Closed Bug 1057248 Opened 5 years ago Closed 5 years ago

Crash at a weird memory address or Assertion failure: [infer failure] Missing type in object [0x101d9e740] fileName: float,

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla34
Tracking Status
firefox31 --- unaffected
firefox32 --- unaffected
firefox33 --- unaffected
firefox34 --- verified
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.1 --- fixed

People

(Reporter: gkw, Assigned: luke)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [fuzzblocker])

Attachments

(3 files)

Attached file stack
The upcoming testcase crashes js debug shell on m-c changeset cd2acc7ab2f8 from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1408670600/jsshell-mac64.zip

I had 2 bisection results:

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140821115117" and the hash "e4886c5bea1c".
The "bad" changeset has the timestamp "20140821124919" and the hash "d0dd7f70b560".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e4886c5bea1c&tochange=d0dd7f70b560

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140821092014" and the hash "36ffb9b24c56".
The "bad" changeset has the timestamp "20140821095114" and the hash "6b9c89464dc6".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=36ffb9b24c56&tochange=6b9c89464dc6

Nicolas / Luke, not sure which changeset is at fault here, any ideas?
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(luke)
Attached file testcase
$ jsshell-mac64/js --ion-eager --ion-offthread-compile=off w90-reduced.js
Segmentation fault: 11
Keywords: assertion
Summary: Crash at a weird memory address involving "use asm" → Crash at a weird memory address involving "use asm" or Assertion failure: [infer failure] Missing type in object [0x101d9e740] fileName: float,
Likely not directly related to asm.js.
Flags: needinfo?(luke)
Jan, :nbp is away for awhile, do you think you're able to take a look?
Flags: needinfo?(jdemooij)
(In reply to Gary Kwong [:gkw] [:nth10sd] work week Aug 18 - 22 from comment #4)
> Jan, :nbp is away for awhile, do you think you're able to take a look?

Yes I'm looking into this now. With --ion-eager --ion-offthread-compile=off it repros about 40% of the time for me. With --ion-eager --no-threads it also repros but a lot less frequently, about 1% of the time.

Stay tuned.
Jan, thanks for looking at this. Unfortunately this is really annoying for the fuzzers (as there has been a deluge of fuzzing issues over the weekend), so setting [fuzzblocker].
Summary: Crash at a weird memory address involving "use asm" or Assertion failure: [infer failure] Missing type in object [0x101d9e740] fileName: float, → Crash at a weird memory address or Assertion failure: [infer failure] Missing type in object [0x101d9e740] fileName: float,
Whiteboard: [fuzzblocker]
Oops, I only saw the first regression range in comment 0, not the second one.  Jan did most of the work to demonstrate that this was an asm.js SharedArrayBuffer-only bug (caused by the second regression range).  Fix in a sec.
Assignee: nobody → luke
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(jdemooij)
Attached patch fix-sab-bug
Attachment #8478290 - Flags: review?(jdemooij)
Attachment #8478290 - Flags: review?(jdemooij) → review+
Assuming sec-critical as this is a type-inference failure, and this seems to be trunk-only (see comment 7), so sec-approval is unlikely to be required.

Thanks for fixing, I hope it's alright for me to help land this to help unbreak the fuzzers for tomorrow.
https://hg.mozilla.org/mozilla-central/rev/2e67ec183732
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security
Group: core-security