Closed
Bug 1492685
Opened 7 years ago
Closed 7 years ago
Assertion failure: val->type() == MIRType::Int32, at js/src/jit/IonBuilder.cpp:12987
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla64
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | + | verified |
People
(Reporter: gkw, Assigned: terpri)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
6.94 KB,
text/plain
|
Details | |
|
2.58 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision ac9f1219d11b (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):
function f(x, ...y) {
x &= y;
}
f();
Backtrace:
#0 0x000055c975f37a56 in js::jit::IonBuilder::jsop_setarg (this=0x7f7965195220, arg=0) at js/src/jit/IonBuilder.cpp:12987
#1 0x000055c975f2fa66 in js::jit::IonBuilder::inspectOpcode (this=0x7f7965195220, op=JSOP_SETARG) at js/src/jit/IonBuilder.cpp:2040
#2 0x000055c975f2ec95 in js::jit::IonBuilder::visitBlock (this=0x7f7965195220, cfgblock=0x7f79651821c8, mblock=<optimized out>) at js/src/jit/IonBuilder.cpp:1654
#3 0x000055c975f2b85e in js::jit::IonBuilder::traverseBytecode (this=0x7f7965195220) at js/src/jit/IonBuilder.cpp:1568
#4 0x000055c975f25714 in js::jit::IonBuilder::build (this=0x7f7965195220) at js/src/jit/IonBuilder.cpp:908
#5 0x000055c975f1e72c in js::jit::IonCompile (cx=<optimized out>, osrPc=<optimized out>, optimizationLevel=<optimized out>, script=<optimized out>, baselineFrame=<optimized out>, recompile=<optimized out>) at js/src/jit/Ion.cpp:2136
/snip
For detailed crash information, see attachment.
Setting s-s as a start because MIR is involved.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d5c22661c860
user: Robin Templeton
date: Tue Sep 18 04:04:53 2018 +0000
summary: bug 1490387 - Part 3: Implement BigInt support for bitwise operators. r=jandem
Robin/Jan, is bug 1490387 a likely regressor?
|
||
Comment 3•7 years ago
|
||
Robin, can you look at this?
It might be okay to just remove this whole optimization in IonBuilder::jsop_setarg, it was meant to optimize asm.js-like code.
Also, next time please don't make non-trivial changes to a patch without requesting re-review. For instance MBinaryBitwiseInstruction's constructor now has an unused |type| argument - I would have pointed that out in a review.
Flags: needinfo?(jdemooij)
|
||
Updated•7 years ago
|
|
Assignee | |
Comment 4•7 years ago
|
||
IonBuilder::jsop_setarg optimizes asm.js-style argument coercions
using JSOP_BITAND, JSOP_BITOR, or JSOP_POS. The optimization
assumes that bitwise operations always produce Int32 results, but
they may produce Value results due to BigInt-related changes in
bug 1490387.
Attachment #9011049 -
Flags: review?(nth10sd)
Attachment #9011049 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 5•7 years ago
|
||
Yes, this looks like a consequence of #1490387. Removing the special case for bitops/mul would be the easiest solution; the optimization won't necessarily be valid once BigInts are available, and I think asm.js coercions are still optimized without it.
I attached a patch that fixes this particular crash, but if it seems at all questionable we should just revert part 3 of #1490387 for now, which would restore the previous definitions for bitwise operations. (And in the future I'll be more careful about requesting re-reviews; clearly I was a bit too optimistic about a seemingly minor change being 'trivial' in the context of Ion :))
Flags: needinfo?(robin)
|
|
Reporter | |
Comment 6•7 years ago
|
||
Comment on attachment 9011049 [details] [diff] [review]
Remove obsolete Ion optimization for JSOP_SETARG.
Jan is the right reviewer for this.
Also, it should be safe to land a test as well since this is nightly-only, so sec-approval should not be required.
Attachment #9011049 -
Flags: review?(nth10sd)
|
|
||
Comment 7•7 years ago
|
||
Comment on attachment 9011049 [details] [diff] [review]
Remove obsolete Ion optimization for JSOP_SETARG.
Review of attachment 9011049 [details] [diff] [review]:
-----------------------------------------------------------------
Yeah this LGTM, thanks! We can see how it affects benchmarks on AWFY/Perfherder after it lands.
Attachment #9011049 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Updated•7 years ago
|
Keywords: checkin-needed
|
||
Comment 8•7 years ago
|
||
Assignee: nobody → robin
status-firefox62:
--- → unaffected
tracking-firefox64:
--- → +
Keywords: checkin-needed
|
|
||
Comment 9•7 years ago
|
||
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
|
||
Updated•7 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 10•7 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•