Closed Bug 798913 Opened 8 years ago Closed 8 years ago

IonMonkey: Assertion failure: end <= nformal, at ../ion/IonFrameIterator-inl.h:67

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux

Tracking


VERIFIED FIXED
mozilla19
Tracking Status
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 --- fixed
firefox19 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: decoder, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [ion:p1] [jsbugmon:update,ignore][adv-main18-])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision ecd4c4304219 (run with --ion-eager):


function f2() {
  return f2.arguments;
}
actual = (f2() == null);
function f4() {
  f2("");
}
actual = (f4() == null);

Making this s-s because the assertion seems to be a range assertion that could imply an out-of-bounds problem.
Summary: Assertion failure: end <= nformal, at ../ion/IonFrameIterator-inl.h:67 → IonMonkey: Assertion failure: end <= nformal, at ../ion/IonFrameIterator-inl.h:67
Whiteboard: [jsbugmon:update,bisect]
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Overflow of arguments was no longer causing failure of inlining, so I just added a check for all of the inlining candidates to make sure we don't inline an overflow of arguments knowing that we have no way to recover them yet.
Attachment #668987 - Flags: review?(dvander)
Attachment #668987 - Flags: review?(dvander) → review+
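
A regression-style check for the behaviour the comment above describes, as an added example (it is not the test or the patch from this bug): it generalizes the reporter's testcase to several formal/actual argument counts and verifies that `callee.arguments`, read through a direct-call caller, holds exactly the actuals that were passed. The helper names (`makeCallee`, `makeCaller`, `checkArguments`, `runCases`) and the iteration count are assumptions of this example.

```javascript
// Added example: regression-style check, not the test from the landed patch.
// Functions are built with Function() so they are sloppy-mode even when this
// file is loaded as a module; `callee.arguments` is unavailable in strict mode.

// Callee with `nformal` declared parameters that returns its own arguments
// object through the legacy `callee.arguments` accessor, like f2 in the report.
function makeCallee(nformal) {
  const formals = Array.from({ length: nformal }, (_, i) => `p${i}`).join(", ");
  return Function(
    `return function callee(${formals}) { return callee.arguments; };`
  )();
}

// Caller with a direct call site passing `nactual` literal arguments, like f4
// in the report. A direct call is what makes the callee an inlining candidate.
function makeCaller(callee, nactual) {
  const actuals = Array.from({ length: nactual }, (_, i) => `"a${i}"`).join(", ");
  return Function(
    "callee",
    `return function caller() { return callee(${actuals}); };`
  )(callee);
}

// Calls the pair repeatedly (so a JIT gets the chance to compile and inline)
// and verifies the recovered arguments are exactly the actuals that were passed.
function checkArguments(nformal, nactual, iterations = 2000) {
  const callee = makeCallee(nformal);
  const caller = makeCaller(callee, nactual);
  for (let i = 0; i < iterations; i++) {
    const args = caller();
    if (args === null || args.length !== nactual) return false;
    for (let j = 0; j < nactual; j++) {
      if (args[j] !== `a${j}`) return false;
    }
  }
  return callee.arguments === null; // no activation is live any more
}

// [nformal, nactual]: the report's shape (0 formals, 1 actual), larger
// overflows, an exact match, and an underflow as a control.
const CASES = [[0, 1], [1, 4], [2, 8], [3, 3], [3, 1]];

function runCases() {
  return CASES.map(([nf, na]) => ({ nformal: nf, nactual: na, ok: checkArguments(nf, na) }));
}
```

In a SpiderMonkey shell the same file can be run with `--ion-eager`, as in the original report, so that the call sites are compiled from the first iteration.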
http://hg.mozilla.org/integration/mozilla-inbound/rev/d9e032542831

Backout for breaking Windows opt toolkit/mozapps/extensions/test/browser/browser_updatessl.js and various other extension tests.   (per philor)
(In reply to Justin Wood (:Callek) from comment #4)
> http://hg.mozilla.org/integration/mozilla-inbound/rev/d9e032542831
> 
> Backout for breaking Windows opt
> toolkit/mozapps/extensions/test/browser/browser_updatessl.js and various
> other extension tests.   (per philor)

It's looking like this was actually from the push prior. eg:
https://tbpl.mozilla.org/?tree=Mozilla-Inbound&jobname=Rev3%20WINNT%206.1%20mozilla-inbound%20opt%20test%20mochitest-other&rev=20899bf87646
(and page down)

Retriggers should confirm; though would be nice to have a Win7 m-oth Try run of this to be sure. Use:
try: -b do -p win32 -u mochitest-o -t none
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109339:47a17015ef4a
user:        Nicolas B. Pierron
date:        Thu Oct 04 23:13:35 2012 -0700
summary:     Bug 787813 - Argument object, Use StackIter instead of StackFrame. r=luke

This iteration took 87.967 seconds to run.
This just missed the boat to 18, but we should be able to request for approval for aurora later.
This patch got backed out[1] for Win opt failures.  I will send the same patch to Try and see if I can reproduce any of these failures.

[1] https://hg.mozilla.org/integration/mozilla-inbound/rev/d9e032542831
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1]
(In reply to Ed Morley [:edmorley UTC+1] from comment #5)
> (In reply to Justin Wood (:Callek) from comment #4)
> > http://hg.mozilla.org/integration/mozilla-inbound/rev/d9e032542831
> > 
> > Backout for breaking Windows opt
> > toolkit/mozapps/extensions/test/browser/browser_updatessl.js and various
> > other extension tests.   (per philor)
> 
> It's looking like this was actually from the push prior. eg:
> https://tbpl.mozilla.org/?tree=Mozilla-Inbound&jobname=Rev3%20WINNT%206.1%20mozilla-inbound%20opt%20test%20mochitest-other&rev=20899bf87646
> (and page down)
> 
> Retriggers should confirm; though would be nice to have a Win7 m-oth Try run
> of this to be sure. Use:
> try: -b do -p win32 -u mochitest-o -t none

https://tbpl.mozilla.org/?tree=Try&rev=a8c9fc9862cf
Whiteboard: [jsbugmon:update][ion:p1] → [ion:p1] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd61540f237c).
https://hg.mozilla.org/mozilla-central/rev/03bc788fd004
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Comment on attachment 668987 [details] [diff] [review]
Prevent inlining of overflow of arguments.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 787813
User impact if declined: Unexpected memory read, potential SEGV.
Testing completed (on m-c, etc.): landed
Risk to taking this patch (and alternatives if risky): none, it prevents IonMonkey from optimizing some cases which are not well handled yet, and falls back on a less optimized & safe version.
String or UUID changes made by this patch: none
Attachment #668987 - Flags: approval-mozilla-aurora?
Comment on attachment 668987 [details] [diff] [review]
Prevent inlining of overflow of arguments.

[Triage Comment]
No risk, early in the cycle. Approving for Aurora 18.
Attachment #668987 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Flags: in-testsuite?
Whiteboard: [ion:p1] [jsbugmon:update,ignore] → [ion:p1] [jsbugmon:update,ignore][adv-main18-]
Group: core-security