Closed Bug 788822 Opened 12 years ago Closed 12 years ago

Assertion failure: [infer failure] Missing type pushed 0: <0x7f7d5aa09060>, at jsinfer.cpp:328

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
major

Tracking

()

VERIFIED FIXED
mozilla19
Tracking Status
firefox15 --- unaffected
firefox16 --- affected
firefox17 + fixed
firefox18 + fixed
firefox19 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00][adv-track-main17+])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision 0b296feed34c (run with --ion -n -m --ion-eager -a): function TestCase(n, d, e, a) this.name = n; function reportCompare (expected, actual, description) { var testcase = new TestCase("unknown-test-name", description, expected, actual); } evaluate("reportCompare(true,true);", { noScriptRval: true }); evaluate("( 2 , TestCase ) ();", { noScriptRval: true });
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][ion:p1:fx18]
Whiteboard: [jsbugmon:update,bisect][ion:p1:fx18] → [ion:p1:fx18] [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 105607:6cd206b37176 parent: 104959:b63bb39ed1c0 parent: 105606:a0240c1043ee user: David Anderson date: Wed Aug 29 17:51:24 2012 -0700 summary: Merge from mozilla-central. Oops! We didn't test rev b63bb39ed1c0, a parent of the blamed revision! Let's do that now. Rev b63bb39ed1c0: Found cached shell... Testing... Exit status: NORMAL (0.194 seconds) good (not interesting) As expected, the parent's label is the opposite of the blamed rev's label. Oops! We didn't test rev a0240c1043ee, a parent of the blamed revision! Let's do that now. We did not test rev a0240c1043ee because it is not a descendant of either 4ceb3e9961e4 or 0b296feed34c. Rev a0240c1043ee: Found cached shell... Testing... Exit status: ABNORMAL return code 1 (0.111 seconds) good (not interesting) As expected, the parent's label is the opposite of the blamed rev's label.
Whiteboard: [ion:p1:fx18] [jsbugmon:update] → [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00]
Version: Other Branch → Trunk
Reduced to: ----- function TestCase(n) { this.name = n; } new TestCase(22); evaluate("(2, TestCase)(2);", {noScriptRval: true}); ----- Interestingly, it also fails with JM (--no-ion -a): Assertion failure: !fe->isConstant(), at FrameState-inl.h:552 Bus error: 10 Maybe related to bug 763948, not sure yet.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
TI problem. When we have a JSOP_CALLGNAME op, we add a PropagateThis constraint: if (op == JSOP_CALLGNAME) pushed[0].addPropagateThis(cx, script, pc, GetCalleeThisType(pc)); However, if we have for instance: (1, TestCase)(2); JSOP_GETGNAME is emitted instead of JSOP_CALLGNAME, so the constraint is not added and the callee |this| typeset does not contain the right value. 00000: one 00001: pop 00002: getgname "TestCase" 00007: undefined 00008: notearg 00009: int8 2 00011: notearg 00012: call 1 00015: pop
Bisecting JM+TI points to bug 778724.
Blocks: 778724
Summary: IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: <0x7f7d5aa09060>, at jsinfer.cpp:328 → Assertion failure: [infer failure] Missing type pushed 0: <0x7f7d5aa09060>, at jsinfer.cpp:328
Below is another testcase based on bug 763948, here it's JSOP_THIS instead of JSOP_GETGNAME. Bug 763948 was filed in June so the bug was there before bug 778724 landed, but I think bug 778724 made it more likely to fail. function O() { this.x = 10; } new O(); O.foo = function() { this(); } O.foo();
Keywords: regression
The test case in Comment 0 currently fails with a different error, not hitting the error originally found. The new error is: Assertion failure: [infer failure] Missing type pushed 0: <0x7ffff1509060>, at /home/sstangl/dev/mozilla-inbound/js/src/jsinfer.cpp:311 Program received signal SIGSEGV, Segmentation fault. It's likely that something else regressed this; I'm bisecting.
(In reply to Sean Stangl from comment #7) > The test case in Comment 0 currently fails with a different error, not > hitting the error originally found. The new error is: Disregard that -- I mixed up two bugs. All is well.
Whiteboard: [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00] → [ion:p1] [jsbugmon:update,origRev=fdfaef738a00]
Whiteboard: [ion:p1] [jsbugmon:update,origRev=fdfaef738a00] → [ion:p1] [jsbugmon:update,origRev=fdfaef738a00,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2fae8bd461da).
Whiteboard: [ion:p1] [jsbugmon:update,origRev=fdfaef738a00,ignore] → [ion:p1] [jsbugmon:origRev=fdfaef738a00,bisectfix]
Whiteboard: [ion:p1] [jsbugmon:origRev=fdfaef738a00,bisectfix] → [ion:p1] [jsbugmon:origRev=fdfaef738a00]
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 109825:44079242ee9b user: Terrence Cole date: Tue Oct 09 17:26:13 2012 -0700 summary: Bug 799777 - Unravel the threaded interpreter; r=luke This iteration took 138.373 seconds to run.
Assignee: jdemooij → bhackett1024
Attached patch patchSplinter Review
TI is mistaken here in assuming that each JSOP_CALL/JSOP_NEW/etc. has its callee pushed by a JSOP_CALL* opcode (did this change recently?). This behavior is more historical from when the JSOP_CALL* opcodes pushed two values, and isn't really necessary anymore. This patch changes things so that the callee's this type is determined from constraints pushed at the JSOP_CALL, except for JSOP_CALLPROP which needs to correlate different callees and 'this' types.
Attachment #674087 - Flags: review?(jdemooij)
Comment on attachment 674087 [details] [diff] [review] patch Review of attachment 674087 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsinfer.cpp @@ +4119,5 @@ > + script->code[calleeValue.pushedOffset()] != JSOP_CALLPROP)) > + { > + HandleScript script_ = script; > + calleeTypes->add(cx, cx->analysisLifoAlloc().new_<TypeConstraintPropagateThis> > + (script_, pc, Type::UndefinedType(), callsite->thisTypes)); You can pass "script" directly and use addPropagateThis: calleeTypes->addPropagateThis(cx, script, pc, Type::UndefinedType(), callsite->thisTypes);
Attachment #674087 - Flags: review?(jdemooij) → review+
Btw, looking at the code I doubt Firefox 16 is indeed "unaffected". So the least we should do is land this on aurora and beta and add the test cases after beta moves to stable.
Assuming this is sec-critical due to infer failure. Let me know if that isn't right.
Keywords: sec-critical
Whiteboard: [ion:p1] [jsbugmon:origRev=fdfaef738a00] → [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00]
(In reply to Brian Hackett (:bhackett) [mostly gone until mid-November] from comment #15) > https://hg.mozilla.org/integration/mozilla-inbound/rev/ca391c7bceb8 Now that this has landed on m-i, we'll want to get uplift nominations as soon as possible.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
This appears to have fixed a regression on Nightly which still exists on Aurora. http://gojs.net/latest/samples/flowchart.html Assertion failure: false (could not find use), at c:/work/mozilla/builds/aurora/mozilla/js/src/ion/MIR.cpp:256 Found regression between 20120910183953-20120911183952 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=96287ad60bef&tochange=6e78c3efd115 http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-11-mozilla-central-debug/firefox-18.0a1.en-US.debug-mac64.dmg http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-12-mozilla-central-debug/firefox-18.0a1.en-US.debug-mac64.dmg Found fix between 20121022184211-20121024022814 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=48502b61a63e&tochange=b06ee7ea6ba0 http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-23-mozilla-central-debug/firefox-19.0a1.en-US.debug-mac64.dmg http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-24-mozilla-central-debug/firefox-19.0a1.en-US.debug-mac64.dmg Found regression between 20121008021134-20121008142135 Pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=c7c6f2aa37b6&tochange=7588306df29e http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-08-mozilla-aurora-debug/firefox-17.0a2.en-US.debug-mac64.dmg http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-09-mozilla-aurora-debug/firefox-18.0a2.en-US.debug-mac64.dmg The first good revision is: changeset: 111161:ca391c7bceb8 user: Brian Hackett <bhackett1024@gmail.com> date: Tue Oct 23 09:05:27 2012 -0700 summary: Propagate callee 'this' types more often, bug 788822. r=jandem
(In reply to Bob Clary [:bc:] from comment #19) > This appears to have fixed a regression on Nightly which still exists on > Aurora. > > http://gojs.net/latest/samples/flowchart.html > > Assertion failure: false (could not find use), at > c:/work/mozilla/builds/aurora/mozilla/js/src/ion/MIR.cpp:256 The first bad revision is: changeset: 106790:ca3fa3fbe62a parent: 106789:01f6ddbb6542 parent: 104782:d042ad078f43 user: David Anderson <danderson@mozilla.com> date: Tue Sep 11 10:25:14 2012 -0700 summary: Merge IonMonkey to mozilla-central. a=arewefastyet My question is did https://hg.mozilla.org/mozilla-central/rev/ca391c7bceb8 fix Assertion failure: false (could not find use) or did it just hide it?
Comment on attachment 674087 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 778724 User impact if declined: potential security bug Testing completed (on m-c, etc.): yes Risk to taking this patch (and alternatives if risky): Low risk, this changes some details in TI constraints, designed only to affect very esoteric code. Typical risks apply otherwise (could introduce new bugs or not fully fix the existing bug). String or UUID changes made by this patch:
Attachment #674087 - Flags: approval-mozilla-beta?
Attachment #674087 - Flags: approval-mozilla-aurora?
Attachment #674087 - Flags: approval-mozilla-beta?
Attachment #674087 - Flags: approval-mozilla-beta+
Attachment #674087 - Flags: approval-mozilla-aurora?
Attachment #674087 - Flags: approval-mozilla-aurora+
Needs landing for aurora/beta.
Keywords: checkin-needed
Whiteboard: [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00] → [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00][adv-track-main17+]
Keywords: verifyme
Keywords: verifyme
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: