Closed Bug 801156 Opened 7 years ago Closed 7 years ago

IonMonkey: Assertion failure: def->range()->lower() <= def->range()->upper(), at ion/RangeAnalysis.cpp:487

Categories

(Core :: JavaScript Engine, defect, critical)

x86
All
defect
Not set
critical

RESOLVED DUPLICATE of bug 766592

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [ion:p1] [jsbugmon:])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 90857937b601 (run with --ion-eager):


test();
function test() {
    var i=0;
    var j=0;
    var limit=0;
    for (i = 3; i<= n; i+=2) {
        limit = 1;
        for (j = 3; j < limit; j+=2)
            if (i % j == 0) {}
    }
}
S-s due to range assertion, feel free to unhide if this is not dangerous in any way :)
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109621:c0b305197227
user:        Marty Rosenberg
date:        Tue Oct 02 04:34:28 2012 -0400
summary:     Teach RangeAnalysis how to deal with unreachable blocks (bug 765119, r=dvander)

This iteration took 0.506 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1]
Marty, are these range assertions dangerous in any way? If so, can you suggest a security-rating?
Flags: needinfo?(mrosenberg)
They aren't dangerous; it probably means that I just messed up somewhere.
In this case, it may be getting nervous that we're attempting to evaluate foo % 0. Not sure if that is the case, but I know there have been problems with blocks that are guaranteed unreachable in the past.
Group: core-security
Flags: needinfo?(mrosenberg)
As expected, it was a silly bug with a simple fix.  I also fixed a whitespace typo.
Attachment #674309 - Flags: review?(jdemooij)
Comment on attachment 674309 [details] [diff] [review]
/home/mrosenberg/patches/fixMMod-r0.patch

Review of attachment 674309 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with the testcase added.

Slightly related, but it would be really good to have debug-only runtime range checks, probably behind a pref.
Attachment #674309 - Flags: review?(jdemooij) → review+
Whiteboard: [jsbugmon:update][ion:p1] → [ion:p1] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6eca73d185d0).
Whiteboard: [ion:p1] [jsbugmon:update,ignore] → [ion:p1] [jsbugmon:bisectfix]
Whiteboard: [ion:p1] [jsbugmon:bisectfix] → [ion:p1] [jsbugmon:]
JSBugMon: Fix Bisection requested, failed due to error (try manually).
I rebooted the machine as it was behaving weirdly. Let's see if that helps.
Whiteboard: [ion:p1] [jsbugmon:] → [ion:p1] [jsbugmon:bisectfix]
Whiteboard: [ion:p1] [jsbugmon:bisectfix] → [ion:p1] [jsbugmon:]
JSBugMon: Fix Bisection requested, failed due to error (try manually).
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109621:c0b305197227
user:        Marty Rosenberg
date:        Tue Oct 02 04:34:28 2012 -0400
summary:     Teach RangeAnalysis how to deal with unreachable blocks (bug 765119, r=dvander)
Blocks: 765119
Keywords: regression
OS: Linux → All
This is likely fixed by:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   114092:89e5db8cf62f
user:        Brian Hackett
date:        Fri Nov 23 23:23:03 2012 -0500
summary:     Add symbolic range analysis for loop induction variables, bug 766592. r=mjrosenb

Brian, do you think this is possible?
Flags: needinfo?(bhackett1024)
Yeah, this made a bunch of changes to the range analysis which could have fixed this assert.
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 766592
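
The lower <= upper invariant named in the assertion, together with the debug-only runtime range check suggested in review, as an added C++ illustration. It is not IonMonkey code and not the patch from this bug; all names are hypothetical, and the sample ranges are constructed from the testcase's inner loop (j starts at 3, limit is 1).

```cpp
// Added illustration, not IonMonkey source; every name here is hypothetical.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Closed interval [lower, upper]; int64_t fields so int32 bounds cannot overflow.
struct Range { int64_t lower, upper; };

// Intersection of two ranges. An empty intersection means no value satisfies
// both constraints (the guarded block is unreachable), so report failure
// rather than store an inverted range that breaks lower <= upper.
bool intersect(Range a, Range b, Range* out) {
    Range r{std::max(a.lower, b.lower), std::min(a.upper, b.upper)};
    if (r.lower > r.upper) return false;
    *out = r;
    return true;
}

// Range of x on the true edge of `x < bound`; false if that edge is unreachable.
bool refineLessThan(Range x, Range bound, Range* out) {
    return intersect(x, Range{INT32_MIN, bound.upper - 1}, out);
}

// Conservative range of lhs % rhs for int32 inputs: the result has the sign of
// lhs and magnitude below max|rhs|. Returns false if rhs can only be 0; a
// divisor range that merely includes 0 is not modelled in this sketch.
bool modRange(Range lhs, Range rhs, Range* out) {
    int64_t m = std::max(std::abs(rhs.lower), std::abs(rhs.upper));
    if (m == 0) return false;
    out->lower = lhs.lower < 0 ? std::max(lhs.lower, -(m - 1)) : 0;
    out->upper = lhs.upper > 0 ? std::min(lhs.upper, m - 1) : 0;
    return true;
}

// Debug-only runtime check: is an observed value inside the computed range?
bool inRange(const Range& r, int64_t observed) {
    return r.lower <= observed && observed <= r.upper;
}

int main() {
    Range r{0, 0};
    // Constructed ranges shaped like the inner loop above: j starts at 3, limit is 1.
    bool reachable = refineLessThan(Range{3, INT32_MAX}, Range{1, 1}, &r);
    std::printf("loop body %s\n", reachable ? "reachable" : "unreachable");
    if (modRange(Range{3, 100}, Range{3, 7}, &r))  // constructed operands
        std::printf("mod range [%lld, %lld], 9 %% 7 inside: %d\n",
                    (long long)r.lower, (long long)r.upper, inRange(r, 9 % 7));
}
```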