Bug 1175714 (Closed)
Opened 9 years ago, closed 9 years ago
Assertion failure: !CurrentThreadIsIonCompilingSafeForMinorGC(), at jit/shared/Assembler-shared.h:228 or Assertion failure: !IsInsideNursery(&lir->object()->toConstant()->toObject()), at jit/CodeGenerator.cpp:2743
Categories: Core :: JavaScript Engine, defect
Tracking: Status VERIFIED FIXED, target milestone mozilla42
| Branch | Tracking | Status |
|---|---|---|
| firefox39 | --- | unaffected |
| firefox40 | --- | unaffected |
| firefox41 | + | verified |
| firefox42 | + | verified |
| firefox-esr31 | --- | unaffected |
| firefox-esr38 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
| b2g-master | --- | fixed |
People: Reporter: decoder, Assigned: bhackett1024
Details: 4 keywords, Whiteboard: [jsbugmon:update][b2g-adv-main2.5-]
Attachments (1 file): patch, 2.57 KB. Flags: jandem: review+; abillings: approval-mozilla-aurora+; abillings: sec-approval+
The following testcase crashes on mozilla-central revision d7c148c84594 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks):

```js
function foo() {
  var A = {x: 3};
  var B = Object.create(A);
  var C = Object.create(B);
  for (var i=0; i<30; "}") {}
}
foo();
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000008bed78 in js::jit::ImmGCPtr::ImmGCPtr (this=<optimized out>, ptr=<optimized out>) at js/src/jit/shared/Assembler-shared.h:227
#0  0x00000000008bed78 in js::jit::ImmGCPtr::ImmGCPtr (this=<optimized out>, ptr=<optimized out>) at js/src/jit/shared/Assembler-shared.h:227
#1  0x00000000009c68da in js::jit::MacroAssembler::guardObjectType (this=0x7ffff69bc058, obj=obj@entry=..., types=0x7ffff69b52b8, scratch=..., scratch@entry=..., miss=miss@entry=0x7fffffffbfa0) at js/src/jit/MacroAssembler.cpp:178
#2  0x0000000000850fff in js::jit::CodeGenerator::visitTypeBarrierO (this=0x7ffff69bc000, lir=0x7ffff4714c30) at js/src/jit/CodeGenerator.cpp:2659
#3  0x00000000008b569e in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff69bc000) at js/src/jit/CodeGenerator.cpp:4103
#4  0x00000000008b5e52 in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff69bc000) at js/src/jit/CodeGenerator.cpp:7779
#5  0x00000000008e2c07 in js::jit::GenerateCode (mir=mir@entry=0x7ffff69b0258, lir=0x7ffff69b7ba0) at js/src/jit/Ion.cpp:1720
#6  0x0000000000947cd1 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69b0258) at js/src/jit/Ion.cpp:1742
#7  0x000000000094f635 in js::jit::IonCompile (cx=cx@entry=0x7ffff691b4e0, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffc718, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2074
#8  0x0000000000954de4 in js::jit::Compile (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffc718, osrPc=osrPc@entry=0x7ffff6926b9c "\343\201V", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2233
#9  0x0000000000955071 in js::jit::CanEnterAtBranch (cx=cx@entry=0x7ffff691b4e0, script=0x7ffff7e5e1f0, osrFrame=osrFrame@entry=0x7fffffffc718, pc=pc@entry=0x7ffff6926b9c "\343\201V") at js/src/jit/Ion.cpp:2315
#10 0x0000000000843006 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff6926b9c "\343\201V", script=..., frame=0x7fffffffc718, cx=0x7ffff691b4e0) at js/src/jit/BaselineIC.cpp:65
#11 js::jit::DoWarmUpCounterFallback (cx=0x7ffff691b4e0, frame=0x7fffffffc718, stub=<optimized out>, infoPtr=0x7fffffffc6d0) at js/src/jit/BaselineIC.cpp:229
#12 0x00007ffff7feffd9 in ?? ()
#13 0x00007fffffffc758 in ?? ()
#14 0x00007fffffffc698 in ?? ()
#15 0x0000000000000008 in ?? ()
#16 0x0000000001a66480 in js::jit::DoTypeMonitorFallbackInfo ()
#17 0x00007ffff7e51fa0 in ?? ()
#18 0x00007ffff7ff2017 in ?? ()
#19 0x0000000000000302 in ?? ()
#20 0x00007fffffffc718 in ?? ()
#21 0x00007ffff6993920 in ?? ()
#22 0x00007fffffffc6d0 in ?? ()
#23 0x0000000000000000 in ?? ()
rax            0x0      0
rbx            0x0      0
rcx            0x7ffff6ca53cd   140737333842893
rdx            0x0      0
rsi            0x7ffff6f7a9d0   140737336814032
rdi            0x7ffff6f791c0   140737336807872
rbp            0x7fffffffbec0   140737488338624
rsp            0x7fffffffbec0   140737488338624
r8             0x7ffff7fe0780   140737354008448
r9             0x6372732f736a2f6c       7165916604736876396
r10            0x7fffffffbc80   140737488338048
r11            0x7ffff6c27960   140737333328224
r12            0x7ffff69b52b8   140737330762424
r13            0x1      1
r14            0x1      1
r15            0x7fffffffbf00   140737488338688
rip            0x8bed78 <js::jit::ImmGCPtr::ImmGCPtr(js::gc::Cell const*)+136>
=> 0x8bed78 <js::jit::ImmGCPtr::ImmGCPtr(js::gc::Cell const*)+136>:  movl   $0xe4,0x0
   0x8bed83 <js::jit::ImmGCPtr::ImmGCPtr(js::gc::Cell const*)+147>:  callq  0x494bd0 <abort()>
```

Marking s-s because GC seems to be involved.
Reporter, updated 9 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (Reporter), 9 years ago:
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150613075443" and the hash "3a994e364343".
The "bad" changeset has the timestamp "20150613081143" and the hash "fd36716d1f9d".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3a994e364343&tochange=fd36716d1f9d
Comment 2, 9 years ago:
ni bhackett based on the regression window in comment 1
Flags: needinfo?(bhackett1024)
Comment 3 (Assignee), 9 years ago:
Nursery types could get into temporary type sets during IonBuilder when they were read off the baseline frame for OSR.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8628367 - Flags: review?(jdemooij)
Updated 9 years ago:
Attachment #8628367 - Flags: review?(jdemooij) → review+
Comment 4 (Assignee), 9 years ago:
Comment on attachment 8628367 [details] [diff] [review] patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch? not easily.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? no.
Which older supported branches are affected by this flaw? aurora
If not all supported branches, which bug introduced the flaw? bug 1162986
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? trivial
How likely is this patch to cause regressions; how much testing does it need? not at all

Approval Request Comment
[Feature/regressing bug #]: bug 1162986
[User impact if declined]: exploitable crashes
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none
Attachment #8628367 - Flags: sec-approval?
Attachment #8628367 - Flags: approval-mozilla-aurora?
Updated 9 years ago:
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → affected
status-firefox39: --- → unaffected
status-firefox40: --- → unaffected
status-firefox42: --- → affected
status-firefox-esr31: --- → unaffected
status-firefox-esr38: --- → unaffected
Comment 5, 9 years ago:
Comment on attachment 8628367 [details] [diff] [review] patch

Approvals given.
Attachment #8628367 - Flags: sec-approval?
Attachment #8628367 - Flags: sec-approval+
Attachment #8628367 - Flags: approval-mozilla-aurora?
Attachment #8628367 - Flags: approval-mozilla-aurora+
Updated 9 years ago:
tracking-firefox41: --- → +
tracking-firefox42: --- → +
Comment 6 (Assignee), 9 years ago:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b822456c6e2f
This is apparently causing mass assertion failures like https://treeherder.mozilla.org/logviewer.html#?job_id=11438150&repo=mozilla-inbound
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/17f9c8e5c08e
Flags: needinfo?(bhackett1024)
Comment 8 (Assignee), 9 years ago:
Sorry, I should have used isSingletonUnchecked.
https://hg.mozilla.org/integration/mozilla-inbound/rev/54d35cae57d6
Flags: needinfo?(bhackett1024)
Comment 9, 9 years ago:
https://hg.mozilla.org/mozilla-central/rev/54d35cae57d6
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Reporter, updated 9 years ago:
Status: RESOLVED → VERIFIED
Comment 10 (Reporter), 9 years ago:
JSBugMon: This bug has been automatically verified fixed.
Reporter, updated 9 years ago.
Comment 12 (Reporter), 9 years ago:
JSBugMon: This bug has been automatically verified fixed on Fx41
Updated 9 years ago:
Group: core-security → core-security-release
Updated 9 years ago:
Group: core-security-release
Updated 9 years ago:
Whiteboard: [jsbugmon:update] → [jsbugmon:update][b2g-adv-main2.5-]