Closed
Bug 1205842
Opened 9 years ago
Closed 9 years ago
Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: bbouvier)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
3.16 KB, text/plain
1.60 KB, patch, nbp: review+
function f(x) { (function() { x = 0; })(); } for (var k = 0; k < 9; k++) { f(Math.fround(1)); }

asserts js debug shell on m-c changeset de0e763b5210 with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis at Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r de0e763b5210

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fb1f0c400ec0
user: Benjamin Bouvier
date: Thu Sep 10 11:58:44 2015 +0200
summary: Bug 1107011: Propagate recovered on bailout flags when converting float32 to doubles; r=nbp

Benjamin, is bug 1107011 a likely regressor?
Flags: needinfo?(benj)
Reporter
Comment 1•9 years ago
(lldb) bt 5
* thread #1: tid = 0x6d94ca, 0x00000001005c0293 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4003 at IonAnalysis.cpp:1954, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001005c0293 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4003 at IonAnalysis.cpp:1954
    frame #1: 0x00000001005c153a js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertGraphCoherency(graph=0x00000001028c7040) + 42 at IonAnalysis.cpp:2059
    frame #2: 0x00000001005c257d js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertExtendedGraphCoherency(graph=0x00000001028c7040) + 45 at IonAnalysis.cpp:2147
    frame #3: 0x00000001005bd9b8 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::OptimizeMIR(mir=0x00000001028c7258) + 3672 at Ion.cpp:1695
    frame #4: 0x00000001005c7d9f js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::CompileBackEnd(mir=0x00000001028c7258) + 63 at Ion.cpp:1967
(lldb)
Reporter
Comment 2•9 years ago
Setting s-s because potential regressor bug 1107011 is s-s.
Group: javascript-core-security
Assignee
Comment 3•9 years ago
Range assertions shouldn't be added to instructions that are recovered on bailouts. I think the issue is just a bad assertion and this bug isn't s-s, but considering the previous fiasco on the original bug, I'll let nbp decide.
Assignee: nobody → benj
Status: NEW → ASSIGNED
Flags: needinfo?(benj)
Attachment #8662782 - Flags: review?(nicolas.b.pierron)
Comment 4•9 years ago
Comment on attachment 8662782 [details] [diff] [review]
fix.patch

Review of attachment 8662782 [details] [diff] [review]:
-----------------------------------------------------------------

> I think the issue is just a bad assertion and this bug isn't s-s, but considering the previous fiasco on the original bug, I'll let nbp decide.

I agree with Benjamin, this issue is not security-sensitive, as the MAssertRange MIR node can only be generated by [1] the use of --ion-check-range-analysis in the shell, or in Firefox with the environment variable JIT_OPTION_checkRangeAnalysis.

[1] https://dxr.mozilla.org/mozilla-central/search?q=%2Bvar-ref%3Ajs%3A%3Ajit%3A%3AJitOptions%3A%3AcheckRangeAnalysis
Attachment #8662782 - Flags: review?(nicolas.b.pierron) → review+
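The reproduction from comment 0 and the flag dependence nbp points out in comment 4, as an added triage harness that is not part of this bug or of the SpiderMonkey tree. It assumes a debug js shell is passed as the first argument and that the assertion text is matched verbatim on stderr; the file name bug1205842.js and the helper names write_testcase and repro are this example's own. Running the same testcase twice, once with --ion-check-range-analysis and once without, is the check that the MAssertRange node (and with it the assertion) only shows up when the range-analysis check is requested.

```shell
#!/bin/sh
# Added triage harness for bug 1205842 (example code, not from the bug).
# Assumes: $1 is a debug js shell; the assertion is matched verbatim on stderr.

# Reproducer from comment 0, verbatim.
TESTCASE='function f(x) { (function() { x = 0; })(); } for (var k = 0; k < 9; k++) { f(Math.fround(1)); }'
# Assertion text from comment 0.
EXPECTED='Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp'

# write_testcase DIR: writes the reproducer to DIR/bug1205842.js and prints the path.
write_testcase() {
    printf '%s\n' "$TESTCASE" > "$1/bug1205842.js"
    printf '%s\n' "$1/bug1205842.js"
}

# repro JS_SHELL TESTCASE [SHELL_FLAGS...]
# Runs the shell on the testcase and returns:
#   0 if the expected assertion text appeared on stderr,
#   1 if the shell ran without it,
#   2 if JS_SHELL is not an executable.
repro() {
    js_shell=$1
    testcase=$2
    shift 2
    [ -x "$js_shell" ] || { echo "no js shell at $js_shell" >&2; return 2; }
    err_log=$(mktemp)
    "$js_shell" "$@" "$testcase" 2>"$err_log"
    status=$?
    if grep -qF "$EXPECTED" "$err_log"; then
        echo "reproduced with flags [$*] (exit $status)"
        rm -f "$err_log"
        return 0
    fi
    echo "not reproduced with flags [$*] (exit $status)"
    rm -f "$err_log"
    return 1
}

# Usage: sh triage.sh /path/to/js-debug-shell
# First run uses the full flag set from comment 0; the second drops the
# range-analysis check, which comment 4 says is what emits MAssertRange.
if [ -n "$1" ]; then
    dir=$(mktemp -d)
    tc=$(write_testcase "$dir")
    repro "$1" "$tc" --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis
    repro "$1" "$tc" --fuzzing-safe --no-threads --ion-eager
fi
```

The return codes are deliberate so the function drops straight into a bisect or fuzzing loop: 0 means the assertion fired, 1 means it did not, and 2 means the build under test is missing, which should never be silently counted as "not reproduced".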
Assignee
Comment 5•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/90ff8cf0e927
Updated•9 years ago
status-firefox42: --- → affected
Keywords: sec-other
Reporter
Comment 6•9 years ago
This previously landed: http://hg.mozilla.org/mozilla-central/rev/90ff8cf0e927
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: javascript-core-security → core-security-release
Updated•8 years ago
Group: core-security-release