Closed Bug 1926238 Opened 1 year ago Closed 11 months ago

Assertion failure: !isTrialInlined && entry->firstStub() == stub->next(), at jit/WarpOracle.cpp:1101

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86
Linux
defect

Tracking


VERIFIED FIXED
134 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox132 --- wontfix
firefox133 --- wontfix
firefox134 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20241022-c47ccf99a981 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

class C54 {
  constructor(n60) {
    b89(n60);
    super[this];
  }
}
function b89(n60) {
  if (n60 > 0) {
    new C54(n60-1);
  }
}
n60 = undefined;
for (var i50 = undefined - n60 ==  (this); i50 < 1000; i50++) {
  b89(10);
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x58bab05a in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) ()
#1  0x58ba8cee in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) ()
#2  0x58ba516b in WarpScriptOracle::createScriptSnapshot() ()
#3  0x58baaa51 in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) ()
#4  0x58ba8cee in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) ()
#5  0x58ba516b in WarpScriptOracle::createScriptSnapshot() ()
#6  0x58baaa51 in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) ()
#7  0x58ba8cee in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) ()
#8  0x58ba516b in WarpScriptOracle::createScriptSnapshot() ()
#9  0x58baaa51 in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) ()
#10 0x58ba8cee in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) ()
#11 0x58ba516b in WarpScriptOracle::createScriptSnapshot() ()
#12 0x58baaa51 in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) ()
#13 0x58ba8cee in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) ()
#14 0x58ba516b in WarpScriptOracle::createScriptSnapshot() ()
#15 0x58baaa51 in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) ()
#16 0x58ba8cee in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) ()
#17 0x58ba516b in WarpScriptOracle::createScriptSnapshot() ()
#18 0x58baaa51 in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) ()
#19 0x58ba8cee in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) ()
#20 0x58ba516b in WarpScriptOracle::createScriptSnapshot() ()
#21 0x58ba4944 in js::jit::WarpOracle::createSnapshot() ()
#22 0x58f68064 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) ()
#23 0x58f313d2 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#24 0x58f3232c in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#25 0x58f31d93 in js::jit::IonCompileScriptForBaselineAtEntry(JSContext*, js::jit::BaselineFrame*) ()
#26 0x2a14ddb8 in ?? ()
[...]
#38 0x2a1437ed in ?? ()
#39 0x589e1f78 in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) ()
#40 0x57f3ba40 in js::Interpret(JSContext*, js::RunState&) ()
#41 0x57f3514b in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) ()
#42 0x57f34b51 in js::RunScript(JSContext*, js::RunState&) ()
[...]
#50 0x57da360a in main ()
eax	0x567ea4dc	1451140316
ebx	0x597b2370	1501242224
ecx	0x597b802c	1501265964
edx	0x0	0
esi	0xf6e88310	-152534256
edi	0xf5b81350	-172485808
ebp	0xffffac68	4294945896
esp	0xffffab90	4294945680
eip	0x58bab05a <WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*)+2618>
=> 0x58bab05a <_ZN16WarpScriptOracle15maybeInlineCallERN7mozilla10LinkedListIN2js3jit14WarpOpSnapshotEEENS2_16BytecodeLocationEPNS3_13ICCacheIRStubEPNS3_14ICFallbackStubEPh+2618>:	movl   $0x44d,0x0
   0x58bab064 <_ZN16WarpScriptOracle15maybeInlineCallERN7mozilla10LinkedListIN2js3jit14WarpOpSnapshotEEENS2_16BytecodeLocationEPNS3_13ICCacheIRStubEPNS3_14ICFallbackStubEPh+2628>:	call   0x57e39ac0 <abort>

Test only reproduces on 32-bit for me. I thought we already had this on file but couldn't find any related bug.

Attached file Testcase

This only affects 32-bit x86 because we don't support JSOp::GetElemSuper there in Warp. There might be other ways to trigger the same failure on 64-bit platforms though.

Cleaned up test below.

We do recursive inlining of f => Cls constructor => f etc. The call from f to the constructor is trial-inlined. The call from the constructor to f uses monomorphic inlining. The constructor calls f before we abort compilation of it due to the GetElemSuper, so we're pretty deep into this inlining chain when we hit the assertion failure.

I think this is just an invalid assertion: we account for monomorphic inlining here but there's a similar failure case when you mix monomorphic and trial inlining multiple levels deep.

I'll take a closer look later this week. Let's keep this hidden for now.

// --no-threads
class Cls {
  constructor(x) {
    f(x);
    super[this];
  }
}
function f(x) {
  if (x > 0) {
    new Cls(x - 1);
  }
}
function test() {
  for (var i = 0; i < 1000; i++) {
    f(5);
  }
}
test();
Flags: needinfo?(jdemooij)
Blocks: sm-security
Severity: -- → S3
Priority: -- → P1

Verified bug as reproducible on mozilla-central 20241022095236-1fc2a51d27a0.
The bug appears to have been introduced in the following build range:

Start: aff56b190cf1082026365edc2083a84cd6df90eb (20240821221318)
End: 1a4a6fac8bba43bdc17254bc7d70e6c9ef450948 (20240822002450)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=aff56b190cf1082026365edc2083a84cd6df90eb&tochange=1a4a6fac8bba43bdc17254bc7d70e6c9ef450948

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

This assertion was added by Ian when he landed the testcase for bug 1841082 (sec bug fixed in Fx117).
https://hg.mozilla.org/integration/autoland/rev/176b6edd9b7001e16ba0df714b10193fed9bedf0

I don't know if that makes this a regression from 1841082, or evidence for a similar bug triggered in some other way.

Flags: needinfo?(iireland)

This bug has been marked as a regression. Setting status flag for Nightly to affected.

The case where the stub has already been unlinked isn't limited to monomorphic
recursive inlining, but can also happen if the 'inlining stack' has a mix
of monomorphic and trial inlining.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Flags: needinfo?(iireland)
Group: javascript-core-security
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/34897a2036a6 Fix assertion in maybeInlineCall to account for a combination of monomorphic and trial inlining. r=iain

Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:jandem, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(jdemooij)
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

Verified bug as fixed on rev mozilla-central 20241030155801-ae91dcae58b1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(jdemooij)
Regressed by: 1841082