Closed Bug 1117099 Opened 5 years ago Closed 5 years ago

Assertion failure: mir->type() == MIRType_Value, at js/src/jit/x64/Lowering-x64.cpp:21

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla37
Tracking Status
firefox36 --- unaffected
firefox37 --- verified
firefox-esr31 --- unaffected

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 13fe5ad0364d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

function reportCompare (expected, actual, description) {
  if (expected != actual) {}
}
reportCompare(1);
addThis();
function addThis() {
  for (var i=0; i<UBound; i++)
    reportCompare( true | this && this );
}
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6857700 (LWP 11794)]
0x00000000008a50e0 in js::jit::LIRGeneratorX64::useBox (this=0x7ffff6855f50, lir=0x1b5d3a8, n=0, mir=0x1b57800, policy=<optimized out>, useAtStart=<optimized out>) at js/src/jit/x64/Lowering-x64.cpp:21
21	    MOZ_ASSERT(mir->type() == MIRType_Value);
#0  0x00000000008a50e0 in js::jit::LIRGeneratorX64::useBox (this=0x7ffff6855f50, lir=0x1b5d3a8, n=0, mir=0x1b57800, policy=<optimized out>, useAtStart=<optimized out>) at js/src/jit/x64/Lowering-x64.cpp:21
#1  0x000000000072c5a9 in js::jit::LIRGenerator::visitTest (this=0x7ffff6855f50, test=0x1b587c8) at js/src/jit/Lowering.cpp:736
#2  0x00000000006dc62f in js::jit::LIRGenerator::visitInstruction (this=0x7ffff6855f50, ins=0x1b587c8) at js/src/jit/Lowering.cpp:4106
#3  0x00000000007111a1 in visitInstruction (ins=0x1b587c8, this=0x7ffff6855f50) at js/src/jit/Lowering.cpp:4104
#4  js::jit::LIRGenerator::visitBlock (this=0x7ffff6855f50, block=0x1b57cb8) at js/src/jit/Lowering.cpp:4206
#5  0x00000000007114bb in js::jit::LIRGenerator::generate (this=0x7ffff6855f50) at js/src/jit/Lowering.cpp:4249
#6  0x00000000007587e7 in js::jit::GenerateLIR (mir=0x1b51218) at js/src/jit/Ion.cpp:1621
#7  0x0000000000768299 in js::jit::CompileBackEnd (mir=0x1b51218) at js/src/jit/Ion.cpp:1730
#8  0x0000000000a3cf68 in js::HelperThread::handleIonWorkload (this=0x1a065b0) at js/src/vm/HelperThreads.cpp:1075
#9  0x0000000000a3e829 in js::HelperThread::threadLoop (this=0x1a065b0) at js/src/vm/HelperThreads.cpp:1371
#10 0x0000000000ab5df1 in nspr::Thread::ThreadRoutine (arg=0x1a0a370) at js/src/vm/PosixNSPR.cpp:45
#11 0x00007ffff7bc4e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007ffff6cc4ccd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000000000 in ?? ()

Marking this s-s because the assertion can indicate type confusions and was previously associated with sec-high/critical bugs.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f8e5c5ed14cb
user:        Jan de Mooij
date:        Sat Dec 27 13:55:06 2014 +0100
summary:     Bug 1114574 - Refactor and improve MCompare::tryFold. r=h4writer

This iteration took 326.183 seconds to run.
Attached patch: Patch
Lowering Compare_Null/Compare_Undefined expects the LHS to be either a Value or object. Bug 1114574 broke this because operandMightEmulateUndefined() can be true even if the operand can't be an object (see also bug 1109054).

Simplest fix for now is to check operandMightEmulateUndefined() only if the LHS might be an object.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8543334 - Flags: review?(hv1989)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
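To illustrate the fold/lowering interaction described in the patch comment, here is an added, simplified C++ model (not SpiderMonkey code; MirType, CompareNode, tryFoldBuggy, tryFoldFixed, foldResult and lowerCompareOk are this example's own names): an Int32 operand whose emulate-undefined flag is set is left unfolded by the pre-fix predicate and reaches lowering with a non-boxable LHS, while the fixed predicate consults the flag only for operands that might be objects and folds the compare first.

```cpp
// Added example, not SpiderMonkey code: a simplified model of the tryFold
// decision for Compare_Null/Compare_Undefined and of the precondition the
// MOZ_ASSERT in LIRGeneratorX64::useBox enforces. All names here (MirType,
// CompareNode, tryFoldBuggy, tryFoldFixed, lowerCompareOk) are the example's own.
enum class MirType { Value, Object, Int32, Boolean, String, Null, Undefined };
struct CompareNode {
    MirType lhsType;             // inferred type of the compared operand
    bool mightEmulateUndefined;  // stands in for operandMightEmulateUndefined()
    bool isNotEqual;             // != / !== rather than == / ===
};

// Lowering of a compare against null/undefined only handles a boxed Value
// or an object pointer as the LHS; anything else trips the assertion.
static bool lhsBoxable(MirType t) { return t == MirType::Value || t == MirType::Object; }

// Fold "x == undefined" / "x == null" to a constant when x can never be
// null or undefined. A Value-typed LHS is treated as "could be anything".
// Pre-fix behaviour: the emulate-undefined flag alone blocks the fold, even
// when the operand cannot be an object, so an Int32 compare reaches lowering.
bool tryFoldBuggy(const CompareNode& c, bool* result) {
    if (c.lhsType == MirType::Value || c.lhsType == MirType::Null ||
        c.lhsType == MirType::Undefined || c.mightEmulateUndefined)
        return false;
    *result = c.isNotEqual;  // never equal to null/undefined, so != is true
    return true;
}

// Post-fix behaviour: consult the flag only if the LHS might be an object.
bool tryFoldFixed(const CompareNode& c, bool* result) {
    bool mightBeObject = lhsBoxable(c.lhsType);
    if (c.lhsType == MirType::Value || c.lhsType == MirType::Null ||
        c.lhsType == MirType::Undefined ||
        (mightBeObject && c.mightEmulateUndefined))
        return false;
    *result = c.isNotEqual;
    return true;
}

// -1 when the compare is not folded, otherwise the folded constant (0 or 1).
int foldResult(const CompareNode& c, bool (*tryFold)(const CompareNode&, bool*)) {
    bool r = false;
    return tryFold(c, &r) ? (r ? 1 : 0) : -1;
}

// True if the compare either folds away or reaches lowering with a boxable
// LHS; false means the MOZ_ASSERT from the backtrace would fire.
bool lowerCompareOk(const CompareNode& c, bool (*tryFold)(const CompareNode&, bool*)) {
    return foldResult(c, tryFold) != -1 || lhsBoxable(c.lhsType);
}
```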
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 57e4e9c33bef).
Attachment #8543334 - Flags: review?(hv1989) → review+
(and sorry about the delay)
Marking sec-high because it looks like some kind of type confusion.
Keywords: sec-high
https://hg.mozilla.org/mozilla-central/rev/3e1dac3caabe
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security