Assertion failure: shape != obj, at js/src/jit/MacroAssembler-inl.h:993
Categories: Core :: JavaScript Engine: JIT, defect

Tracking:

| Version | Tracking | Status |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox109 | --- | unaffected |
| firefox110 | --- | unaffected |
| firefox111 | --- | verified |

People: Reporter: decoder, Assigned: alexical
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 3 files
The following testcase crashes on mozilla-central revision 20230201-dd0fdd1daa69 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
```js
y6 = function() {};
n93 = 100;
function testBadSetElems(obj, key) {
  // n93 is never reset, so after the first call it stays negative
  // (truthy) and later calls keep looping until the crash.
  while (n93--) {
    nasty = y6;
    nasty.push = testDenseSets;
    nasty.push("a" + n93);   // calls testDenseSets("a99"), ("a98"), ...
  }
}
function testDenseSets(L80) {
  var obj = [,,,,,,,,,,];    // sparse array of length 10
  var T48 = L80;
  var K5 = T48 + 9;          // string concatenation, e.g. "a999"
  obj[K5 + 1] = obj;         // named (non-index) property set, e.g. obj["a9991"]
}
for (var i27 = 0; i27 < 10; i27++) {
  testBadSetElems([], -1);
}
```
Backtrace:
```text
received signal SIGSEGV, Segmentation fault.
#0 0x58bdf81f in js::jit::MacroAssembler::emitMegamorphicCachedSetSlot(js::jit::ValueOperand, js::jit::Register, js::jit::Register, js::jit::ValueOperand, js::jit::Label*, void (*)(js::jit::MacroAssembler&, js::jit::Address const&, js::jit::MIRType)) ()
#1 0x58a5b532 in js::jit::CodeGenerator::visitMegamorphicSetElement(js::jit::LMegamorphicSetElement*) ()
#2 0x58a264a7 in js::jit::CodeGenerator::generateBody() ()
#3 0x58a82d7a in js::jit::CodeGenerator::generate() ()
#4 0x58abe961 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#5 0x58abfc6e in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#6 0x58ac06dc in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#7 0x58ac0dc7 in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#8 0x40748943 in ?? ()
#9 0x407407f3 in ?? ()
#10 0x58afbea4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
[...]
#20 0x57b0632e in main ()
eax 0x5684a82a 1451534378
ebx 0x5929ebb8 1495919544
ecx 0x592a06dc 1495926492
edx 0x0 0
esi 0xf67aee08 -159715832
edi 0x3ae3 15075
ebp 0xffffa7a8 4294944680
esp 0xffffa6d0 4294944464
eip 0x58bdf81f <js::jit::MacroAssembler::emitMegamorphicCachedSetSlot(js::jit::ValueOperand, js::jit::Register, js::jit::Register, js::jit::ValueOperand, js::jit::Label*, void (*)(js::jit::MacroAssembler&, js::jit::Address const&, js::jit::MIRType))+2863>
=> 0x58bdf81f <_ZN2js3jit14MacroAssembler28emitMegamorphicCachedSetSlotENS0_12ValueOperandENS0_8RegisterES3_S2_PNS0_5LabelEPFvRS1_RKNS0_7AddressENS0_7MIRTypeEE+2863>: movl $0x3e1,0x0
0x58bdf829 <_ZN2js3jit14MacroAssembler28emitMegamorphicCachedSetSlotENS0_12ValueOperandENS0_8RegisterES3_S2_PNS0_5LabelEPFvRS1_RKNS0_7AddressENS0_7MIRTypeEE+2873>: call 0x57b8d51f <abort>
```
Marking s-s because this is a JIT-related assertion in MacroAssembler. This is x86 only.
Reporter, Comment 1 • 2 years ago

Reporter, Comment 2 • 2 years ago

Reporter, Updated • 2 years ago

Assignee, Comment 3 • 2 years ago
The previous patch was just incomplete, turns out.
Updated • 2 years ago

Comment 4 • 2 years ago
Verified bug as reproducible on mozilla-central 20230202172003-ba5f6662ca80.
The bug appears to have been introduced in the following build range:
Start: 849b9d9a8b6f197d20a2f66addd0e3fc1e54f6d4 (20230119163652)
End: 36cf8390edddbc36217a8fbe306a6d5946a5617e (20230120034623)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=849b9d9a8b6f197d20a2f66addd0e3fc1e54f6d4&tochange=36cf8390edddbc36217a8fbe306a6d5946a5617e
Comment 5 • 2 years ago
Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:dthayer, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit auto_nag documentation.
Updated • 2 years ago

Comment 6 • 2 years ago

Comment 7 • 2 years ago
Verified bug as fixed on rev mozilla-central 20230204091116-193873a76970.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated • 1 year ago