Closed Bug 799907 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: mir->type() == MIRType_Value, at ../ion/shared/Lowering-shared-inl.h:413 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla19
Tracking Status
firefox18 --- affected
firefox19 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][ion:p1][adv-main19+])

Crash Data

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on mozilla-central revision ec10630b1a54 (run with --ion-eager).
Crash trace from opt-build:

==32163== Invalid read of size 4
==32163==    at 0x83890CA: js::ion::LinearScanAllocator::populateSafepoints() (LIR.h:90)
==32163==    by 0x8345128: js::ion::CompileBackEnd(js::ion::IonBuilder*) (Ion.cpp:881)
==32163==    by 0x92C0B07: ???
==32163==    by 0x92BC087: ???
==32163==  Address 0x1c is not stack'd, malloc'd or (recently) free'd


S-s due to GC-relatedness and fragile test.
Blocks: IonFuzz
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
Keywords: crash
Summary: Assertion failure: mir->type() == MIRType_Value, at ../ion/shared/Lowering-shared-inl.h:413 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints] → IonMonkey: Assertion failure: mir->type() == MIRType_Value, at ../ion/shared/Lowering-shared-inl.h:413 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints]
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109322:825de541f566
user:        Kannan Vijayan
date:        Fri Oct 05 00:28:36 2012 -0400
summary:     Bug 786126 - part 3 - Allow null/undefined in typeset of target object of GetProp ICs. (r=sstangl)

This iteration took 91.551 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1]
Attached patch fixSplinter Review
IonMonkey's type information can sometimes be more accurate than TI's; in this case TI's typeset said "value" but Ion said "Object", so the explicit unbox was asserting. GetPropertyCache has an unboxing type policy though, so we can rely on that working instead.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #670163 - Flags: review?
Attachment #670163 - Flags: review? → review?(kvijayan)
Attachment #670163 - Flags: review?(kvijayan) → review+
(In reply to David Anderson [:dvander] from comment #3)
> Created attachment 670163 [details] [diff] [review]
> fix
> 
> IonMonkey's type information can sometimes be more accurate than TI's; in
> this case TI's typeset said "value" but Ion said "Object", so the explicit
> unbox was asserting. GetPropertyCache has an unboxing type policy though, so
> we can rely on that working instead.

Another problem here is that we're looking at obj->type() to determine the type of a MIR node -- when it is actually a redundant MPhi of (Object, Object), but during the IonBuilder phase it is typed as MIRType_Value. It's another one of those situations where we're looking at the MIR in order to build the MIR.

It's safe to just remove the erroneous condition, since it's redundant.
https://hg.mozilla.org/mozilla-central/rev/80482a232127
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Can this be put in testsuite?
Flags: in-testsuite?
This never got a security rating. Can someone suggest one?
Whiteboard: [jsbugmon:update][ion:p1] → [jsbugmon:update][ion:p1][adv-main19+]
This one is not really clear, it's either not exploitable at all or it's sg:critical. I'd just go with sg:critical.
Group: core-security
You need to log in before you can comment on or make changes to this bug.