytes = g80.compileToStencilXDR(code, {});
g80.evalStencilXDR(bytes, {});
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555571dd9bb in js::XDRBuffer<(js::XDRMode)1>::read(unsigned long) ()
#1 0x00005555571ddd9b in mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRState<(js::XDRMode)1>::codeUintImpl<unsigned int>(unsigned int*) ()
#2 0x000055555755acb8 in js::XDRStencilDecoder::codeStencil(JS::DecodeOptions const&, js::frontend::CompilationStencil&) ()
#3 0x00005555575322b6 in js::frontend::CompilationStencil::deserializeStencils(JSContext*, js::ErrorContext*, js::frontend::CompilationInput&, mozilla::Range<unsigned char const> const&, bool*) ()
#4 0x000055555721c748 in EvalStencilXDR(JSContext*, unsigned int, JS::Value*) ()
#5 0x0000555556d4739d in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#21 0x0000555556b9f654 in main ()
Reporter
Comment 1•2 years ago
Reporter
Comment 2•2 years ago
Comment 3•2 years ago
Bryan, could you help investigate this one to identify why this is happening?
Comment 4•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220913154221-26065fde0af4.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: ae68c3ee95d687c7a978ef3e74bb17793daeac61 (20210914143556)
End: b66bbbcc4467d09a1ef10302ee1a085a675966a8 (20220912214055)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Assignee
Comment 5•2 years ago
It looks like the crash is happening because the stencil bytes are empty. I expect this should not happen unless there is a problem in compileToStencilXDR() or the asm.js compilation failed without reporting an error.
Updated•2 years ago
Comment 6•1 year ago
:sdetar looks like it's too late for 107.
Did Comment 5 progress the investigation?
Leaving 108 status clear, unless you think we should be following this for a fix in 108?
Comment 7•1 year ago
Bryan, can you help answer Donal's question here?
Comment 8•1 year ago
Took a quick look at this in rr. The problem appears to be that serializeStencils swallows the error and clears the buffer if there's a transcoding error, and codeStencil returns JS::TranscodeResult::Failure_AsmJSNotSupported for asm.js code, so we end up creating a StencilXDRBufferObject in CompileToStencilXDR with buffer length 0, which evalStencilXDR isn't designed for.
Not sure if this is a general issue with error handling, or only pops up in compileToStencilXDR. Bryan, can you take a look?
Assignee
Comment 9•1 year ago
I'll take a look.
Assignee
Comment 10•1 year ago
In the other places where codeStencil() is used, the XDRResult is checked against JS::TranscodeResult::Ok, so we don't run into the situation in serializeStencils() where the result is an error but it is swallowed.
It seems like the solution would be to use the succeededOut parameter of serializeStencils() in the two places it is called (here and here) to determine if the buffer should be used.
Or, since there is no difference in how serializeStencils() is used between failed-because-transcode and failed-because-other, just have serializeStencils() return false on res.isErr().
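The failure path from Comment 8 and the fix proposed in Comment 10, modelled as an added C++ example that is not SpiderMonkey code: the serializer that swallows the transcode error hands the decoder a zero-length buffer, which violates the cursor_ < buffer_.length() check, while the serializer that returns false on an encoding error never builds the buffer object at all. All names here (codeStencil, serializeStencilsSwallow, serializeStencilsAbort, compileToStencilXDR, evalStencilXDR, ReadResult) are hypothetical stand-ins for the real functions, and the payload bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

using Bytes = std::vector<uint8_t>;
enum class TranscodeResult { Ok, Failure_AsmJSNotSupported };

// Stand-in for codeStencil(): asm.js modules cannot be transcoded to XDR.
static TranscodeResult codeStencil(bool isAsmJs, Bytes& out) {
  if (isAsmJs) return TranscodeResult::Failure_AsmJSNotSupported;
  out = {0x2a, 0x00, 0x00, 0x00};  // constructed payload: little-endian uint32 42
  return TranscodeResult::Ok;
}

// Pre-fix shape (Comment 8): a transcode error clears the buffer but is
// otherwise swallowed, so the caller sees "success" with zero bytes.
static bool serializeStencilsSwallow(bool isAsmJs, Bytes& buf, bool* succeededOut) {
  *succeededOut = codeStencil(isAsmJs, buf) == TranscodeResult::Ok;
  if (!*succeededOut) buf.clear();
  return true;  // only non-transcode failures would return false here
}

// Post-fix shape (Comment 10, second option): an encoding error returns false,
// so the caller aborts stencil creation instead of building an empty buffer.
static bool serializeStencilsAbort(bool isAsmJs, Bytes& buf, bool* succeededOut) {
  *succeededOut = codeStencil(isAsmJs, buf) == TranscodeResult::Ok;
  if (!*succeededOut) buf.clear();
  return *succeededOut;
}

// Stand-in for CompileToStencilXDR(): std::nullopt models the JS exception
// raised when the serializer reports failure.
template <typename Serializer>
static std::optional<Bytes> compileToStencilXDR(Serializer ser, bool isAsmJs) {
  Bytes buf; bool ok = false;
  if (!ser(isAsmJs, buf, &ok)) return std::nullopt;
  return buf;
}

// Stand-in for XDRBuffer::read() behind evalStencilXDR(): the page's assertion
// cursor_ < buffer_.length() is reported as assertionHeld=false, not an abort.
struct ReadResult { bool assertionHeld; uint32_t value; };
static ReadResult evalStencilXDR(const Bytes& buf) {
  size_t cursor = 0;
  if (!(cursor < buf.size()) || buf.size() - cursor < 4) return {false, 0};
  uint32_t v = uint32_t(buf[0]) | (uint32_t(buf[1]) << 8) |
               (uint32_t(buf[2]) << 16) | (uint32_t(buf[3]) << 24);
  return {true, v};
}
```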
Assignee
Comment 11•1 year ago
TL;DR yes, the investigation is advancing.
I don't have an opinion on whether or not this should go in 108.
Assignee
Updated•1 year ago
Assignee
Comment 12•1 year ago
I considered removing the succeededOut parameter, since none of the callers handle failure differently, but then serializeStencil() and deserializeStencil() would not be as symmetric. It would also remove the ability in the future for the caller failure handling to be different.
Comment 13•1 year ago
Pushed by bthrall@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bbdb6fab7a69 Abort stencil creation on encoding failure r=arai
Comment 14•1 year ago
Backed out for causing spidermonkey build bustages.
[task 2022-12-22T17:09:38.139Z] TEST-PASS | js/src/jit-test/tests/xdr/bug1607895.js | Success (code 0, args "--blinterp-eager") [0.0 s]
[task 2022-12-22T17:09:38.139Z] /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.139Z] Stack:
[task 2022-12-22T17:09:38.139Z] assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
[task 2022-12-22T17:09:38.139Z] @/builds/worker/checkouts/gecko/js/src/jit-test/tests/xdr/bug1790615.js:19:23
[task 2022-12-22T17:09:38.139Z] Exit code: 3
[task 2022-12-22T17:09:38.140Z] FAIL - xdr/bug1790615.js
[task 2022-12-22T17:09:38.140Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/xdr/bug1790615.js | /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown (code 3, args "--fuzzing-safe --cpu-count=2 --ion-offthread-compile=off") [0.0 s]
[task 2022-12-22T17:09:38.140Z] INFO exit-status : 3
[task 2022-12-22T17:09:38.140Z] INFO timed-out : False
[task 2022-12-22T17:09:38.140Z] INFO stderr 2> /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
[task 2022-12-22T17:09:38.140Z] INFO stderr 2> Stack:
[task 2022-12-22T17:09:38.140Z] INFO stderr 2> assertThrowsInstanceOf@/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13
[task 2022-12-22T17:09:38.140Z] INFO stderr 2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/xdr/bug1790615.js:19:23
<...>
Assignee
Comment 15•1 year ago
It appears that builds with --disable-jit handle asm.js differently, so the test designed to verify this bug is fixed isn't passing. I need to investigate further.
Comment 16•1 year ago
Pushed by bthrall@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4077f0f8d131 Abort stencil creation on encoding failure r=arai
Comment 17•1 year ago
bugherder
Comment 18•1 year ago
Verified bug as fixed on rev mozilla-central 20230104042941-616a6f1689dc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•1 year ago