Assertion failure: !outerScript->failedBoundsCheck(), at jit/BaselineBailouts.cpp:2045
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking

Release | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox87 | --- | unaffected
firefox88 | --- | unaffected
firefox89 | --- | verified
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210401-5c46535ee223 (debug build, run with --fuzzing-safe --no-threads --fast-warmup):
g = newGlobal();
g["eval"] = this["eval"].bind(this);
g["bailAfter"] = this["bailAfter"].bind(this);
g.evaluate(`
for(c of [,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, function(){}]) {
bailAfter(2);
eval('', this.x);
}
`)
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555575d30fb in js::jit::FinishBailoutToBaseline(js::jit::BaselineBailoutInfo*) ()
#1 0x000013d9969e91e7 in ?? ()
[...]
#18 0x0000000000000000 in ?? ()
rip 0x5555575d30fb <js::jit::FinishBailoutToBaseline(js::jit::BaselineBailoutInfo*)+5627>
=> 0x5555575d30fb <_ZN2js3jit23FinishBailoutToBaselineEPNS0_19BaselineBailoutInfoE+5627>: movl $0x7fd,0x0
0x5555575d3106 <_ZN2js3jit23FinishBailoutToBaselineEPNS0_19BaselineBailoutInfoE+5638>: callq 0x555556a8185f <abort>
Marking s-s since this is a JIT assert.
Comment 1 • 4 years ago (Reporter)

Comment 2 • 4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210401094845-6159d3fc46c6.
The bug appears to have been introduced in the following build range:
Start: 7b19f4ed5182b81f3ec3f3dee1989d306c00f7e7 (20210323184817)
End: a2e2f181d82070e6bc3a9950a535f29da2fb1813 (20210323184849)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7b19f4ed5182b81f3ec3f3dee1989d306c00f7e7&tochange=a2e2f181d82070e6bc3a9950a535f29da2fb1813
Comment 3 • 4 years ago (Assignee)
Not s-s. The bailout loop code asserts that we don't repeatedly trigger bailouts by optimistically hoisting bounds checks, and enforces this by marking bounds checks as not movable in WarpBuilder. However, scalar replacement of arguments can generate new bounds checks after WarpBuilder, and they aren't marked.
The fuzzbug relies on the bailAfter testing function, but here's a testcase that doesn't (with --fast-warmup --no-threads):
function foo() {
if (arguments[0]) {
return arguments[1];
}
}
with ({}) {}
for (var i = 0; i < 100; i++) {
foo(true, 1);
}
for (var i = 0; i < 100; i++) {
foo(false);
}
Comment 4 • 4 years ago (Assignee)

Comment 5 • 4 years ago
Set release status flags based on info from the regressing bug 1688033
Comment 7 • 4 years ago

Comment 8 • 4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210407031944-e06c2941cdfc.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.