Bug 747926 - Assertion failure: [infer failure] Missing type pushed 0: void, at jsinfer.cpp:352
Status: VERIFIED FIXED
Whiteboard: [sg:critical] js-triage-needed [advis...
Keywords: assertion, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 All
Priority: -- Severity: critical
Target Milestone: mozilla15
Assigned To: Bill McCloskey (:billm)
Duplicates: 746150 747334 748547
Blocks: langfuzz 723313
Reported: 2012-04-23 08:34 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:11 PST
Flags: choller: in-testsuite+
Tracking flags (branch labels lost in extraction): unaffected, fixed, fixed, fixed, unaffected

Attachments
patch (1.80 KB, patch) - 2012-04-30 18:06 PDT, Bill McCloskey (:billm)
  bhackett1024: review+
  lukasblakk+bugs: approval-mozilla-aurora+
  lukasblakk+bugs: approval-mozilla-beta+

Description Christian Holler (:decoder) 2012-04-23 08:34:53 PDT
The following test asserts on mozilla-central revision 17af008937e3 (options -m -a -n):


// Fuzzer-generated testcase; countHeap() is a shell-only builtin (see the note below).
a = 'a';
b = [,];
exhaustiveSliceTest("exhaustive slice test 1", a);
exhaustiveSliceTest("exhaustive slice test 2", b);
function exhaustiveSliceTest(testname, a){
  x = 0;            // undeclared, so this assigns an implicit global
  var y = 0;
  countHeap();      // shell-only function
  for (y=a.length; y + a.length; y--) 
    var b  = a.slice(x,y);
}


This one involves the shell-only function "countHeap", but I don't know if this is a shell-only bug or just revealing a real bug. Maybe related to bug 746150? S-s until triaged.
Comment 1 Daniel Veditz [:dveditz] 2012-04-25 10:30:45 PDT
taking a guess that countHeap() shouldn't affect inference correctness and assigning sg:critical
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-04-26 13:39:20 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   86695:fbef6a165cf8
user:        Bill McCloskey
date:        Fri Feb 10 18:32:08 2012 -0800
summary:     Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-04-26 15:57:59 PDT
Marking flags based on regression window in comment 2.
Comment 4 Bill McCloskey (:billm) 2012-04-30 18:06:17 PDT
Created attachment 619797
patch

Here's the scenario:

1. Code sets y to 0.
2. GC happens. y is dead, so we overwrite it with undefined.
3. Code sets y to 1. As an optimization, it doesn't update the type tag. It incorrectly assumes it hasn't changed since step 1.

The easiest thing to do is to leave the type tag alone in step 2 while fixing up any pointers. The only tags we actually need to worry about are object and string. And we can come up with a dummy string and a dummy object as replacements. The only concern is that this code shouldn't cause the dummy object to be leaked. For objects, I used the global as the dummy. Luke says that the stack frame shouldn't outlive its global, so this seems safe.
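To make the three steps above concrete, here is an added C++ model written for this page; it is not SpiderMonkey code, and the `Tag` enum, `Value` struct, `CompiledInt32Store`, `gcClearDeadSlotBuggy`, `gcClearDeadSlotFixed`, `runScenario` and `deadObjectSlotPointsToGlobal` are all hypothetical names that stand in for the real stack-slot, JIT-store and GC-fixup code. It contrasts a GC that overwrites a dead slot with undefined (tag included) against one that keeps the tag and only swaps pointer payloads for dummies, and shows why the first breaks a compiled store that skips the tag write.

```cpp
// Added example modelling the scenario in comment 4; not SpiderMonkey code.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical tagged value (assumption: this is not the real jsval layout).
enum class Tag { Undefined, Int32, String, Object };

struct Object { const char* name; };

struct Value {
    Tag tag = Tag::Undefined;
    int32_t i32 = 0;
    const std::string* str = nullptr;
    Object* obj = nullptr;
};

// Dummy replacements: the global (assumed to outlive any frame) and an
// empty string, so a dead slot never keeps a pointer to freed memory.
static Object globalObject{"global"};
static const std::string emptyString;

// Compiled code that remembers the tag it last stored in a slot and skips
// the tag write when storing the same kind again (step 3 in comment 4).
struct CompiledInt32Store {
    bool tagKnownInt32 = false;
    void store(Value& slot, int32_t v) {
        if (!tagKnownInt32) {
            slot.tag = Tag::Int32;      // first store writes tag + payload
            tagKnownInt32 = true;
        }
        slot.i32 = v;                   // later stores write only the payload
    }
};

// Regressed behaviour: GC overwrites a dead slot with undefined, tag included.
void gcClearDeadSlotBuggy(Value& slot) { slot = Value{}; }

// Patched behaviour: keep the tag, replace only GC-pointer payloads with dummies.
void gcClearDeadSlotFixed(Value& slot) {
    switch (slot.tag) {
    case Tag::Object: slot.obj = &globalObject; break;
    case Tag::String: slot.str = &emptyString; break;
    default: break;   // Int32 / Undefined carry no GC pointer
    }
}

// Steps 1-3 of comment 4. Returns true when the slot ends up as the compiled
// code believes (Int32 tag holding 1), false when the tag has gone stale.
bool runScenario(bool patched) {
    Value y;
    CompiledInt32Store store;
    store.store(y, 0);                               // 1. y = 0
    if (patched) gcClearDeadSlotFixed(y);            // 2. GC sees y as dead
    else         gcClearDeadSlotBuggy(y);
    store.store(y, 1);                               // 3. y = 1, payload-only write
    return y.tag == Tag::Int32 && y.i32 == 1;
}

// A dead object slot after the patched GC: tag intact, pointer now the global.
bool deadObjectSlotPointsToGlobal() {
    Object doomed{"doomed"};     // stands in for an object the GC is about to free
    Value slot;
    slot.tag = Tag::Object;
    slot.obj = &doomed;
    gcClearDeadSlotFixed(slot);
    return slot.tag == Tag::Object && slot.obj == &globalObject;
}

int main() {
    std::printf("buggy GC:   slot consistent = %d\n", runScenario(false));
    std::printf("patched GC: slot consistent = %d\n", runScenario(true));
    std::printf("dead object slot -> global:  %d\n", deadObjectSlotPointsToGlobal());
    return 0;
}
```

With the buggy GC the slot ends step 3 tagged Undefined but carrying an integer payload, which is the kind of tag/payload mismatch the jsinfer assertion reports; with the patched GC the Int32 tag survives, and a dead object slot keeps its Object tag while pointing at the global rather than at freed memory.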
Comment 5 Bill McCloskey (:billm) 2012-04-30 18:08:28 PDT
*** Bug 746150 has been marked as a duplicate of this bug. ***
Comment 7 Bill McCloskey (:billm) 2012-05-07 18:09:41 PDT
https://hg.mozilla.org/mozilla-central/rev/c296a4cfe0d6
Comment 8 Christian Holler (:decoder) 2012-05-07 18:43:47 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 9 Bill McCloskey (:billm) 2012-05-09 10:56:42 PDT
Comment on attachment 619797
patch

[Approval Request Comment]
Regression caused by (bug #): bug 723313
User impact if declined: This may cause crashes or be exploitable.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low. We used to overwrite a stack slot with a dummy value, now we overwrite it with a slightly different dummy value.
String changes made by this patch: None
Comment 11 Christian Holler (:decoder) 2012-08-21 11:35:07 PDT
*** Bug 747334 has been marked as a duplicate of this bug. ***
Comment 12 Christian Holler (:decoder) 2012-08-21 11:35:43 PDT
*** Bug 748547 has been marked as a duplicate of this bug. ***
Comment 13 Christian Holler (:decoder) 2013-01-14 08:11:27 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug747926.js.
