Bug 737737 - IonMonkey: Crash [@ js::ion::LinearScanAllocator::populateSafepoints] or [@ js::ion::LIRGenerator::visitToInt32] or "Assertion failure: b.rval == MIRType_Int32 || b.rval == MIRType_Double,"
Keywords: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86 Mac OS X
Severity: critical
Assigned To: Kannan Vijayan [:djvj]
QA Contact: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz, IonFuzz
Reported: 2012-03-20 18:59 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-02-07 05:20 PST
Flags: choller: in-testsuite+

Attachments:
stacks (9.70 KB, text/plain), 2012-03-20 19:03 PDT, Gary Kwong [:gkw] [:nth10sd]
Tentative patch (1.47 KB, patch), 2012-05-15 13:55 PDT, Kannan Vijayan [:djvj], jdemooij: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-03-20 18:59:34 PDT
function b(z) {
  switch (z) {
  }
  primarySandbox = newGlobal("new-compartment")
  return function(f, code) {
    try {
      evalcx(code, primarySandbox)
    } catch (e) {}
  }
}
function a(code) {
  f = Function(code)
  c(f, code)
}
c = b()
a("\
  f2 = (function() {\
    a0 + o2.m;\
  });\
  a2 = new Array;\
  Object.defineProperty(a2, 0, {\
    get: f2\
  });\
  o2 = {};\
  a0 = [];\
  var x;\
")
a("a0 = x")

Asserts the js debug shell on IonMonkey changeset e96d5b1f47b8 with --ion and -n at "Assertion failure: b.rval == MIRType_Int32 || b.rval == MIRType_Double," and crashes the js opt shell at js::ion::LinearScanAllocator::populateSafepoints.

(Tested with a 32-bit opt shell compiled with --enable-more-deterministic)
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-03-20 19:03:20 PDT
Created attachment 607831: stacks

The stacks are not infinite, but around 600-700+ lines long, nonetheless attaching the top 20 lines of both debug and opt shell stacks.
Comment 2 Christian Holler (:decoder) 2012-04-17 12:54:03 PDT
With the test in comment 0, I am only getting this assertion now:

Assertion failure: unexpected type, at js/src/ion/Lowering.cpp:822

And it also pops up in optimized builds (it's a JS_NOT_REACHED).

Gary, can you confirm that?
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-04-17 15:53:14 PDT
On Mac 10.7 32-bit debug js shells, with --ion -n, I still get:

Assertion failure: rval == MIRType_Int32 || rval == MIRType_Double,

and I still crash at js::ion::LinearScanAllocator::populateSafepoints in 32-bit opt builds.
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2012-04-17 15:56:31 PDT
> and I still crash at js::ion::LinearScanAllocator::populateSafepoints in
> 32-bit opt builds.

Likely a null deref:

(gdb) x/i $pc
0x251e1b <_ZN2js3ion19LinearScanAllocator18populateSafepointsEv+379>:	mov    0x1c(%esi),%eax
(gdb) x/b $esi
0x0:	Cannot access memory at address 0x0
(gdb) x/b $eax
0x16:	Cannot access memory at address 0x16
Comment 5 Gary Kwong [:gkw] [:nth10sd] 2012-04-23 14:26:53 PDT
Instead of the signature in comment 0, the 32-bit js opt shell crash signature is now at:

Comment 6 Kannan Vijayan [:djvj] 2012-05-15 13:55:20 PDT
Created attachment 624179: Tentative patch

The problem is that the rval may possibly end up being MIRType_Value (in this test case, anyway), and the code simply asserts that rval is one of Int32 or Double, without allowing for other possibilities.

Small patch to check for non-Int32-or-Double MIRTypes, choosing not to specialize in that case.
Comment 7 Jan de Mooij [:jandem] 2012-05-16 09:20:33 PDT
Review of attachment 624179 (Tentative patch):

::: js/src/ion/MIR.cpp
@@ +910,5 @@
>      }
>      MIRType rval = MIRTypeFromValueType(b.outTypes->getKnownTypeTag(cx));
> +    // Don't specialize for non-integer results.
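Review bot: the comment on the added line is narrower than the condition it documents; the context line derives rval through MIRTypeFromValueType(b.outTypes->getKnownTypeTag(cx)), which yields MIRType_Value when the type set has no single known tag, and the change keeps both Int32 and Double specialized, so word it as "Don't specialize unless the result is Int32 or Double" and make the test that follows the comment an early return to the unspecialized path rather than an assertion.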

Nit: integer or double?
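As an added illustration of the decision comments 6 and 7 discuss (this is a model written for this page, not SpiderMonkey's source and not the attached patch), the C++ below represents a type set as a bitmask, derives the result MIRType the way the quoted hunk does, and falls back to the generic MIRType_Value path instead of asserting. Every name in it (ValueType, TypeSet, knownTypeTag, mirTypeFromValueType, specializeArithResult, LIROp, lowerAdd) is an assumed stand-in for the engine's own types and functions, and the sample type sets in main() are constructed.

```cpp
// Added model, not SpiderMonkey source: a compact version of the
// "specialize on the inferred result type" decision from comments 6 and 7.
// ValueType, TypeSet, knownTypeTag, mirTypeFromValueType, specializeArithResult,
// LIROp and lowerAdd are all assumed stand-ins for the engine's own names.
#include <cstdint>
#include <cstdio>
#include <stdexcept>

enum ValueType { VT_INT32 = 0, VT_DOUBLE, VT_STRING, VT_OBJECT, VT_UNKNOWN };
enum MIRType   { MIRType_Int32, MIRType_Double, MIRType_String, MIRType_Object, MIRType_Value };
enum LIROp     { LIR_AddI, LIR_AddD, LIR_AddV };

// A type set is modelled as a bitmask of the ValueTypes observed at a site.
typedef uint32_t TypeSet;

static TypeSet addType(TypeSet set, ValueType t) { return set | (1u << t); }

// Mirrors getKnownTypeTag: exactly one observed type is "known"; an empty or
// polymorphic set reports UNKNOWN.
static ValueType knownTypeTag(TypeSet set) {
    for (int t = VT_INT32; t <= VT_OBJECT; ++t) {
        if (set == (1u << t))
            return static_cast<ValueType>(t);
    }
    return VT_UNKNOWN;
}

// Mirrors MIRTypeFromValueType: UNKNOWN maps to the boxed MIRType_Value.
static MIRType mirTypeFromValueType(ValueType t) {
    switch (t) {
        case VT_INT32:  return MIRType_Int32;
        case VT_DOUBLE: return MIRType_Double;
        case VT_STRING: return MIRType_String;
        case VT_OBJECT: return MIRType_Object;
        default:        return MIRType_Value;
    }
}

// The decision from the quoted hunk. In this model the pre-patch shape would
// assert that rval is Int32 or Double; such an assert compiles out of an opt
// build, so a MIRType_Value result would flow on into numeric lowering. The
// patched shape returns the generic type instead and the caller does not
// specialize.
static MIRType specializeArithResult(TypeSet outTypes) {
    MIRType rval = mirTypeFromValueType(knownTypeTag(outTypes));
    // Don't specialize unless the result is Int32 or Double.
    if (rval != MIRType_Int32 && rval != MIRType_Double)
        return MIRType_Value;
    return rval;
}

// Lowering consumes the decision. Feeding it a type it has no case for is the
// "unexpected type" situation of comment 2; here that is a hard error rather
// than a JS_NOT_REACHED that a release build may run past.
static LIROp lowerAdd(MIRType rval) {
    switch (rval) {
        case MIRType_Int32:  return LIR_AddI;
        case MIRType_Double: return LIR_AddD;
        case MIRType_Value:  return LIR_AddV;
        default:
            throw std::logic_error("lowerAdd: type was never a valid specialization");
    }
}

int main() {
    // Constructed inputs: a monomorphic int site and a polymorphic one, the
    // latter standing for an expression like the a0 + o2.m in comment 0.
    TypeSet intOnly = addType(0, VT_INT32);
    TypeSet mixed   = addType(addType(0, VT_INT32), VT_OBJECT);
    std::printf("int-only site: MIRType %d -> LIR op %d\n",
                specializeArithResult(intOnly), lowerAdd(specializeArithResult(intOnly)));
    std::printf("mixed site:    MIRType %d -> LIR op %d\n",
                specializeArithResult(mixed), lowerAdd(specializeArithResult(mixed)));
    return 0;
}
```

The point of the model is the shape of the fix rather than the exact engine logic: an inference result is data the compiler did not choose, so the specialization path needs a real fall-through to the generic case, not an assert that only debug builds enforce. The real engine has further numeric widening (for example Int32 together with Double) that this model does not reproduce; here any set that is not a single known tag stays unspecialized.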
Comment 8 Kannan Vijayan [:djvj] 2012-05-16 13:52:03 PDT
Comment 9 Christian Holler (:decoder) 2013-02-07 05:20:48 PST
Automatically extracted testcase for this bug was committed:
