Assertion failure: [infer failure] Missing type pushed 0: <0x7f7d5aa09060>, at jsinfer.cpp:328

VERIFIED FIXED in Firefox 17

Status

()

Core
JavaScript Engine
--
major
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 2 bugs, 4 keywords)

Trunk
mozilla19
x86_64
Linux
assertion, regression, sec-critical, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox15 unaffected, firefox16 affected, firefox17+ fixed, firefox18+ fixed, firefox19 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00][adv-track-main17+])

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following testcase asserts on ionmonkey revision 0b296feed34c (run with --ion -n -m --ion-eager -a):


function TestCase(n, d, e, a)
  this.name = n;
function reportCompare (expected, actual, description) {
  var testcase = new TestCase("unknown-test-name", description, expected, actual);
}
evaluate("reportCompare(true,true);", { noScriptRval: true });
evaluate("( 2 , TestCase       ) ();", { noScriptRval: true });
(Reporter)

Updated

6 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][ion:p1:fx18]
(Reporter)

Updated

6 years ago
Whiteboard: [jsbugmon:update,bisect][ion:p1:fx18] → [ion:p1:fx18] [jsbugmon:update]
(Reporter)

Comment 1

6 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   105607:6cd206b37176
parent:      104959:b63bb39ed1c0
parent:      105606:a0240c1043ee
user:        David Anderson
date:        Wed Aug 29 17:51:24 2012 -0700
summary:     Merge from mozilla-central.

Oops! We didn't test rev b63bb39ed1c0, a parent of the blamed revision! Let's do that now.
Rev b63bb39ed1c0: Found cached shell...    Testing... Exit status: NORMAL (0.194 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.

Oops! We didn't test rev a0240c1043ee, a parent of the blamed revision! Let's do that now.
We did not test rev a0240c1043ee because it is not a descendant of either 4ceb3e9961e4 or 0b296feed34c.
Rev a0240c1043ee: Found cached shell...    Testing... Exit status: ABNORMAL return code 1 (0.111 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.
(Reporter)

Updated

6 years ago
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → unaffected
status-firefox18: --- → affected
Whiteboard: [ion:p1:fx18] [jsbugmon:update] → [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00]
Version: Other Branch → Trunk
Reduced to:
-----
function TestCase(n) {
    this.name = n;
}
new TestCase(22);
evaluate("(2, TestCase)(2);", {noScriptRval: true});
-----

Interestingly, it also fails with JM (--no-ion -a):

Assertion failure: !fe->isConstant(), at FrameState-inl.h:552
Bus error: 10

Maybe related to  bug 763948, not sure yet.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
TI problem. When we have a JSOP_CALLGNAME op, we add a PropagateThis constraint:

    if (op == JSOP_CALLGNAME)
        pushed[0].addPropagateThis(cx, script, pc, GetCalleeThisType(pc));

However, if we have for instance:

    (1, TestCase)(2);

JSOP_GETGNAME is emitted instead of JSOP_CALLGNAME, so the constraint is not added and the callee |this| typeset does not contain the right value.

00000:  one
00001:  pop
00002:  getgname "TestCase"
00007:  undefined
00008:  notearg
00009:  int8 2
00011:  notearg
00012:  call 1
00015:  pop
Bisecting JM+TI points to bug 778724.
Blocks: 778724
status-firefox17: unaffected → affected
Summary: IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: <0x7f7d5aa09060>, at jsinfer.cpp:328 → Assertion failure: [infer failure] Missing type pushed 0: <0x7f7d5aa09060>, at jsinfer.cpp:328
Below is another testcase based on bug 763948, here it's JSOP_THIS instead of JSOP_GETGNAME. Bug 763948 was filed in June so the bug was there before bug 778724 landed, but I think bug 778724 made it more likely to fail.

function O() {
    this.x = 10;
}
new O();
O.foo = function() {
    this();
}
O.foo();
tracking-firefox17: --- → +
tracking-firefox18: --- → +
Keywords: regression

Updated

6 years ago
Duplicate of this bug: 792183
The test case in Comment 0 currently fails with a different error, not hitting the error originally found. The new error is:

Assertion failure: [infer failure] Missing type pushed 0: <0x7ffff1509060>, at /home/sstangl/dev/mozilla-inbound/js/src/jsinfer.cpp:311

Program received signal SIGSEGV, Segmentation fault.

It's likely that something else regressed this; I'm bisecting.
(In reply to Sean Stangl from comment #7)
> The test case in Comment 0 currently fails with a different error, not
> hitting the error originally found. The new error is:

Disregard that -- I mixed up two bugs. All is well.
Whiteboard: [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00] → [ion:p1] [jsbugmon:update,origRev=fdfaef738a00]
(Reporter)

Updated

6 years ago
Whiteboard: [ion:p1] [jsbugmon:update,origRev=fdfaef738a00] → [ion:p1] [jsbugmon:update,origRev=fdfaef738a00,ignore]
(Reporter)

Comment 9

6 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2fae8bd461da).
(Reporter)

Updated

6 years ago
Whiteboard: [ion:p1] [jsbugmon:update,origRev=fdfaef738a00,ignore] → [ion:p1] [jsbugmon:origRev=fdfaef738a00,bisectfix]
(Reporter)

Updated

6 years ago
Whiteboard: [ion:p1] [jsbugmon:origRev=fdfaef738a00,bisectfix] → [ion:p1] [jsbugmon:origRev=fdfaef738a00]
(Reporter)

Comment 10

6 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   109825:44079242ee9b
user:        Terrence Cole
date:        Tue Oct 09 17:26:13 2012 -0700
summary:     Bug 799777 - Unravel the threaded interpreter; r=luke

This iteration took 138.373 seconds to run.
(Assignee)

Updated

6 years ago
Assignee: jdemooij → bhackett1024
(Assignee)

Comment 11

6 years ago
Created attachment 674087 [details] [diff] [review]
patch

TI is mistaken here in assuming that each JSOP_CALL/JSOP_NEW/etc. has its callee pushed by a JSOP_CALL* opcode (did this change recently?).  This behavior is more historical from when the JSOP_CALL* opcodes pushed two values, and isn't really necessary anymore.  This patch changes things so that the callee's this type is determined from constraints pushed at the JSOP_CALL, except for JSOP_CALLPROP which needs to correlate different callees and 'this' types.
Attachment #674087 - Flags: review?(jdemooij)
Comment on attachment 674087 [details] [diff] [review]
patch

Review of attachment 674087 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsinfer.cpp
@@ +4119,5 @@
> +             script->code[calleeValue.pushedOffset()] != JSOP_CALLPROP))
> +        {
> +            HandleScript script_ = script;
> +            calleeTypes->add(cx, cx->analysisLifoAlloc().new_<TypeConstraintPropagateThis>
> +                                   (script_, pc, Type::UndefinedType(), callsite->thisTypes));

You can pass "script" directly and use addPropagateThis:

calleeTypes->addPropagateThis(cx, script, pc, Type::UndefinedType(), callsite->thisTypes);
Attachment #674087 - Flags: review?(jdemooij) → review+
Btw, looking at the code I doubt Firefox 16 is indeed "unaffected". So the least we should do is land this on aurora and beta and add the test cases after beta moves to stable.
status-firefox16: unaffected → affected
status-firefox19: --- → affected
(Reporter)

Comment 14

6 years ago
Assuming this is sec-critical due to infer failure. Let me know if that isn't right.
Keywords: sec-critical
Whiteboard: [ion:p1] [jsbugmon:origRev=fdfaef738a00] → [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00]
(In reply to Brian Hackett (:bhackett) [mostly gone until mid-November] from comment #15)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/ca391c7bceb8

Now that this has landed on m-i, we'll want to get uplift nominations as soon as possible.
https://hg.mozilla.org/mozilla-central/rev/ca391c7bceb8

Should this have a test?
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
status-firefox19: affected → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
(Reporter)

Updated

6 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 18

6 years ago
JSBugMon: This bug has been automatically verified fixed.

Comment 19

6 years ago
This appears to have fixed a regression on Nightly which still exists on Aurora.

http://gojs.net/latest/samples/flowchart.html

Assertion failure: false (could not find use), at c:/work/mozilla/builds/aurora/mozilla/js/src/ion/MIR.cpp:256

Found regression between 20120910183953-20120911183952
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=96287ad60bef&tochange=6e78c3efd115
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-11-mozilla-central-debug/firefox-18.0a1.en-US.debug-mac64.dmg
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-12-mozilla-central-debug/firefox-18.0a1.en-US.debug-mac64.dmg

Found fix between 20121022184211-20121024022814
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=48502b61a63e&tochange=b06ee7ea6ba0
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-23-mozilla-central-debug/firefox-19.0a1.en-US.debug-mac64.dmg
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-24-mozilla-central-debug/firefox-19.0a1.en-US.debug-mac64.dmg

Found regression between 20121008021134-20121008142135
Pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=c7c6f2aa37b6&tochange=7588306df29e
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-08-mozilla-aurora-debug/firefox-17.0a2.en-US.debug-mac64.dmg
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/10/2012-10-09-mozilla-aurora-debug/firefox-18.0a2.en-US.debug-mac64.dmg

The first good revision is:
changeset:   111161:ca391c7bceb8
user:        Brian Hackett <bhackett1024@gmail.com>
date:        Tue Oct 23 09:05:27 2012 -0700
summary:     Propagate callee 'this' types more often, bug 788822. r=jandem

Comment 20

6 years ago
(In reply to Bob Clary [:bc:] from comment #19)
> This appears to have fixed a regression on Nightly which still exists on
> Aurora.
> 
> http://gojs.net/latest/samples/flowchart.html
> 
> Assertion failure: false (could not find use), at
> c:/work/mozilla/builds/aurora/mozilla/js/src/ion/MIR.cpp:256

The first bad revision is:
changeset:   106790:ca3fa3fbe62a
parent:      106789:01f6ddbb6542
parent:      104782:d042ad078f43
user:        David Anderson <danderson@mozilla.com>
date:        Tue Sep 11 10:25:14 2012 -0700
summary:     Merge IonMonkey to mozilla-central. a=arewefastyet

My question is did https://hg.mozilla.org/mozilla-central/rev/ca391c7bceb8 fix Assertion failure: false (could not find use) or did it just hide it?
Comment on attachment 674087 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 778724
User impact if declined: potential security bug
Testing completed (on m-c, etc.): yes
Risk to taking this patch (and alternatives if risky): Low risk, this changes some details in TI constraints, designed only to affect very esoteric code. Typical risks apply otherwise (could introduce new bugs or not fully fix the existing bug).
String or UUID changes made by this patch:
Attachment #674087 - Flags: approval-mozilla-beta?
Attachment #674087 - Flags: approval-mozilla-aurora?
Attachment #674087 - Flags: approval-mozilla-beta?
Attachment #674087 - Flags: approval-mozilla-beta+
Attachment #674087 - Flags: approval-mozilla-aurora?
Attachment #674087 - Flags: approval-mozilla-aurora+
Needs landing for aurora/beta.
Keywords: checkin-needed
https://hg.mozilla.org/releases/mozilla-aurora/rev/fd0363381c3b

Needed some syntactic changes to apply to mozilla-beta.

https://hg.mozilla.org/releases/mozilla-beta/rev/2c15b22a9ed4
status-firefox17: affected → fixed
status-firefox18: affected → fixed
Keywords: checkin-needed

Updated

6 years ago
Whiteboard: [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00] → [ion:p1:fx19] [jsbugmon:origRev=fdfaef738a00][adv-track-main17+]
Keywords: verifyme
Keywords: verifyme
Group: core-security
You need to log in before you can comment on or make changes to this bug.