1115665 - Crash at SIGTRAP or Assertion failure: Incorrect range for Value., at jit/MacroAssembler.cpp

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Randomly chosen test: js/src/jit-test/tests/ion/bug836705.js
Object.prototype[3] = 3
// Randomly chosen test: js/src/jit-test/tests/jaeger/loops/bug658290.js
x = Array()
function f() {
    for (i = 0; i < 9; i++) {
        if (Object[x++] != 0) {}
    }
}
f()

asserts js debug shell on m-c changeset 986ef444a8bb with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis at Assertion failure: Incorrect range for Value., at jit/MacroAssembler.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/986ef444a8bb/js/src/jit-test/tests/ion/bug836705.js
http://hg.mozilla.org/mozilla-central/file/986ef444a8bb/js/src/jit-test/tests/jaeger/loops/bug658290.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0b155176f4eb
user:        Hannes Verschore
date:        Wed Dec 24 15:01:03 2014 +0100
summary:     Bug 1107328 - IonMonkey: Also check for boxed constants when checking for constants, r=jandem

(Setting s-s because this causes a SIGTRAP and fuzzblocker because it crashes in optimized builds without any signature, which makes it hard to ignore)

Hannes, is bug 1107328 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

The attachment shows the stack for debug builds, while the following is for opt builds:

Process 628 stopped
* thread #1: tid = 0x82523, 0x00000001016dd08a, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
    frame #0: 0x00000001016dd08a
-> 0x1016dd08a:  movabsq $0x10235e060, %rax
   0x1016dd094:  movq   0x10(%rax), %rax
   0x1016dd098:  movl   0x9a0(%rax), %ecx
   0x1016dd09e:  addl   $0x1, %ecx
(lldb) bt
* thread #1: tid = 0x82523, 0x00000001016dd08a, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x00000001016dd08a
(lldb)

Comment 2

[Hannes Verschore [:h4writer]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> Hannes, is bug 1107328 a likely regressor?

Very possibly. Fixed a similar issue before pushing. The codebase is too used that a constant value means we can do optimizations without doing specific checks. (Which happens to mostly work, since we would box inputs for un-optimizable cases).

Taking

Comment 3

[Hannes Verschore [:h4writer]]

Attachment: Don't do beta optimizations for Compare_Value compares

Comment 4

[Hannes Verschore [:h4writer]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/0c531e14936b

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/0c531e14936b

Comment 6

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.