Closed
Bug 1005590
Opened 10 years ago
Closed 10 years ago
Crash [@ js::jit::MacroAssembler::branchIfTrueBool] or Assertion failure: lir->mir()->operand()->mightBeType(MIRType_Object), at jit/CodeGenerator.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla32
Tracking | Status | |
---|---|---|
firefox29 | --- | unaffected |
firefox30 | --- | unaffected |
firefox31 | --- | unaffected |
firefox32 | --- | verified |
firefox-esr24 | --- | unaffected |
b2g-v1.2 | --- | unaffected |
b2g-v1.3 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | fixed |
People
(Reporter: gkw, Assigned: bzbarsky)
References
Details
(6 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(3 files)
function f(x) { "use asm" return !(1 || x) } for (var j = 0; j < 1; j++) { (function(x) { +f(+x) })() } asserts js debug shell on m-c changeset 3285e030d9c0 with --ion-eager --ion-parallel-compile=off at Assertion failure: lir->mir()->operand()->mightBeType(MIRType_Object), at jit/CodeGenerator.cpp (it goes away with --no-asmjs) My configure flags are: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options> autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/4c874962ee02 user: Boris Zbarsky date: Sat May 03 01:08:13 2014 -0400 summary: Bug 1004198. Improve codegen in testValueTruthyKernel to emit as few tests as we can get away with given our type inference information. r=jandem bz, is bug 1004198 a likely regressor? (s-s and assuming sec-high first due to this being LIR / MIR-related.)
Flags: needinfo?(bzbarsky)
Reporter | ||
Comment 1•10 years ago
|
||
This crashes opt shell at js::jit::MacroAssembler::branchIfTrueBool and seems to access weird memory addresses. Configuration for opt shell: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
Reporter | ||
Comment 2•10 years ago
|
||
> This crashes opt shell at js::jit::MacroAssembler::branchIfTrueBool and
> seems to access weird memory addresses.
-> 0x10019fafc: movl (%r13), %eax
0x10019fb00: leal (%rax,%rax), %ebx
0x10019fb03: sarl %ebx
0x10019fb05: testl %eax, %eax
(lldb) x/b $r13
error: memory read failed for 0x7463656a624f5e00
(lldb) x/b $eax
error: memory read failed for 0x200
(lldb)
Let's assume sec-critical for now.
Crash Signature: [@ js::jit::MacroAssembler::branchIfTrueBool]
status-firefox29:
--- → unaffected
status-firefox30:
--- → unaffected
status-firefox31:
--- → unaffected
status-firefox32:
--- → affected
status-firefox-esr24:
--- → unaffected
Summary: OdinMonkey: Assertion failure: lir->mir()->operand()->mightBeType(MIRType_Object), at jit/CodeGenerator.cpp → OdinMonkey: Crash [@ js::jit::MacroAssembler::branchIfTrueBool] or Assertion failure: lir->mir()->operand()->mightBeType(MIRType_Object), at jit/CodeGenerator.cpp
Assignee | ||
Comment 3•10 years ago
|
||
> bz, is bug 1004198 a likely regressor?
Yes.
This looks like the same issue I ran into with MTest: we start off with an MPhi between an MConstant and an MParameter, then someone swizzles it out from under us.
Assignee: nobody → bzbarsky
Flags: needinfo?(bzbarsky)
Assignee | ||
Comment 4•10 years ago
|
||
Jan, what's the right way to add this crashtest to our JS tests?
Attachment #8417029 -
Flags: review?(jdemooij)
Comment 5•10 years ago
|
||
Comment on attachment 8417029 [details] [diff] [review] MNot can also end up with a known-not-object type even while we think it might emulate undefined. Guard against that Review of attachment 8417029 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for fixing this so quickly. (In reply to Boris Zbarsky [:bz] from comment #4) > Jan, what's the right way to add this crashtest to our JS tests? Copy the testcase in comment 0 (or a better one) to js/src/jit-test/tests/ion/bug1005590.js, and make sure the following command shows test failures without the patch: jit_test.py --tbpl $path-to-js bug1005590 --tbpl runs jit-tests also with "--ion-eager --ion-parallel-compile=off" so you should get at least one failure.
Attachment #8417029 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 6•10 years ago
|
||
Perfect, thanks. https://hg.mozilla.org/integration/mozilla-inbound/rev/fbe9c7cc085d
Updated•10 years ago
|
Crash Signature: [@ js::jit::MacroAssembler::branchIfTrueBool] → [@ js::jit::MacroAssembler::branchIfTrueBool]
[@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
[@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
Keywords: topcrash
Comment 8•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fbe9c7cc085d
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::jit::MacroAssembler::branchIfTrueBool]
[@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
[@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)] → [@ js::jit::MacroAssembler::branchIfTrueBool]
[@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
[@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
Comment 9•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Assignee | ||
Comment 10•10 years ago
|
||
Gary, does this need to remain security-sensitive?
Crash Signature: [@ js::jit::MacroAssembler::branchIfTrueBool]
[@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
[@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)] → [@ js::jit::MacroAssembler::branchIfTrueBool]
[@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
[@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
Flags: needinfo?(gary)
Reporter | ||
Comment 11•10 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #10) > Gary, does this need to remain security-sensitive? Is this likely exploitable? The rating of sec-high was a guess, would something else be a better rating? It can be opened up if it is not a security issue.
Flags: needinfo?(gary) → needinfo?(bzbarsky)
Assignee | ||
Comment 12•10 years ago
|
||
> Is this likely exploitable?
I don't know. All the crash-stats crashes are at 0x4 or 0xffffffff, looks like.
More importantly, this was nightly-only and is fixed...
Flags: needinfo?(bzbarsky)
Updated•10 years ago
|
Summary: OdinMonkey: Crash [@ js::jit::MacroAssembler::branchIfTrueBool] or Assertion failure: lir->mir()->operand()->mightBeType(MIRType_Object), at jit/CodeGenerator.cpp → Crash [@ js::jit::MacroAssembler::branchIfTrueBool] or Assertion failure: lir->mir()->operand()->mightBeType(MIRType_Object), at jit/CodeGenerator.cpp
Updated•10 years ago
|
Crash Signature: [@ js::jit::MacroAssembler::branchIfTrueBool]
[@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
[@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)] → [@ js::jit::MacroAssembler::branchIfTrueBool]
[@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
[@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
Comment 14•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed on Fx32
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•