Bug 779245 (Closed) - Opened 12 years ago, closed 12 years ago

IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]

Product/Component: Core :: JavaScript Engine
Type: defect
Version: Other Branch
Platform/OS: x86 / Linux
Priority: Not set
Severity: major
Status: VERIFIED FIXED
Tracking Status: firefox-esr10 --- unaffected
Reporter: decoder
Assignee: nbp
Keywords: assertion, testcase
Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Attachments: 1 file
The following testcase asserts on ionmonkey revision b46621aba6fd (run with --ion -n -m):


function printStatus (msg) {
  var lines = msg.split ("\n");
}
// Expression closure (a SpiderMonkey extension): enterFunc has no block
// body and returns the function expression on the following line.
function enterFunc (funcName)
function GetContext() {}
test();
function test() {
  enterFunc ();
  printStatus ("");
  // The loop condition is false from the start, so the body never runs.
  for (let j = (32); j < 5; ++j)
    actual && ("0" in [3]);
  // Recursive constructor call: test() re-enters itself with a constructing
  // frame (the kind of call the fix title, JM calling into Ion, is about).
  new test();
}
Causing quite a few sigs.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Just found a test (less reduced) that causes the same assert but crashes in opt builds, but only in GDB, not in valgrind:


Program received signal SIGSEGV, Segmentation fault.
GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110
110             return Type::ObjectType(&val.toObject());
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt 8
#0  GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110
#1  js::types::TypeMonitorResult (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:4915
#2  0x00000000006b9010 in Monitor (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>) at ../jsinferinlines.h:758
#3  js_InternalInterpret (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/methodjit/InvokeHelpers.cpp:1100
#4  0x0000000000625839 in JaegerInterpoline ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x4846c9 <js::types::TypeMonitorResult(JSContext*, JSScript*, jsbytecode*, JS::Value const&)+313>:   mov    0x8(%r12),%rcx
(gdb) info reg r12 rcx
r12            0x0      0
rcx            0xfffb7fffffffffff       -1266637395197953


Assuming this is some form of memory corruption due to the symptoms, marking S-s.
Group: core-security
Crash Signature: [@ GetValueType]
Summary: IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 → IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]
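The backtrace above ends in GetValueType doing `Type::ObjectType(&val.toObject())` with the object register r12 equal to 0, i.e. a tagged value that was never an object being unboxed as one. The following is an added illustration of that failure mode and of the invariant the assertion `!thisv.isPrimitive()` encodes; it is not code from this bug, from the attached patch or from SpiderMonkey. The tag constants, the 47-bit payload split, the `Object` layout and all function names are assumptions made for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a NaN-boxed 64-bit JS value. The tag constants and the
 * 47-bit payload split are ASSUMED for this example; they are not
 * SpiderMonkey's real JS::Value encoding. */
#define TAG_SHIFT    47
#define PAYLOAD_MASK ((1ULL << TAG_SHIFT) - 1)

enum tag {
    TAG_INT32     = 0x1fff1,
    TAG_UNDEFINED = 0x1fff2,
    TAG_BOOLEAN   = 0x1fff6,
    TAG_OBJECT    = 0x1fffc,
};

typedef struct { uint64_t bits; } Value;
/* Toy object: the word at offset 8 stands in for what the crash site loads
 * (mov 0x8(%r12),%rcx in the report). */
typedef struct { uint64_t shape; uint64_t type; } Object;

static Value box(enum tag t, uint64_t payload) {
    Value v = { ((uint64_t)t << TAG_SHIFT) | (payload & PAYLOAD_MASK) };
    return v;
}
static enum tag tag_of(Value v)   { return (enum tag)(v.bits >> TAG_SHIFT); }
static bool is_object(Value v)    { return tag_of(v) == TAG_OBJECT; }
static bool is_primitive(Value v) { return !is_object(v); }

/* What an unchecked toObject() amounts to: strip the tag and treat the
 * payload as a pointer. On a primitive this is a bogus pointer; for
 * |undefined| the payload is 0, matching r12 == 0 in the backtrace. */
static Object *to_object_unchecked(Value v) {
    return (Object *)(uintptr_t)(v.bits & PAYLOAD_MASK);
}

/* Hardened accessor: only produce a pointer when the tag says object. */
static bool to_object_checked(Value v, Object **out) {
    if (!is_object(v)) return false;
    *out = to_object_unchecked(v);
    return true;
}

/* Address the unchecked path would dereference when it reads the type word
 * at offset 8; computed rather than performed so the program does not fault. */
static uintptr_t bogus_load_address(Value v) {
    return (uintptr_t)to_object_unchecked(v) + offsetof(Object, type);
}

/* A frame as the bailout sees it: if the caller flagged it as constructing,
 * |this| must already be an object. A caller that sets the flag wrongly
 * violates this, which is what the debug assertion catches. */
typedef struct { bool is_constructing; Value thisv; } Frame;

static bool frame_this_consistent(const Frame *f) {
    return !(f->is_constructing && is_primitive(f->thisv));
}

/* Type-monitoring step with the check in place: returns the object's type
 * word, or sets *ok = false instead of dereferencing a bad pointer. */
static uint64_t monitor_result_type(Value rval, bool *ok) {
    Object *obj;
    if (!to_object_checked(rval, &obj)) { *ok = false; return 0; }
    *ok = true;
    return obj->type;
}

/* Scenario from the report: a frame mis-flagged as constructing whose
 * |this| is undefined. Returns the address the unchecked load would hit. */
static uintptr_t demo_misflagged_frame(void) {
    Frame f = { true, box(TAG_UNDEFINED, 0) };
    assert(!frame_this_consistent(&f));
    return bogus_load_address(f.thisv);          /* 8: near-NULL read */
}

/* The checked path round-trips a real object and refuses a primitive. */
static bool demo_checked_accessor(void) {
    static Object o = { 0x1234, 0xbeef };
    Value ov = box(TAG_OBJECT, (uint64_t)(uintptr_t)&o);
    Value bv = box(TAG_BOOLEAN, 1);
    bool ok;
    uint64_t t = monitor_result_type(ov, &ok);
    if (!ok || t != 0xbeef) return false;
    monitor_result_type(bv, &ok);
    return !ok && bogus_load_address(bv) == 9;   /* would read address 9 */
}

int main(void) {
    printf("mis-flagged frame: unchecked load at %#lx\n",
           (unsigned long)demo_misflagged_frame());
    printf("checked accessor ok: %d\n", demo_checked_accessor());
    return 0;
}
```

The point of the model is the payload arithmetic: once a caller's "this is an object" claim is trusted, a primitive's payload becomes the pointer, so `undefined` gives a near-NULL read (the SIGSEGV seen here) while an int32 or boolean gives a small attacker-influenced address, which is why a primitive `this` reaching an object-only path is treated as a security bug rather than a plain crash.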
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Comment on attachment 650358 [details] [diff] [review]
Fix isConstructing when JM is calling Into Ion.

Review of attachment 650358 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch.
Attachment #650358 - Flags: review?(dvander) → review+
Comment on attachment 650358 [details] [diff] [review]
Fix isConstructing when JM is calling Into Ion.

https://hg.mozilla.org/projects/ionmonkey/rev/7fcedafba16d
Attachment #650358 - Flags: checkin+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security