
TM: Crash [@ js::Interpret] or "Assertion failure: LIR type error (start of writer pipeline): arg 1 of 'ldi' is 'immd' which has type float64 (expected int32)"

VERIFIED FIXED

Status


Core
JavaScript Engine
--
critical
VERIFIED FIXED
7 years ago
5 years ago

People

(Reporter: gkw, Assigned: dvander)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Mac OS X
assertion, crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 betaN+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [ccbr][sg:critical] fixed-in-tracemonkey, crash signature)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
for (a = 0; a < 4; a++) {
    new Math.round(0).t
}

crashes js opt shell on TM tip with -j at js::Interpret and asserts js debug shell on TM tip with -j at Assertion failure: LIR type error (start of writer pipeline): arg 1 of 'ldi' is 'immd' which has type float64 (expected int32): 0 (../nanojit/LIR.cpp:2783)

s-s because this is an LIR type error.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x0005da5d in js::Interpret ()
(gdb) bt
#0  0x0005da5d in js::Interpret ()
#1  0x0006e68b in js::Execute ()
#2  0x00014b68 in JS_ExecuteScript ()
#3  0x00005dfc in Process ()
#4  0x00009696 in shell ()
#5  0x00009ba7 in main ()
(gdb) x/i $eip
0x5da5d <_ZN2js9InterpretEP9JSContext+7053>:    cmp    %eax,0x4(%ecx)
(gdb) x/b $eax
0x199020 <js_ArrayClass>:       0xc9
(gdb) x/b $ecx
0x0:    Cannot access memory at address 0x0
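The testcase above applies `new` to a built-in native (Math.round) that returns a primitive, then warms the loop up so the tracer compiles it. The following is an added example, not code from the bug report or from the SpiderMonkey tree: it probes that same shape against the engine it runs in and reports what `new` on a native yields. A conforming engine must throw TypeError, because these natives are not constructors; any engine that instead returns a value (NaN, an object, anything) is exhibiting the mis-typed result this bug was about. The native list, the iteration count and the helper names are assumptions chosen for the example.

```javascript
// Added example (not from the bug report): probe how the engine treats
// `new` applied to built-in natives that return primitives, the shape of
// the original testcase. The loop runs each probe enough times to warm up
// a JIT, mirroring the 4-iteration loop in the testcase; 100 is an
// arbitrary choice.
const HOT_ITERATIONS = 100;

// Call `fn(arg)` normally and with `new`, HOT_ITERATIONS times each.
// Returns the typeof of the plain result and what `new` produced:
// "TypeError" for a conforming engine, otherwise the typeof of the value
// handed back (the buggy behaviour) or the name of the exception thrown.
function probeNative(fn, arg) {
  let plainType = null;
  let newResult = "no-throw";
  for (let i = 0; i < HOT_ITERATIONS; i++) {
    plainType = typeof fn(arg); // ordinary call: a primitive number
    try {
      const obj = new fn(arg); // must throw; a non-throwing engine is buggy
      newResult = typeof obj;
    } catch (e) {
      newResult = e instanceof TypeError ? "TypeError" : e.constructor.name;
    }
  }
  return { plainType, newResult };
}

// Reproduce the exact expression from the testcase, `new Math.round(0).t`,
// which parses as `(new Math.round(0)).t`. Returns "TypeError" when the
// engine refuses the construct call, or the typeof of `.t` otherwise.
function probeTestcaseShape() {
  let out = "no-throw";
  for (let a = 0; a < HOT_ITERATIONS; a++) {
    try {
      out = typeof new Math.round(0).t;
    } catch (e) {
      out = e instanceof TypeError ? "TypeError" : e.constructor.name;
    }
  }
  return out;
}

// Natives to probe: a few Math functions plus parseInt, all returning
// numbers and none of them constructors (assumed list for the example).
function probeAll() {
  const natives = { round: Math.round, sin: Math.sin, abs: Math.abs, parseInt };
  const results = {};
  for (const [name, fn] of Object.entries(natives)) {
    results[name] = probeNative(fn, 0);
  }
  results.testcaseShape = probeTestcaseShape();
  return results;
}

// True when every native behaved as the spec requires.
function allConforming(results) {
  return Object.entries(results).every(([name, r]) =>
    name === "testcaseShape"
      ? r === "TypeError"
      : r.plainType === "number" && r.newResult === "TypeError"
  );
}

console.log(JSON.stringify(probeAll(), null, 2));
console.log("conforming:", allConforming(probeAll()));
```

Running this under a JIT-enabled shell is the same warm-up trick the reporter used; the difference is that here every iteration is wrapped in try/catch, so the result is reported instead of relied upon. On any engine that lets `new Math.round(0)` evaluate to a number, `newResult` comes back as "number" and `allConforming` returns false.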
(Reporter)

Comment 1

7 years ago
I couldn't use the technique in bug 558633 comment #6 to get more LIR spew, it gives me an Assertion failure: rmask(rr) & FpRegs (../nanojit/Nativei386.cpp:2154)
(Reporter)

Comment 2

7 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   46286:839073dc9b77
user:        David Anderson
date:        Mon Jun 28 14:49:12 2010 -0500
summary:     Bug 567577 - `new Math.sin` is NaN, not an object, in interpreter only. r=Waldo.
Blocks: 567577
blocking2.0: --- → ?
Comment 3

(In reply to comment #1)
> I couldn't use the technique in bug 558633 comment #6 to get more LIR spew, it
> gives me a Assertion failure: rmask(rr) & FpRegs
> (../nanojit/Nativei386.cpp:2154)

Gary, if you use TMFLAGS=recorder instead of TMFLAGS=readlir that might work.  TMFLAGS=recorder prints out the LIR in an earlier stage of compilation, and that assert occurs during assembly which is the last stage of compilation.
(Reporter)

Comment 4

7 years ago
Created attachment 458247 [details]
Console output

(In reply to comment #3)
> Gary, if you use TMFLAGS=recorder instead of TMFLAGS=readlir that might work. 
> TMFLAGS=recorder prints out the LIR in an earlier stage of compilation, and
> that assert occurs during assembly which is the last stage of compilation.

Thanks for the suggestion, Nick, hope this helps the devs.

Updated

7 years ago
Assignee: general → dvander
blocking2.0: ? → betaN+
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Whiteboard: [ccbr] → [ccbr][sg:critical]

Updated

7 years ago
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical][critsmash:investigating]

Comment 5

7 years ago
any update on this?
(Assignee)

Comment 6

7 years ago
Created attachment 462650 [details] [diff] [review]
fix

Hrm... looks like some kind of existing bug. It can't be right that these cases are valid for NEW, APPLY.
Attachment #462650 - Flags: review?(jorendorff)
Comment 7

Comment on attachment 462650 [details] [diff] [review]
fix

OK, but please land it on TM (the patch will need a tweak due to recentish changes there).
Attachment #462650 - Flags: review?(jorendorff) → review+
(Assignee)

Comment 8

7 years ago
http://hg.mozilla.org/tracemonkey/rev/0e1d9698a6ac
Whiteboard: [ccbr][sg:critical][critsmash:investigating] → [ccbr][sg:critical] fixed-in-tracemonkey

Comment 9

7 years ago
http://hg.mozilla.org/mozilla-central/rev/0e1d9698a6ac
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Group: core-security
Crash Signature: [@ js::Interpret]
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug579740.js.
Flags: in-testsuite+