If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Modified registers between VM call and OsiPoint)), at jit/shared/CodeGenerator-shared.cpp:536

RESOLVED FIXED in mozilla31

Status

()

Core
JavaScript Engine: JIT
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: h4writer)

Tracking

(Blocks: 1 bug, {assertion, sec-other, testcase})

Trunk
mozilla31
x86
Linux
assertion, sec-other, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
The following testcase asserts on mozilla-central revision 1e9f169c9715 (run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking):


enableOsiPointRegisterChecks();
eval('(function () {\
var s = "{}";\
for (var i = 0; i < 19; i++)\
    s += s;\
    eval(s);\
})();\
');
Flags: needinfo?(jdemooij)
(Reporter)

Comment 1

4 years ago
This problem could be related to --ion-regalloc=backtracking only, then it wouldn't be a security problem. Locking s-s until this is confirmed.
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect]
I'm unable to reproduce this with the revision + shell flags in comment 0, x86 debug build on OS X.

NI from decoder, this one shouldn't be too hard to figure out once I have access to a machine where this reproduces.
Flags: needinfo?(choller)

Updated

4 years ago
Flags: needinfo?(jdemooij)
Keywords: sec-other
(Reporter)

Comment 3

4 years ago
This still reproduces easily for me. Jan can you try the following config flags on a 32 bit Linux?

--disable-threadsafe --enable-debug --enable-optimize --enable-valgrind (+ 32 bit stuff)
Flags: needinfo?(choller)

Updated

4 years ago
Flags: needinfo?(jdemooij)
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 4

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/f030f97fcf10
user:        Dan Gohman
date:        Thu Oct 24 20:34:54 2013 -0700
summary:     Bug 875656 - IonMonkey: Juggle registers around to reduce the number of temporaries needed by LConcat. r=bhackett

This iteration took 380.333 seconds to run.
(Reporter)

Comment 5

4 years ago
Needinfo from :sunfish based on comment 4 :)
Flags: needinfo?(dgohman)
Looks like a backtracking allocator bug. I'll investigate.
Assignee: nobody → sunfish
Flags: needinfo?(sunfish)
This also needs --ion-parallel-compile=off to reproduce reliably. It does appear to be backtracking only.

Here's a simplified testcase that also fails with --ion-eager --ion-regalloc=backtracking --ion-parallel-compile=off on x86 linux:

(function () {
var s = "{}";
for (var i = 0; i < 19; i++)
    s += s;
    eval(s);
})();

The OsiPoint that triggers this error is the one immediately after the Concat. The mismatch is with %edx, which is Concat's output register.
(Assignee)

Updated

4 years ago
Blocks: 983580
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
(Reporter)

Comment 8

4 years ago
JSBugMon: Cannot process bug: Unknown exception (check manually)
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:update]
(Assignee)

Comment 9

4 years ago
Created attachment 8396528 [details] [diff] [review]
bug968931-backtracking-assert
Assignee: sunfish → hv1989
Attachment #8396528 - Flags: review?(jdemooij)

Updated

4 years ago
Attachment #8396528 - Attachment is patch: true
Comment on attachment 8396528 [details] [diff] [review]
bug968931-backtracking-assert

Review of attachment 8396528 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing this!

::: js/src/jit/LiveRangeAllocator.h
@@ +689,5 @@
> +        if (interval->index() == 0 && !reg->isTemp()) {
> +#ifdef CHECK_OSIPOINT_REGISTERS
> +            // We don't add the output register to the safepoint,
> +            // but it still might get added as one of the inputs.
> +            // So eagerly add this reg to the safepoint clobbered register.

Nit: s/clobbered register/clobbered registers

@@ +691,5 @@
> +            // We don't add the output register to the safepoint,
> +            // but it still might get added as one of the inputs.
> +            // So eagerly add this reg to the safepoint clobbered register.
> +            LSafepoint *safepoint = reg->ins()->safepoint();
> +            if (safepoint)

Nit: if (LSafepoint *safepoint = reg->ins()->safepoint())

::: js/src/jit/shared/CodeGenerator-shared.cpp
@@ +564,2 @@
>      // temps after calling into the VM. This is fine because no other
> +    // instructions (including this OsiPoint) will depend on them. The same

Nit: finish last sentence
Attachment #8396528 - Flags: review?(jdemooij) → review+

Updated

4 years ago
Flags: needinfo?(jdemooij)
(Assignee)

Comment 11

4 years ago
Opening the bug, since this is a assertion is over-restrictive.
Group: core-security
(Assignee)

Comment 12

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/2dc1dab474ab
https://hg.mozilla.org/mozilla-central/rev/2dc1dab474ab
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
(Assignee)

Updated

4 years ago
Duplicate of this bug: 977882
You need to log in before you can comment on or make changes to this bug.