Closed Bug 1148375 Opened 5 years ago Closed 5 years ago

Assertion failure: this->is<MIRType>(), at js/src/jit/MIR.h:774 with TypedObject


(Core :: JavaScript Engine, defect, critical)




Tracking Status
firefox38 --- unaffected
firefox39 --- fixed
firefox40 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed


(Reporter: decoder, Assigned: sstangl)


(Blocks 1 open bug)


(4 keywords, Whiteboard: [jsbugmon:update])


(1 file)

The following testcase crashes on mozilla-central revision 37d3dcbf23a9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

var T = TypedObject;
var AT = new T.ArrayType(T.Any,0x6d);
var v = new AT();
for ( var i=0 ; i < 1000 ; i++ )
  if (v[2] !== undefined) {}


Program received signal SIGSEGV, Segmentation fault.
0x000000000093e79d in to<js::jit::MStoreElementHole> (this=<optimized out>) at js/src/jit/MIR.h:774
#0  0x000000000093e79d in to<js::jit::MStoreElementHole> (this=<optimized out>) at js/src/jit/MIR.h:774
#1  toStoreElementHole (this=<optimized out>) at js/src/jit/MIR.h:787
#2  GetStoreObject (store=<optimized out>) at js/src/jit/MIR.cpp:4211
#3  GenericLoadMightAlias (elementsOrObj=0x7ffff69a6160, store=<optimized out>) at js/src/jit/MIR.cpp:4233
#4  0x00000000007cfd77 in js::jit::AliasAnalysis::analyze (this=this@entry=0x7fffffffc930) at js/src/jit/AliasAnalysis.cpp:223
#5  0x000000000090dd69 in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff69a0258) at js/src/jit/Ion.cpp:1298
#6  0x000000000090e7e4 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69a0258) at js/src/jit/Ion.cpp:1616
#7  0x000000000090f31f in js::jit::IonCompile (cx=cx@entry=0x7ffff691b4e0, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffcef8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:1985
#8  0x000000000090f7c4 in js::jit::Compile (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., osrFrame=0x7fffffffcef8, osrPc=osrPc@entry=0x7ffff5340fa3 "ず", constructing=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2140
#9  0x000000000090fa24 in js::jit::CanEnterAtBranch (cx=cx@entry=0x7ffff691b4e0, script=0x7ffff7e5e128, osrFrame=osrFrame@entry=0x7fffffffcef8, pc=pc@entry=0x7ffff5340fa3 "ず") at js/src/jit/Ion.cpp:2222
#10 0x0000000000812c96 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff5340fa3 "ず", script=..., frame=0x7fffffffcef8, cx=0x7ffff691b4e0) at js/src/jit/BaselineIC.cpp:779
#11 js::jit::DoWarmUpCounterFallback (cx=0x7ffff691b4e0, stub=<optimized out>, frame=0x7fffffffcef8, infoPtr=0x7fffffffced0) at js/src/jit/BaselineIC.cpp:943
#12 0x00007ffff7fefe49 in ?? ()
#23 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69a6160	140737330700640
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc3a0	140737488339872
rsp	0x7fffffffc380	140737488339840
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffc140	140737488339264
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff69a4868	140737330694248
r13	0x7ffff69a6160	140737330700640
r14	0x1	1
r15	0x7fffffffc538	140737488340280
rip	0x93e79d <GenericLoadMightAlias(js::jit::MDefinition const*, js::jit::MDefinition const*)+461>
=> 0x93e79d <GenericLoadMightAlias(js::jit::MDefinition const*, js::jit::MDefinition const*)+461>:	movl   $0x306,0x0
   0x93e7a8 <GenericLoadMightAlias(js::jit::MDefinition const*, js::jit::MDefinition const*)+472>:	callq  0x423010 <abort@plt>

S-s because this assertion was an indicator for security problems before.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150317140144" and the hash "c5af69669855".
The "bad" changeset has the timestamp "20150317140145" and the hash "5c0bd25d0a24".

Likely regression window:
Likely regressed by bug 1038839, needinfo from sstangl based on that.
Flags: needinfo?(sstangl)
There are yet more MIR returned by elements(): MTypedArrayElements and MTypedObjectElements. This patch handles them by assuming that they always alias.
Flags: needinfo?(sstangl)
Attachment #8585678 - Flags: review?(jdemooij)
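
The conservative fallback described in the comment above, as an added illustration that is not the patch or SpiderMonkey source: a simplified C++ model in which a checked downcast returns nullptr on a kind mismatch and the alias query answers "might alias" for any elements kind it does not recognise. The names Node, maybeTo and loadMightAlias, and the same-object alias rule, are assumptions made for the example.

```cpp
// Added illustration: a simplified model, not SpiderMonkey source.
#include <cstdio>

enum class Op { Elements, TypedObjectElements, Unbox, StoreElement };
enum class Type { Object, Elements, None };

struct Node {
    Op op;
    Type type;
    Node(Op o, Type t) : op(o), type(t) {}
    template <typename T> bool is() const { return op == T::kOp; }
    // Checked downcast: nullptr on a kind mismatch, so a release build never
    // reinterprets a node as the wrong class.
    template <typename T> const T* maybeTo() const {
        return is<T>() ? static_cast<const T*>(this) : nullptr;
    }
};

struct Elements : Node {
    static constexpr Op kOp = Op::Elements;
    const Node* object;  // object whose elements vector this node yields
    explicit Elements(const Node* obj) : Node(kOp, Type::Elements), object(obj) {}
};

struct StoreElement : Node {
    static constexpr Op kOp = Op::StoreElement;
    const Node* object;  // object being written to
    explicit StoreElement(const Node* obj) : Node(kOp, Type::None), object(obj) {}
};

// Toy alias rule (assumption): a load and a store alias when they name the same
// object node. Anything the analysis does not recognise is treated as aliasing.
bool loadMightAlias(const Node* elementsOrObj, const Node* store) {
    const StoreElement* st = store->maybeTo<StoreElement>();
    if (!st)
        return true;  // unknown store kind
    if (const Elements* e = elementsOrObj->maybeTo<Elements>())
        return e->object == st->object;
    if (elementsOrObj->type != Type::Object)
        return true;  // unhandled elements kind, e.g. typed-object elements
    return elementsOrObj == st->object;  // object passed directly
}

int main() {
    Node obj(Op::Unbox, Type::Object);
    Node typed(Op::TypedObjectElements, Type::Elements);
    StoreElement st(&obj);
    std::printf("typed elements vs store: %d\n", loadMightAlias(&typed, &st));
    return 0;
}
```
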
Regressor is indeed Bug 1038839 per Comment 2.
Assignee: nobody → sstangl
Comment on attachment 8585678

Review of attachment 8585678:

::: js/src/jit/MIR.cpp
@@ +4231,5 @@
>      if (elements)
>          return elements->mightAlias(store);
> +    // Unhandled Elements kind.
> +    if (!elements && elementsOrObj->type() != MIRType_Object)
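
Review bot: the new "// Unhandled Elements kind." comment above the elementsOrObj->type() != MIRType_Object check does not say which node kinds reach it or what answer the branch gives. The patch description names MTypedArrayElements and MTypedObjectElements and says they are assumed to always alias; stating that in the comment would make the conservative intent clear to the next reader. The testcase from the report would also be worth landing as a regression test alongside this change.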

Nit: !elements is always true after the |if (elements) return| above.
Attachment #8585678 - Flags: review?(jdemooij) → review+

Please nominate this for Aurora uplift when you get a chance.
Closed: 5 years ago
Flags: needinfo?(sstangl)
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
JSBugMon: This bug has been automatically verified fixed.
Comment on attachment 8585678

Approval Request Comment
[Feature/regressing bug #]: Bug 1038839
[User impact if declined]: Random browser crashes.
[Describe test coverage new/current, TreeHerder]: Simple fix, landed on Nightly for the last month.
[Risks and why]: No risk.
[String/UUID change made/needed]: None
Attachment #8585678 - Flags: approval-mozilla-aurora?
Comment on attachment 8585678

Approved for uplift to aurora; this has been on m-c for weeks and is a fix for a sec-high bug.
Attachment #8585678 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Group: core-security