737737 - IonMonkey: Crash [@ js::ion::LinearScanAllocator::populateSafepoints] or [@ js::ion::LIRGenerator::visitToInt32] or "Assertion failure: b.rval == MIRType_Int32 || b.rval == MIRType_Double,"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

function b(z) {
  switch (z) {
  default:
    primarySandbox = newGlobal("new-compartment")
  }
  return function(f, code) {
    try {
      evalcx(code, primarySandbox)
    } catch (e) {}
  }
}
function a(code) {
  gc();
  f = Function(code)
  c(f, code)
}
c = b()
a("\
  f2 = (function() {\
    a0 + o2.m;\
    a2.shift()\
  });\
  a2 = new Array;\
  Object.defineProperty(a2, 0, {\
    get: f2\
  });\
  o2 = {};\
  a0 = [];\
  a2.shift();\
  var x;\
")
a("a0 = x")
a("a2.shift()")


asserts js debug shell on IonMonkey changeset e96d5b1f47b8 with --ion and -n at Assertion failure: b.rval == MIRType_Int32 || b.rval == MIRType_Double, and crashes js opt shell at js::ion::LinearScanAllocator::populateSafepoints

( Tested with a 32-bit opt shell compiled with --enable-more-deterministic )

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stacks

The stacks are not infinite, but around 600-700+ lines long, nonetheless attaching the top 20 lines of both debug and opt shell stacks.

Comment 2

[Christian Holler (:decoder)]

With the test in comment 0, I am only getting this assertion now:

Assertion failure: unexpected type, at js/src/ion/Lowering.cpp:822

And it also pops up in optimized builds (it's a JS_NOT_REACHED).

Gary, can you confirm that?

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

On Mac 10.7 32-bit debug js shells, with --ion -n, I still get:

Assertion failure: rval == MIRType_Int32 || rval == MIRType_Double,

and I still crash at js::ion::LinearScanAllocator::populateSafepoints in 32-bit opt builds.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

> and I still crash at js::ion::LinearScanAllocator::populateSafepoints in
> 32-bit opt builds.

Likely a null deref:

(gdb) x/i $pc
0x251e1b <_ZN2js3ion19LinearScanAllocator18populateSafepointsEv+379>:	mov    0x1c(%esi),%eax
(gdb) x/b $esi
0x0:	Cannot access memory at address 0x0
(gdb) x/b $eax
0x16:	Cannot access memory at address 0x16

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Instead of the signature in comment 0, the 32-bit js opt shell crash signature is now at:

js::ion::LIRGenerator::visitToInt32

Comment 6

[Kannan Vijayan [:djvj]]

Attachment: Tentative patch

The problem is that the rval may possibly end up being MIRType_Value (in this test case, anyway), and the code simply asserts that rval is one of Int32 or Double, without allowing for other possibilities.

Small patch to check for non-Int32-or-Double MIRTypes, choosing not to specialize in that case.

Comment 7

[Jan de Mooij [:jandem]]

Comment on attachment 624179 [details] [diff] [review]
Tentative patch

Review of attachment 624179 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/MIR.cpp
@@ +910,5 @@
>      }
>  
>      MIRType rval = MIRTypeFromValueType(b.outTypes->getKnownTypeTag(cx));
>  
> +    // Don't specialize for non-integer results.

Nit: integer or double?

Comment 8

[Kannan Vijayan [:djvj]]

https://hg.mozilla.org/projects/ionmonkey/rev/e14efc51f562

Comment 9

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397