Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp

RESOLVED FIXED

Status

()

Core
JavaScript Engine: JIT
--
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: gkw, Assigned: bbouvier)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86_64
Mac OS X
assertion, regression, sec-other, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox42 affected, firefox43 affected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
function f(x) {
    (function() {
        x = 0;
    })();
}
for (var k = 0; k < 9; k++) {
    f(Math.fround(1));
}

asserts js debug shell on m-c changeset de0e763b5210 with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis at Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r de0e763b5210

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fb1f0c400ec0
user:        Benjamin Bouvier
date:        Thu Sep 10 11:58:44 2015 +0200
summary:     Bug 1107011: Propagate recovered on bailout flags when converting float32 to doubles; r=nbp

Benjamin, is bug 1107011 a likely regressor?
Flags: needinfo?(benj)
(Reporter)

Comment 1

3 years ago
Created attachment 8662618 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x6d94ca, 0x00000001005c0293 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4003 at IonAnalysis.cpp:1954, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001005c0293 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4003 at IonAnalysis.cpp:1954
    frame #1: 0x00000001005c153a js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertGraphCoherency(graph=0x00000001028c7040) + 42 at IonAnalysis.cpp:2059
    frame #2: 0x00000001005c257d js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertExtendedGraphCoherency(graph=0x00000001028c7040) + 45 at IonAnalysis.cpp:2147
    frame #3: 0x00000001005bd9b8 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::OptimizeMIR(mir=0x00000001028c7258) + 3672 at Ion.cpp:1695
    frame #4: 0x00000001005c7d9f js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::CompileBackEnd(mir=0x00000001028c7258) + 63 at Ion.cpp:1967
(lldb)
(Reporter)

Comment 2

3 years ago
Setting s-s because potential regressor bug 1107011 is s-s.
Group: javascript-core-security
(Assignee)

Comment 3

3 years ago
Created attachment 8662782 [details] [diff] [review]
fix.patch

Range assertions shouldn't be added to instructions that are recovered on bailouts.

I think the issue is just a bad assertion and this bug isn't s-s, but considering the previous fiasco on the original bug, I'll let nbp decide.
Assignee: nobody → benj
Status: NEW → ASSIGNED
Flags: needinfo?(benj)
Attachment #8662782 - Flags: review?(nicolas.b.pierron)
Comment on attachment 8662782 [details] [diff] [review]
fix.patch

Review of attachment 8662782 [details] [diff] [review]:
-----------------------------------------------------------------

> I think the issue is just a bad assertion and this bug isn't s-s, but considering the previous fiasco on the original bug, I'll let nbp decide.

I agree with benjamin, this issue is not security-sensitive, as the MAssertRange MIR node can only be generated by [1] the use of --ion-check-range-analysis in the shell, or in Firefox with the environment variable JIT_OPTION_checkRangeAnalysis.

[1] https://dxr.mozilla.org/mozilla-central/search?q=%2Bvar-ref%3Ajs%3A%3Ajit%3A%3AJitOptions%3A%3AcheckRangeAnalysis
Attachment #8662782 - Flags: review?(nicolas.b.pierron) → review+
status-firefox42: --- → affected
Keywords: sec-other
(Reporter)

Comment 6

3 years ago
This previously landed:

http://hg.mozilla.org/mozilla-central/rev/90ff8cf0e927
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Group: javascript-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.