IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Importance: -- major
Reported: 6 years ago
Last modified: 3 years ago

People: Reporter: decoder; Assigned: nbp

Tracking: Blocks: 1 bug; Keywords: assertion, testcase
Version: Other Branch
Platform: x86 Linux
Firefox Tracking Flags: firefox-esr10 unaffected

Details: Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18]; crash signature

Attachments: 1 attachment
Description (Reporter, 6 years ago)
The following testcase asserts on ionmonkey revision b46621aba6fd (run with --ion -n -m):


function printStatus (msg) {
  var lines = msg.split ("\n");
}
function enterFunc (funcName)
function GetContext() {}
test();
function test() {
  enterFunc ();
  printStatus ("");
  for (let j = (32); j < 5; ++j)
    actual && ("0" in [3]);
  new test();
}
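The assertion named in the summary, !thisv.isPrimitive(), encodes an invariant of constructing calls: when a function is entered through `new`, the engine has already allocated an object to serve as `this`, so a frame flagged as constructing can never carry a primitive receiver. A plain call has no such guarantee (in strict code `this` is simply whatever the caller passed, including undefined or a number), which is why a caller that marks a non-constructing call as constructing can hand a primitive `this` to a check that assumes otherwise. The following is an added example, not part of the bug report and not SpiderMonkey code: `probe`, `makeFrame` and `checkBailoutFrame` are hypothetical stand-ins that model the distinction in plain JavaScript, with `checkBailoutFrame` playing the role of the assertion.

```javascript
// Mirror of the engine's distinction between a JS object and a primitive Value.
function isPrimitive(v) {
  return v === null || (typeof v !== "object" && typeof v !== "function");
}

// Hypothetical callee standing in for `test()` from the reproducer. It reports
// how it was invoked and what kind of `this` it observed at entry.
function probe() {
  "use strict"; // a plain call leaves `this` undefined instead of boxing it
  return { constructing: this instanceof probe, thisIsPrimitive: isPrimitive(this) };
}

// Observe `this` under the call modes an engine has to keep apart.
function observeCallModes() {
  return {
    construct: new probe(),                 // `new`: a fresh object is `this`
    plain: probe(),                         // strict plain call: `this` is undefined
    callPrimitive: probe.call(42),          // strict mode does not box the 42
    callObject: probe.call(new Number(42)), // object receiver, yet not constructing
  };
}

// Frame record as a caller would hand it to the callee: the constructing flag
// is the caller's claim, `thisv` is the receiver that is actually present.
function makeFrame(isConstructing, thisv) {
  return { isConstructing, thisv };
}

// Stand-in for the check at ion/Bailouts.cpp:138 (hypothetical, not the
// engine's code): a constructing frame must never carry a primitive `this`.
function checkBailoutFrame(frame) {
  if (frame.isConstructing && isPrimitive(frame.thisv)) {
    throw new Error("Assertion failure: !thisv.isPrimitive()");
  }
  return true;
}

// Correctly flagged plain call passes; the same receiver under a wrongly set
// constructing flag (the shape of the bug in the attachment title) trips it.
function demo() {
  const ok = checkBailoutFrame(makeFrame(false, undefined));
  let tripped = false;
  try {
    checkBailoutFrame(makeFrame(true, undefined));
  } catch (e) {
    tripped = true;
  }
  return { ok, tripped };
}
```

Note the asymmetry the check relies on: every constructing frame has an object `this`, but an object `this` does not imply a constructing frame (`callObject` above), so the flag has to come from the caller and has to be right.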
Comment 1 (Reporter, 6 years ago)
Causing quite a few sigs.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Comment 2 (Reporter, 6 years ago)
Just found a test (less reduced) that causes the same assert but crashes in opt builds, but only in GDB, not in valgrind:


Program received signal SIGSEGV, Segmentation fault.
GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110
110             return Type::ObjectType(&val.toObject());
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt 8
#0  GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110
#1  js::types::TypeMonitorResult (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:4915
#2  0x00000000006b9010 in Monitor (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>) at ../jsinferinlines.h:758
#3  js_InternalInterpret (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/methodjit/InvokeHelpers.cpp:1100
#4  0x0000000000625839 in JaegerInterpoline ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x4846c9 <js::types::TypeMonitorResult(JSContext*, JSScript*, jsbytecode*, JS::Value const&)+313>:   mov    0x8(%r12),%rcx
(gdb) info reg r12 rcx
r12            0x0      0
rcx            0xfffb7fffffffffff       -1266637395197953


Assuming this is some form of memory corruption due to the symptoms, marking S-s.
Group: core-security
Crash Signature: [@ GetValueType]
Summary: IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 → IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Comment 3

Created attachment 650358 [details] [diff] [review]
Fix isConstructing when JM is calling Into Ion.
Attachment #650358 - Flags: review?(dvander)
Comment 4

Comment on attachment 650358 [details] [diff] [review]
Fix isConstructing when JM is calling Into Ion.

Review of attachment 650358 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch
Attachment #650358 - Flags: review?(dvander) → review+
Comment 5

Comment on attachment 650358 [details] [diff] [review]
Fix isConstructing when JM is calling Into Ion.

https://hg.mozilla.org/projects/ionmonkey/rev/7fcedafba16d
Attachment #650358 - Flags: checkin+
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Updated (Reporter, 6 years ago)
Status: RESOLVED → VERIFIED
Comment 6 (Reporter, 6 years ago)
JSBugMon: This bug has been automatically verified fixed.
status-firefox-esr10: --- → unaffected
Group: core-security