Closed Bug 1903324 Opened 7 months ago Closed 7 months ago

Assertion failure: BytecodeOpCanHaveAllocSite(JSOp(*pc_)), at js/src/jit/CacheIR.cpp:276

Categories

(Core :: JavaScript Engine, defect, P3)

x86
Linux
defect

Tracking

VERIFIED FIXED
129 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox127 --- unaffected
firefox128 --- unaffected
firefox129 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20240617-5dabfab7d5a5 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --blinterp-eager test.js):

new Promise(RegExp).finally(Object)

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x58d7c587 in js::jit::IRGenerator::maybeCreateAllocSite() ()
#0  0x58d7c587 in js::jit::IRGenerator::maybeCreateAllocSite() ()
#1  0x58dd8f08 in js::jit::InlinableNativeIRGenerator::tryAttachObjectConstructor() ()
#2  0x58dd4031 in js::jit::InlinableNativeIRGenerator::tryAttachStub() ()
#3  0x58dde24a in js::jit::CallIRGenerator::tryAttachInlinableNative(JS::Handle<JSFunction*>, js::jit::CallFlags) ()
#4  0x58ddfd49 in js::jit::CallIRGenerator::tryAttachCallNative(JS::Handle<JSFunction*>) ()
#5  0x58de185f in js::jit::CallIRGenerator::tryAttachStub() ()
#6  0x58a983f2 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#7  0xe8200978 in ?? ()
#8  0xe822a392 in ?? ()
#9  0xe822e2c6 in ?? ()
#10 0xe81fa7ed in ?? ()
#11 0x58fee3ae in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#12 0x5800e553 in js::RunScript(JSContext*, js::RunState&) ()
#13 0x5800f189 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#14 0x580108ea in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#15 0x58010ae3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#16 0x580a9693 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#17 0x583347d8 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#18 0x5800fb44 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#19 0x5800f236 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#20 0x580108ea in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#21 0x58010ae3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#22 0x5817d214 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#23 0x58248399 in js::InternalJobQueue::runJobs(JSContext*) ()
#24 0x58247dc3 in js::RunJobs(JSContext*) ()
#25 0x57e8ca28 in RunShellJobs(JSContext*) ()
#26 0x57e6ab44 in Shell(JSContext*, js::cli::OptionParser*) ()
#27 0x57e629d4 in main ()
eax	0x56759c0f	1450548239
ebx	0x597d545c	1501385820
ecx	0x597da844	1501407300
edx	0xf7b91cc7	-138863417
esi	0xffb9e488	-4594552
edi	0xffb9e2a0	-4595040
ebp	0xffb9e1f8	4290372088
esp	0xffb9e1d0	4290372048
eip	0x58d7c587 <js::jit::IRGenerator::maybeCreateAllocSite()+727>
=> 0x58d7c587 <_ZN2js3jit11IRGenerator20maybeCreateAllocSiteEv+727>:	movl   $0x114,0x0
   0x58d7c591 <_ZN2js3jit11IRGenerator20maybeCreateAllocSiteEv+737>:	call   0x57ef64e0 <abort>
Attached file Testcase

This looks like it's related to Bug 1902308. Since Jon's out, ni? jandem who reviewed.

Severity: -- → S3
Flags: needinfo?(jdemooij)
Priority: -- → P3

Without looking at it in detail, I expect this to be a call bytecode op that's not JSOp::Call but maybe one of the self-hosted ones. I'll take a closer look tomorrow morning.

Verified bug as reproducible on mozilla-central 20240618094855-1f73c4ee1785.
The bug appears to have been introduced in the following build range:

Start: 305d93ccd56f1640bf8eeae5ea78799e572707bf (20240617053337)
End: 04f40bdacb57fd7507e3ecc9670c6c29ed516142 (20240617084623)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=305d93ccd56f1640bf8eeae5ea78799e572707bf&tochange=04f40bdacb57fd7507e3ecc9670c6c29ed516142

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

We're missing JSOp::CallContent in BytecodeOpCanHaveAllocSite. This means we don't create an allocation site for this op during Baseline compilation (the other place where we call BytecodeOpCanHaveAllocSite), but it's not a security bug.

Assignee: nobody → jdemooij
Group: javascript-core-security
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Regressed by: 1902308
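
The shape of the testcase, as an added example that is neither the reporter's attachment nor SpiderMonkey code: an inlinable native (Object) is invoked as a callback from a builtin that SpiderMonkey implements in self-hosted JavaScript, so the call site is JSOp::CallContent rather than JSOp::Call. Reading the backtrace, the JIT frames between PromiseReactionJob and DoCallFallback are the self-hosted finally thunk, which is why .finally(Object) hits the path while a plain .then(Object) is called straight from C++. The harness below wraps the original testcase so its rejection is observed instead of escaping as an unhandled rejection, and adds variants that hand the same natives to other builtins (Array.prototype.map, Array.from, RegExp replace). That those builtins are self-hosted in SpiderMonkey is an assumption of this example; the intended use is to run the file under a debug shell with the flags from comment 0 and watch for the assertion, while the return values only check the language-level result.

```javascript
"use strict";
// Added example, not code from the bug report or from SpiderMonkey.
//
// Original testcase, wrapped. RegExp(resolve, reject) stringifies the reject
// function as the flags argument and throws SyntaxError ("Invalid flags"), so
// the promise rejects; finally(Object) runs Object() as onFinally from the
// self-hosted finally thunk and then re-throws the original rejection.
function runOriginal() {
  return new Promise(RegExp)
    .finally(Object)
    .then(
      () => "fulfilled",
      (e) => (e instanceof SyntaxError ? "rejected:SyntaxError" : "rejected:other")
    );
}

// Variants: the same inlinable natives as callbacks of other builtins that are
// ASSUMED to be self-hosted in SpiderMonkey. Each entry is a small summary of
// the language-level result so the harness can be checked outside a debug shell.
function runVariants() {
  const out = {};

  // Object(x, index, array) boxes each primitive, so typeof is "object" for all.
  out.mapObject = [1, "a", true].map(Object).map((v) => typeof v);

  // Array(x, index, array) is called with three arguments and so builds a
  // three-element array for every input element.
  out.mapArray = [1, 2].map(Array).map((a) => a.length);

  // Array.from with Object as the mapping function: every hole becomes an object.
  out.fromObject = Array.from({ length: 3 }, Object).every((v) => typeof v === "object");

  // String as the replacer: String(match, offset, input) returns the match,
  // so the replacement is the identity on the input string.
  out.replaceString = "ab".replace(/./g, String);

  return out;
}

// Stand-alone run: report each outcome; the promise variant settles asynchronously.
runOriginal().then((state) => console.log("original:", state));
console.log("variants:", runVariants());
```

Under a debug js shell the interesting signal is the assertion itself, not the printed values; a variant that runs cleanly there after the fix only shows that its call site has an allocation site, not that every CallContent site is covered.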

Set release status flags based on info from the regressing bug 1902308

In BytecodeOpCanHaveAllocSite we were missing JSOp::CallContent used in self-hosted code.

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/809557dea97f Ensure BytecodeOpCanHaveAllocSite returns true for all ops that can use InlinableNativeIRGenerator. r=iain
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch

Verified bug as fixed on rev mozilla-central 20240620161057-ac120cec791e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon