Closed
Bug 968931
Opened 10 years ago
Closed 10 years ago
Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Modified registers between VM call and OsiPoint)), at jit/shared/CodeGenerator-shared.cpp:536
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla31
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(Keywords: assertion, sec-other, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
5.53 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 1e9f169c9715 (run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking): enableOsiPointRegisterChecks(); eval('(function () {\ var s = "{}";\ for (var i = 0; i < 19; i++)\ s += s;\ eval(s);\ })();\ ');
Updated•10 years ago
|
Flags: needinfo?(jdemooij)
Reporter | ||
Comment 1•10 years ago
|
||
This problem could be related to --ion-regalloc=backtracking only, then it wouldn't be a security problem. Locking s-s until this is confirmed.
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect]
Comment 2•10 years ago
|
||
I'm unable to reproduce this with the revision + shell flags in comment 0, x86 debug build on OS X. NI from decoder, this one shouldn't be too hard to figure out once I have access to a machine where this reproduces.
Flags: needinfo?(choller)
Updated•10 years ago
|
Flags: needinfo?(jdemooij)
Reporter | ||
Comment 3•10 years ago
|
||
This still reproduces easily for me. Jan can you try the following config flags on a 32 bit Linux? --disable-threadsafe --enable-debug --enable-optimize --enable-valgrind (+ 32 bit stuff)
Flags: needinfo?(choller)
Updated•10 years ago
|
Flags: needinfo?(jdemooij)
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 4•10 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/f030f97fcf10 user: Dan Gohman date: Thu Oct 24 20:34:54 2013 -0700 summary: Bug 875656 - IonMonkey: Juggle registers around to reduce the number of temporaries needed by LConcat. r=bhackett This iteration took 380.333 seconds to run.
Reporter | ||
Comment 5•10 years ago
|
||
Needinfo from :sunfish based on comment 4 :)
Flags: needinfo?(dgohman)
Comment 6•10 years ago
|
||
Looks like a backtracking allocator bug. I'll investigate.
Assignee: nobody → sunfish
Flags: needinfo?(sunfish)
Comment 7•10 years ago
|
||
This also needs --ion-parallel-compile=off to reproduce reliably. It does appear to be backtracking only. Here's a simplified testcase that also fails with --ion-eager --ion-regalloc=backtracking --ion-parallel-compile=off on x86 linux: (function () { var s = "{}"; for (var i = 0; i < 19; i++) s += s; eval(s); })(); The OsiPoint that triggers this error is the one immediately after the Concat. The mismatch is with %edx, which is Concat's output register.
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Reporter | ||
Comment 8•10 years ago
|
||
JSBugMon: Cannot process bug: Unknown exception (check manually)
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Assignee | ||
Comment 9•10 years ago
|
||
Assignee: sunfish → hv1989
Attachment #8396528 -
Flags: review?(jdemooij)
Updated•10 years ago
|
Attachment #8396528 -
Attachment is patch: true
Comment 10•10 years ago
|
||
Comment on attachment 8396528 [details] [diff] [review] bug968931-backtracking-assert Review of attachment 8396528 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for fixing this! ::: js/src/jit/LiveRangeAllocator.h @@ +689,5 @@ > + if (interval->index() == 0 && !reg->isTemp()) { > +#ifdef CHECK_OSIPOINT_REGISTERS > + // We don't add the output register to the safepoint, > + // but it still might get added as one of the inputs. > + // So eagerly add this reg to the safepoint clobbered register. Nit: s/clobbered register/clobbered registers @@ +691,5 @@ > + // We don't add the output register to the safepoint, > + // but it still might get added as one of the inputs. > + // So eagerly add this reg to the safepoint clobbered register. > + LSafepoint *safepoint = reg->ins()->safepoint(); > + if (safepoint) Nit: if (LSafepoint *safepoint = reg->ins()->safepoint()) ::: js/src/jit/shared/CodeGenerator-shared.cpp @@ +564,2 @@ > // temps after calling into the VM. This is fine because no other > + // instructions (including this OsiPoint) will depend on them. The same Nit: finish last sentence
Attachment #8396528 -
Flags: review?(jdemooij) → review+
Updated•10 years ago
|
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 11•10 years ago
|
||
Opening the bug, since this is a assertion is over-restrictive.
Group: core-security
Assignee | ||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2dc1dab474ab
https://hg.mozilla.org/mozilla-central/rev/2dc1dab474ab
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
You need to log in
before you can comment on or make changes to this bug.
Description
•