Open Bug 1928401 Opened 11 months ago Updated 10 months ago

Assertion failure: isLowered(), at js/src/jit/MIR.h:850

Categories: Core :: JavaScript Engine: JIT, defect, P5

People: Reporter: sm-bugs, Unassigned, NeedInfo

References: Blocks 3 open bugs

Details

Steps to reproduce:

Version: 4f44c14a73993e4490646bde47eacbf2b9d267aa
Args: js --ion-sink=on --fuzzing-safe --ion-offthread-compile=off --ion-eager <test-case>

Test case:

for (a = 0; ; a++) {
    b = "0x7fffffff"
    const c = -b
    try { } catch { }
    [c]
    if (a)
        function d() { }
}

Actual results:

Assertion failure: isLowered(), at js/src/jit/MIR.h:850

#0 0x55f131dc2303 in js::jit::MDefinition::virtualRegister() const js/src/jit/MIR.h:850:5
#1 0x55f131dc2303 in js::jit::LIRGeneratorShared::use(js::jit::MDefinition*, js::jit::LUse) js/src/jit/shared/Lowering-shared-inl.h:34:34
#2 0x55f131dbf4ef in js::jit::LIRGeneratorShared::useKeepalive(js::jit::MDefinition*) js/src/jit/shared/Lowering-shared-inl.h:571:10
#3 0x55f131dbf4ef in js::jit::LIRGeneratorShared::useKeepaliveOrConstant(js::jit::MDefinition*) js/src/jit/shared/Lowering-shared-inl.h:578:10
#4 0x55f131dbf4ef in js::jit::LIRGeneratorShared::buildSnapshot(js::jit::MResumePoint*, js::jit::BailoutKind) js/src/jit/shared/Lowering-shared.cpp:269:10
#5 0x55f131dbf95e in js::jit::LIRGeneratorShared::assignSnapshot(js::jit::LInstruction*, js::jit::BailoutKind) js/src/jit/shared/Lowering-shared.cpp:282:25
#6 0x55f131e49fd0 in js::jit::LIRGeneratorX86Shared::lowerMulI(js::jit::MMul*, js::jit::MDefinition*, js::jit::MDefinition*) js/src/jit/x86-shared/Lowering-x86-shared.cpp:176:5
#7 0x55f132304b78 in js::jit::LIRGenerator::visitMul(js::jit::MMul*) js/src/jit/Lowering.cpp:2248:5
#8 0x55f13237d787 in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) js/src/jit/Lowering.cpp:7885:3
#9 0x55f13237e61f in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) js/src/jit/Lowering.cpp:7955:10
#10 0x55f13237eb54 in js::jit::LIRGenerator::generate() js/src/jit/Lowering.cpp:8029:10
#11 0x55f132212b22 in js::jit::GenerateLIR(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:1548:17
#12 0x55f132213537 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) js/src/jit/Ion.cpp:1637:19
#13 0x55f1322151f3 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, unsigned char*) js/src/jit/Ion.cpp:1768:38
#14 0x55f1322151f3 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) js/src/jit/Ion.cpp:1922:24
#15 0x55f132216356 in BaselineCanEnterAtBranch(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) js/src/jit/Ion.cpp:2123:25
#16 0x55f132216356 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) js/src/jit/Ion.cpp:2175:12
#17 0x55f132216ddb in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) js/src/jit/Ion.cpp:2287:8
#18 0x224bd68d1fc5  (<unknown module>)

Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 131 → Trunk
Group: core-security → javascript-core-security
Component: JavaScript Engine → JavaScript Engine: JIT

Iain, how serious do you think this is?

Blocks: sm-jits
Flags: needinfo?(iireland)

It only fails with --ion-sink=on, which has been disabled for years, so it's not possible to trigger this in the browser.

The problem happens while lowering a Mul (for -b, which is implemented as b * -1). To build a snapshot for the Mul, we iterate over RecoverInfo derived from a resume point. The resume point has an MArrayState as an associated store. The MArrayState captures the Mul. As a result, we treat the Mul as an operand for its own snapshot, which asserts because we haven't finished lowering it yet.

In a release build, we instead assign a virtual register of 0, which will eventually crash safely here. So I think it is safe to open this up.

nbp, can you take a look? I think you originally wrote most of this code.

Group: javascript-core-security
Severity: -- → S4
Flags: needinfo?(iireland) → needinfo?(nicolas.b.pierron)
Priority: -- → P3
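To make the operand cycle from the previous comment concrete, here is an added, simplified Python model (not SpiderMonkey's code; every class and function name is hypothetical): a resume point whose MArrayState store captures the Mul being lowered, so walking the snapshot's operands reaches the Mul before it has a virtual register, and the debug/release difference in what that lookup does.

```python
# Added illustration, not SpiderMonkey code: a simplified model of the
# MIR/LIR objects described above. All names here are hypothetical.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(eq=False)
class MDefinition:
    """A MIR instruction; virtual_register is set only once it is lowered."""
    name: str
    operands: List["MDefinition"] = field(default_factory=list)
    virtual_register: Optional[int] = None

    def is_lowered(self) -> bool:
        return self.virtual_register is not None


@dataclass(eq=False)
class MArrayState(MDefinition):
    """Store attached to a resume point after Sink; captures the sunk array's elements."""


@dataclass
class MResumePoint:
    operands: List[MDefinition]   # slots captured for bailout
    stores: List[MArrayState]     # associated stores (recover info)


def snapshot_operands(rp: MResumePoint):
    """Every definition a snapshot built from rp has to 'use'."""
    yield from rp.operands
    for store in rp.stores:
        yield from store.operands


def virtual_register(d: MDefinition, release_build: bool) -> int:
    """Debug builds assert isLowered(); release builds hand back vreg 0."""
    if not d.is_lowered():
        if not release_build:
            raise AssertionError("isLowered()")
        return 0
    return d.virtual_register


def self_uses(instr: MDefinition, rp: MResumePoint) -> List[MDefinition]:
    """Entries of instr's own snapshot that are instr itself (the bug)."""
    return [d for d in snapshot_operands(rp) if d is instr]


def build_example():
    a = MDefinition("a", virtual_register=1)
    b = MDefinition("b_int", virtual_register=2)      # b after ToNumber
    neg_one = MDefinition("-1", virtual_register=3)
    mul = MDefinition("mul", [b, neg_one])            # c = b * -1, not yet lowered
    state = MArrayState("array_state", [mul])         # [c] sunk into the resume point
    rp = MResumePoint(operands=[a, b], stores=[state])
    return mul, rp
```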

As expected, --ion-sink=on is not part of the fuzz-flags.

At the moment, I have higher priorities. Thus I will skip this bug until we decide to revisit the second half of the Sink phase.

Priority: P3 → P5
Blocks: 1109195