Closed
Bug 1334356
Opened 7 years ago
Closed 7 years ago
Crash [@ js::jit::IonCannon] or Assertion failure: Should have monitored undefined result, at js/src/jit/MacroAssembler.cpp:1597
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
RESOLVED
FIXED
mozilla54
Branch | Tracking | Status
---|---|---
firefox-esr45 | --- | unaffected
firefox51 | --- | unaffected
firefox52 | --- | unaffected
firefox53 | --- | wontfix
firefox54 | --- | fixed
People
(Reporter: gkw, Assigned: jandem)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision d92fd6b6d6bf (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

```js
// jsfunfuzz-generated
setJitCompilerOption('ion.forceinlineCaches', 1);
try {
  Object.defineProperty(this, "x", {
    get: function () {
      Array.prototype.slice;
    }
  });
  // Adapted from randomly chosen test: js/src/tests/js1_8_1/extensions/strict-warning.js
  options('strict');
  options('werror');
  // jsfunfuzz-generated
  x.u;
} catch (e) {}
try {
  delete Array.prototype.slice;
  x;
} catch (e) {}
x;
```

Backtrace:

```
0 ??? 0x000000010679ee0e 0 + 4403621390
1 js-dbg-64-dm-clang-darwin-d92fd6b6d6bf 0x00000001045998da js::jit::IonCannon(JSContext*, js::RunState&) + 874 (Ion.cpp:2901)
2 js-dbg-64-dm-clang-darwin-d92fd6b6d6bf 0x000000010442e4da js::RunScript(JSContext*, js::RunState&) + 378 (Interpreter.cpp:386)
3 js-dbg-64-dm-clang-darwin-d92fd6b6d6bf 0x000000010443eb0c js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 604 (Interpreter.cpp:478)
4 js-dbg-64-dm-clang-darwin-d92fd6b6d6bf 0x000000010443fb0a js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 154 (Interpreter.cpp:524)
/snip
```

For detailed crash information, see attachment. Setting s-s because the assert sounds scary, and deletion of Arrays is involved.
Comment 1 (Reporter) • 7 years ago
Comment 2 (Reporter) • 7 years ago

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/547a8c1acff1
user: Jan de Mooij
date: Fri Dec 23 08:34:03 2016 +0100
summary: Bug 1322093 part 19 - Enable the new IonGetPropertyIC that's based on CacheIR. r=h4writer

Jan, is bug 1322093 a likely regressor?
Blocks: 1322093
Flags: needinfo?(jdemooij)
Comment 3 (Reporter) • 7 years ago
The testcase also crashes at a weird memory address with js::jit::IonCannon on the stack, on opt builds. Assuming sec-critical.
Crash Signature: [@ js::jit::IonCannon]
Keywords: sec-critical
Summary: Assertion failure: Should have monitored undefined result, at js/src/jit/MacroAssembler.cpp:1597 → Crash [@ js::jit::IonCannon] or Assertion failure: Should have monitored undefined result, at js/src/jit/MacroAssembler.cpp:1597
Comment 4 (Reporter) • 7 years ago
The program counter seems to be loading an arbitrary address 0x1031c4cd0 into the instruction pointer.
Comment 5 (Reporter) • 7 years ago
At least Fx53 is also affected, not sure about earlier branches.
status-firefox53: --- → affected
Updated (Assignee) • 7 years ago
Comment 6 (Assignee) • 7 years ago
Funny bug. When both the extra-warnings + warnings-as-errors options are enabled, we may throw an exception instead of returning undefined when a property is missing, so we shouldn't attach a missing-property stub. Probably a pre-existing bug, or at least it was a correctness issue. Not s-s in any way because both of these options are disabled by default.
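As an added example that is not code from this bug or from SpiderMonkey, the following toy JavaScript model of a property-get inline cache shows the correctness problem comment 6 describes: once a "missing property" stub that returns undefined is attached, later accesses skip the slow path and the exception that extra-warnings plus warnings-as-errors would raise is never thrown. The names (PropertyIC, probe, shapeOf) and the single extraWarningsAsErrors flag standing in for options('strict') + options('werror') are assumptions of this model.

```javascript
// Toy inline-cache model (constructed for illustration, not SpiderMonkey code).
const MISSING = Symbol("missing-property stub");

// Simplified "shape": sorted own property names. A real IC also guards the
// prototype chain (the testcase deletes Array.prototype.slice); this toy does not.
function shapeOf(obj) {
  return Object.keys(obj).sort().join(",");
}

class PropertyIC {
  constructor({ extraWarningsAsErrors, fixed }) {
    // Assumption: one flag models the shell's options('strict') + options('werror').
    this.extraWarningsAsErrors = extraWarningsAsErrors;
    this.fixed = fixed;          // true: apply the fix (no missing-property stub in that mode)
    this.stubs = new Map();      // `${shape}.${name}` -> stub kind
  }

  // Slow path: the language semantics the cache must preserve.
  slowGet(obj, name) {
    if (name in obj) return obj[name];
    if (this.extraWarningsAsErrors) {
      throw new ReferenceError(`reference to undefined property ${name}`);
    }
    return undefined;
  }

  get(obj, name) {
    const key = `${shapeOf(obj)}.${name}`;
    // Fast path: a cached "missing" stub answers undefined without looking.
    if (this.stubs.get(key) === MISSING) return undefined;
    // Buggy behaviour: the stub is attached even though slowGet may throw.
    // Fixed behaviour: never attach it while warnings are errors.
    const attach = !(name in obj) && !(this.fixed && this.extraWarningsAsErrors);
    if (attach) this.stubs.set(key, MISSING);
    return this.slowGet(obj, name);
  }
}

// Performs the same access twice and reports what each attempt did.
function probe(ic, obj, name) {
  const out = [];
  for (let i = 0; i < 2; i++) {
    try {
      out.push(`value:${String(ic.get(obj, name))}`);
    } catch (e) {
      out.push(`threw:${e.constructor.name}`);
    }
  }
  return out;
}
```

With the buggy variant the second access silently yields undefined where the first threw; the fixed variant throws both times, and with warnings-as-errors off both variants cache and return undefined as intended.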
Comment 7 • 7 years ago

Comment on attachment 8831137 [details] [diff] [review]
Patch

Review of attachment 8831137 [details] [diff] [review]:

Good catch

Attachment #8831137 - Flags: review?(hv1989) → review+
Comment 8 • 7 years ago

Crash volume for signature 'js::jit::IonCannon':
- nightly (version 54): 0 crashes from 2017-01-23.
- aurora (version 53): 0 crashes from 2017-01-23.
- beta (version 52): 1 crash from 2017-01-23.
- release (version 51): 236 crashes from 2017-01-16.
- esr (version 45): 1349 crashes from 2016-08-03.

Crash volume on the last weeks (Week N is from 01-30 to 02-05):

Channel | W. N-1 | W. N-2 | W. N-3 | W. N-4 | W. N-5 | W. N-6 | W. N-7
---|---|---|---|---|---|---|---
nightly | 0 | | | | | |
aurora | 0 | | | | | |
beta | 1 | | | | | |
release | 115 | 0 | | | | |
esr | 76 | 69 | 65 | 71 | 48 | 73 | 63

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:

Channel | Browser | Content | Plugin
---|---|---|---
nightly | | |
aurora | | |
beta | | |
release | #235 | #82 |
esr | #217 | |

status-firefox51: --- → affected
status-firefox52: --- → affected
status-firefox-esr45: --- → affected
Comment 9 (Assignee) • 7 years ago
The Release Management Bot setting status flags is the worst. These crashes are totally unrelated to this mostly-shell-only bug.
Comment 10 • 7 years ago

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2c7238d4ab0a
Don't attach a missing-property stub if extra warnings are enabled. r=h4writer
Comment 11 • 7 years ago

bugherder: https://hg.mozilla.org/mozilla-central/rev/2c7238d4ab0a
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54