Closed Bug 1041746 Opened 5 years ago Closed 5 years ago

Assertion failure: !rep->isInWorklist() (Dead value in set), at jit/ValueNumbering.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64 macOS, defect, priority: Not set, severity: critical

Tracking


VERIFIED FIXED
mozilla34
Tracking Status
firefox32 --- unaffected
firefox33 --- fixed
firefox34 --- verified
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.1 --- fixed

People

(Reporter: gkw, Assigned: sunfish)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Attached file stack
(function() {
    var Infinity = this.Infinity
    var Float32ArrayView = Float32Array(ArrayBuffer)
        function f() {
            (6 ? undefined : d)(Infinity)
            Float32ArrayView[(f ? 4294967295 : 2) - 4294967295 >> 2];
            (1)(0)
        }
    f()
})()

asserts js debug shell on m-c changeset 0894d2cdb16d with --ion-eager --ion-offthread-compile=off at Assertion failure: !rep->isInWorklist() (Dead value in set), at jit/ValueNumbering.cpp

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f199144be062
user:        Dan Gohman
date:        Thu Jul 17 11:56:38 2014 -0700
summary:     Bug 1039667 - IonMonkey: Clear the Guard flag when folding away MBoundsCheck instructions r=jandem

Dan, is bug 1039667 a likely regressor?
Flags: needinfo?(sunfish)
OK. I've been investigating and thinking about bug 1031410, and now I think that having GVN automatically clear IsGuard flags is the right thing to do. That fixes this bug too; it's effectively what the old GVN did, and it's simpler than having foldsTo methods clear IsGuard.
Assignee: nobody → sunfish
Attachment #8459969 - Flags: review?(nicolas.b.pierron)
Flags: needinfo?(sunfish)
Attachment #8459969 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/cd2bf43234a3
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Group: core-security
Comment on attachment 8459969 [details] [diff] [review]
gvn-clear-isguard.patch

Approval Request Comment
[Feature/regressing bug #]: 1039667
[User impact if declined]: Possible security bug
[Describe test coverage new/current, TBPL]: TBPL
[Risks and why]: 

There's currently no known way to exploit this bug. It's not known if it is actually exploitable. The only known testcase that exposes the bug trips an assertion in debug builds (which is how it got found) and behaves harmlessly in release builds. Attempts at modifying the testcase to make it more dangerous didn't produce anything dangerous.

However, we have a simple fix, so it seems best to take it rather than take the chance.

[String/UUID change made/needed]: none
Attachment #8459969 - Flags: approval-mozilla-aurora?
Attachment #8459969 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security