IonMonkey: Assertion failure: mir->type() == MIRType_Value, at ../ion/shared/Lowering-shared-inl.h:413 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints]

VERIFIED FIXED in Firefox 19

Status

()

defect
--
critical
VERIFIED FIXED
7 years ago
6 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
mozilla19
x86
Linux
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox18 affected, firefox19 fixed, firefox-esr10 unaffected, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [jsbugmon:update][ion:p1][adv-main19+], crash signature)

Attachments

(2 attachments)

Posted file Testcase for shell
The attached testcase asserts on mozilla-central revision ec10630b1a54 (run with --ion-eager).
Crash trace from opt-build:

==32163== Invalid read of size 4
==32163==    at 0x83890CA: js::ion::LinearScanAllocator::populateSafepoints() (LIR.h:90)
==32163==    by 0x8345128: js::ion::CompileBackEnd(js::ion::IonBuilder*) (Ion.cpp:881)
==32163==    by 0x92C0B07: ???
==32163==    by 0x92BC087: ???
==32163==  Address 0x1c is not stack'd, malloc'd or (recently) free'd


S-s due to GC-relatedness and fragile test.
Blocks: IonFuzz
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
Keywords: crash
Summary: Assertion failure: mir->type() == MIRType_Value, at ../ion/shared/Lowering-shared-inl.h:413 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints] → IonMonkey: Assertion failure: mir->type() == MIRType_Value, at ../ion/shared/Lowering-shared-inl.h:413 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints]
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109322:825de541f566
user:        Kannan Vijayan
date:        Fri Oct 05 00:28:36 2012 -0400
summary:     Bug 786126 - part 3 - Allow null/undefined in typeset of target object of GetProp ICs. (r=sstangl)

This iteration took 91.551 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1]
Posted patch fixSplinter Review
IonMonkey's type information can sometimes be more accurate than TI's; in this case TI's typeset said "value" but Ion said "Object", so the explicit unbox was asserting. GetPropertyCache has an unboxing type policy though, so we can rely on that working instead.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #670163 - Flags: review?
Attachment #670163 - Flags: review? → review?(kvijayan)
Attachment #670163 - Flags: review?(kvijayan) → review+
(In reply to David Anderson [:dvander] from comment #3)
> Created attachment 670163 [details] [diff] [review]
> fix
> 
> IonMonkey's type information can sometimes be more accurate than TI's; in
> this case TI's typeset said "value" but Ion said "Object", so the explicit
> unbox was asserting. GetPropertyCache has an unboxing type policy though, so
> we can rely on that working instead.

Another problem here is that we're looking at obj->type() to determine the type of a MIR node -- when it is actually a redundant MPhi of (Object, Object), but during the IonBuilder phase it is typed as MIRType_Value. It's another one of those situations where we're looking at the MIR in order to build the MIR.

It's safe to just remove the erroneous condition, since it's redundant.
https://hg.mozilla.org/mozilla-central/rev/80482a232127
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Can this be put in testsuite?
Flags: in-testsuite?
This never got a security rating. Can someone suggest one?
Whiteboard: [jsbugmon:update][ion:p1] → [jsbugmon:update][ion:p1][adv-main19+]
This one is not really clear, it's either not exploitable at all or it's sg:critical. I'd just go with sg:critical.
Group: core-security
You need to log in before you can comment on or make changes to this bug.