Closed Bug 827821 Opened 11 years ago Closed 11 years ago

IonMonkey: Assertion failure: type == MIRType_Boolean || type == MIRType_Int32 || type == MIRType_Double || type == MIRType_String || type == MIRType_Object, at ion/MIR.h:1557

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21
Tracking Flags:
Tracking Status
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 + fixed
firefox21 + fixed

People

(Reporter: decoder, Assigned: h4writer)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file, 1 obsolete file)

Create this at callee side, when failing at caller side
1.17 KB, patch
jandem
: review+
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 795632f0e4fe (run with --ion-eager):


var lfcode = new Array();
lfcode.push("3");
lfcode.push("\
	gczeal(2);\
	for (let q = 0; q < 50; ++q) {\
		var w = \"r\".match(/r/);\
	}\
	let (eval) (function  (a) {\
		Function = gczeal;\
	})();\
	// .js\
");
lfcode.push(" // .js");
lfcode.push(" // .js");
lfcode.push(" // .js");
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
        loadFile(file)
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) == ".js") {
	    uneval("foo");
            switch (lfRunTypeId) {
                case 3: function newFunc(x) { new Function(x)(); }; newFunc(lfVarx); break;
                case 4: eval("(function() { " + lfVarx + " })();"); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
	}
    } catch (lfVare) {}
}
Marked s-s because this involves gczeal and looks like it could be some sort of type mismatch.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   117618:67e44e98555c
user:        Hannes Verschore
date:        Fri Jan 04 17:11:32 2013 +0100
summary:     Bug 825705: Creating this on caller-side shouldn't query prototype for unknown objects, r=jandem

This iteration took 75.578 seconds to run.
Needinfo from Hannes, based on comment 2 :)
Flags: needinfo?(hv1989)
Got a similar one  with the same assert but that crashes in js::ion::LIRGeneratorX86::visitUnbox with a write to a null address.
Crash Signature: [@ js::ion::LIRGeneratorX86::visitUnbox]
Sorry about the delay, but I was on vacation.

The problem here is that pushTypeBarrier doesn't handle "JSVAL_TYPE_MAGIC" correctly and tries to unbox it. (What is impossible in IM.). The added code should handle that. Fixes the asserts.
Assignee: general → hv1989
Attachment #701762 - Flags: review?(jdemooij)
Flags: needinfo?(hv1989)
Attachment #701762 - Flags: review?(jdemooij)
Previous patch was merely fighting symptoms. This is the real deal. During the VMCall we need to create this at callee side if it failed / is impossible at caller side.
Attachment #701762 - Attachment is obsolete: true
Attachment #701850 - Flags: review?(jdemooij)
Based on discussion with Hannes on IRC, this bug can only lead to crashes due to reads/writes near null. Removing s-s.
Group: core-security
Keywords: crash
Comment on attachment 701850 [details] [diff] [review]
Create this at callee side, when failing at caller side

Review of attachment 701850 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with the testcases in comment 0 and bug 827882 comment 0 added to jit-tests.
Attachment #701850 - Flags: review?(jdemooij) → review+
(In reply to Jan de Mooij [:jandem] from comment #9)
> Comment on attachment 701850 [details] [diff] [review]
> Create this at callee side, when failing at caller side
> 
> Review of attachment 701850 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> r=me with the testcases in comment 0 and bug 827882 comment 0 added to
> jit-tests.

You might want to add bug 827882 comment 5 as well. It crashes and asserts, whereas the one in comment 0 only asserts.
https://hg.mozilla.org/mozilla-central/rev/6c1387877737
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment on attachment 701850 [details] [diff] [review]
Create this at callee side, when failing at caller side

[Approval Request Comment]
Bug caused by (feature/regressing bug #): #825705

User impact if declined: Possible crashes at 0x0 - 0x11

Testing completed (on m-c, etc.): m-c for a week, testcases fixed

Risk to taking this patch (and alternatives if risky): 
Low. The fix is using a code path that used to get taken before the changes in #825705. Well tested in FF18 and FF19.

String or UUID changes made by this patch: /
Attachment #701850 - Flags: approval-mozilla-aurora?
Comment on attachment 701850 [details] [diff] [review]
Create this at callee side, when failing at caller side

approving low risk fix for aurora to help mitigate potential crashes.
Attachment #701850 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: