Bug 1315634 - Assertion failure: resumePointsEmpty(), at js/src/jit/MIRGraph.cpp:998

Status: Closed, VERIFIED FIXED
Opened 8 years ago; closed 7 years ago
Categories: Core :: JavaScript Engine, defect

 | Tracking | Status
---|---|---
firefox52 | --- | verified

People: Reporter: gkw, Unassigned
Keywords: assertion, sec-other, testcase
Whiteboard: [jsbugmon:update][adv-main52-]
Attachments (2 files):
- Attachment (42.48 KB, text/plain)
- Patch attachment (1.89 KB, patch), h4writer: review+
The following testcase crashes on mozilla-central revision 908557c762f7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --baseline-eager):

```js
setJitCompilerOption('ion.forceinlineCaches', 1);
function g(f, x) {
  for (var j = 0; j < 3; ++j)
    for (var k = 0; k < 21; ++k)
      try {
        f(x[k]);
      } catch (e) {}
}
a0 = y = [];
function f2() { f1() };
function f1() {
  switch (abs(abs(3187503207)(134217728) | 0) | 0) {
    case -2:
      this.y.splice(NaN, 2, x({}) = 4277)
  }
  return 4006901336 | 0
}
g(f1, []);
g(f2, []);
f1 = (function() {
  function f() {
    a0.splice(NaN, 0);
  }
  return f;
})();
g(f2, []);
```

Backtrace:

```
0 js-dbg-64-dm-clang-darwin-908557c762f7 0x00000001039ee459 js::jit::MIRGraph::removeBlock(js::jit::MBasicBlock*) + 745 (MIRGraph.cpp:998)
1 js-dbg-64-dm-clang-darwin-908557c762f7 0x00000001039f6b1a js::jit::MBasicBlock::BackupPoint::restore() + 650 (InlineList.h:425)
2 js-dbg-64-dm-clang-darwin-908557c762f7 0x00000001038f1d19 js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*) + 1801 (IonBuilder.cpp:5255)
3 js-dbg-64-dm-clang-darwin-908557c762f7 0x00000001038f4cbc js::jit::IonBuilder::inlineCalls(js::jit::CallInfo&, mozilla::Vector<JSObject*, 4ul, js::jit::JitAllocPolicy> const&, mozilla::Vector<bool, 4ul, js::jit::JitAllocPolicy>&, js::jit::MGetPropertyCache*) + 3308 (IonBuilder.cpp:6073)
/snip
```

For detailed crash information, see attachment.

Setting s-s as a start because MIR seems involved.
Comment 1 • 8 years ago (Reporter)

Comment 2 • 8 years ago (Reporter)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/47e4fb57325d
user: Nicolas B. Pierron
date: Fri Oct 28 12:45:31 2016 +0000
summary: Bug 1303399 part 2 - IonMonkey: Fallback when we fail to inline an uninlinable function. r=h4writer

Nicolas, is bug 1303399 a likely regressor?
Blocks: 1303399
Flags: needinfo?(nicolas.b.pierron)
Comment 3 • 8 years ago
Ok, looking into this, for the moment this does not sound like a security issue, but only a sanity issue, as we create extra resume points when we attempt to inline, which are made to fall back to before the GetPropertyCache which is loading the JSFunction's target. I already faced this issue a while back when adding this assertion. I will try to come up with a patch tomorrow.
Comment 4 • 8 years ago
Idempotent MGetPropertyCache gets attached a resume point which is used as a fallback for targets that we cannot inline. This resume point is already being discarded by MWrapMGetPropertyCache when it is not needed after the end of the inlining. This patch also removes this resume point if we fail sooner than the MWrapMGetPropertyCache, or if getInlineableGetPropertyCache fails to return the last MGetPropertyCache.
Attachment #8808701 - Flags: review?(hv1989)

Updated • 8 years ago
Attachment #8808701 - Flags: review?(hv1989) → review+
Comment 5 • 8 years ago
Nicolas is in PTO till Monday. In order to still get this in without uplift, I pushed it. https://hg.mozilla.org/integration/mozilla-inbound/rev/3930bf2158788bc3681992d61cc0d26614c8b388
Flags: needinfo?(nicolas.b.pierron)
Updated • 7 years ago
Status: RESOLVED → VERIFIED
Comment 8 • 7 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 7 years ago
Group: javascript-core-security → core-security-release

Updated • 7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main52-]

Updated • 7 years ago
Group: core-security-release