Closed Bug 1032264 Opened 10 years ago Closed 10 years ago

Assertion failure: end-of-block assumed unreachable, at jit/IonMacroAssembler.cpp:1314 or SIGTRAP

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox32 --- unaffected
firefox33 --- verified
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected

People

(Reporter: decoder, Assigned: shu)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Fix converting MThrow in ParallelSafetyAnalysis.
929 bytes, patch
sunfish
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision b6408c32a170 (threadsafe build, run with --fuzzing-safe --thread-count=2):


for (var a = 0; a < 2000; a++) {
  Array.buildPar(500, (function() {
    try {
      throw a;
    } catch (Infinity) {}
  }));
}
This crashes on the heap with SIGTRAP, in debug builds it also emits the mentioned assertion before doing so. Marked s-s because this seems like some out-of-range problem, possibly jumping where we shouldn't. It might be possible to not only hit SIGTRAP but maybe also something useful for exploiting.
status-firefox33: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Another testcase without the for loop:

Array.buildPar(16427, function(x) {
    if (x % 633 == 503) {
        throw x;
    }
});

$ ./js-dbg-opt-64-prof-ts-darwin-b6408c32a170 --ion-offthread-compile=off --ion-eager w109-reduced.js
Assertion failure: end-of-block assumed unreachable, at /Users/skywalker/trees/mozilla-central/js/src/jit/IonMacroAssembler.cpp:1314
Trace/BPT trap: 5

Tested on m-c rev b6408c32a170.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0fca95e6e0f
user:        Shu-yu Guo
date:        Fri Jun 20 18:39:14 2014 -0700
summary:     Bug 1019304 - Part 4: Add MUnreachable to end basic blocks that have bails in them. (r=sunfish)

Shu-yu, is bug 1019304 a likely regressor?
Blocks: 1019304
status-firefox32: --- → unaffected
Flags: needinfo?(shu)
Keywords: regression
OS: Linux → All
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Stupid mistake on my part. Forgot to add the MBail to the bblock.
Attachment #8448243 - Flags: review?(sunfish)
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Attachment #8448243 - Flags: review?(sunfish) → review+
https://hg.mozilla.org/mozilla-central/rev/9b64b4c85015
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox33: affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Status: RESOLVED → VERIFIED
status-firefox33: fixedverified
JSBugMon: This bug has been automatically verified fixed.
Depends on: 1036792
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: