Closed
Bug 827821
Opened 13 years ago
Closed 13 years ago
IonMonkey: Assertion failure: type == MIRType_Boolean || type == MIRType_Int32 || type == MIRType_Double || type == MIRType_String || type == MIRType_Object, at ion/MIR.h:1557
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox18 | --- | unaffected |
| firefox19 | --- | unaffected |
| firefox20 | + | fixed |
| firefox21 | + | fixed |
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file, 1 obsolete file)
|
1.17 KB,
patch
|
jandem
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 795632f0e4fe (run with --ion-eager):
var lfcode = new Array();
lfcode.push("3");
lfcode.push("\
gczeal(2);\
for (let q = 0; q < 50; ++q) {\
var w = \"r\".match(/r/);\
}\
let (eval) (function (a) {\
Function = gczeal;\
})();\
// .js\
");
lfcode.push(" // .js");
lfcode.push(" // .js");
lfcode.push(" // .js");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) == ".js") {
uneval("foo");
switch (lfRunTypeId) {
case 3: function newFunc(x) { new Function(x)(); }; newFunc(lfVarx); break;
case 4: eval("(function() { " + lfVarx + " })();"); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
|
Reporter | |
Comment 1•13 years ago
|
||
Marked s-s because this involves gczeal and looks like it could be some sort of type mismatch.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•13 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 117618:67e44e98555c
user: Hannes Verschore
date: Fri Jan 04 17:11:32 2013 +0100
summary: Bug 825705: Creating this on caller-side shouldn't query prototype for unknown objects, r=jandem
This iteration took 75.578 seconds to run.
|
|
Reporter | |
Comment 3•13 years ago
|
||
Needinfo from Hannes, based on comment 2 :)
Flags: needinfo?(hv1989)
|
|
Reporter | |
Comment 4•13 years ago
|
||
Got a similar one with the same assert but that crashes in js::ion::LIRGeneratorX86::visitUnbox with a write to a null address.
Crash Signature: [@ js::ion::LIRGeneratorX86::visitUnbox]
|
Assignee | |
Comment 5•13 years ago
|
||
Sorry about the delay, but I was on vacation.
The problem here is that pushTypeBarrier doesn't handle "JSVAL_TYPE_MAGIC" correctly and tries to unbox it. (What is impossible in IM.). The added code should handle that. Fixes the asserts.
|
|
Assignee | |
Updated•13 years ago
|
Attachment #701762 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 7•13 years ago
|
||
Previous patch was merely fighting symptoms. This is the real deal. During the VMCall we need to create this at callee side if it failed / is impossible at caller side.
Attachment #701762 -
Attachment is obsolete: true
Attachment #701850 -
Flags: review?(jdemooij)
|
|
Reporter | |
Comment 8•13 years ago
|
||
Based on discussion with Hannes on IRC, this bug can only lead to crashes due to reads/writes near null. Removing s-s.
Group: core-security
Keywords: crash
|
||
Comment 9•13 years ago
|
||
Comment on attachment 701850 [details] [diff] [review]
Create this at callee side, when failing at caller side
Review of attachment 701850 [details] [diff] [review]:
-----------------------------------------------------------------
r=me with the testcases in comment 0 and bug 827882 comment 0 added to jit-tests.
Attachment #701850 -
Flags: review?(jdemooij) → review+
|
||
Comment 10•13 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #9)
> Comment on attachment 701850 [details] [diff] [review]
> Create this at callee side, when failing at caller side
>
> Review of attachment 701850 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> r=me with the testcases in comment 0 and bug 827882 comment 0 added to
> jit-tests.
You might want to add bug 827882 comment 5 as well. It crashes and asserts, whereas the one in comment 0 only asserts.
|
|
Assignee | |
Comment 11•13 years ago
|
||
|
|
||
Comment 12•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
|
|
Assignee | |
Comment 13•13 years ago
|
||
Comment on attachment 701850 [details] [diff] [review]
Create this at callee side, when failing at caller side
[Approval Request Comment]
Bug caused by (feature/regressing bug #): #825705
User impact if declined: Possible crashes at 0x0 - 0x11
Testing completed (on m-c, etc.): m-c for a week, testcases fixed
Risk to taking this patch (and alternatives if risky):
Low. The fix is using a code path that used to get taken before the changes in #825705. Well tested in FF18 and FF19.
String or UUID changes made by this patch: /
Attachment #701850 -
Flags: approval-mozilla-aurora?
|
||
Comment 14•13 years ago
|
||
Comment on attachment 701850 [details] [diff] [review]
Create this at callee side, when failing at caller side
approving low risk fix for aurora to help mitigate potential crashes.
Attachment #701850 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Updated•13 years ago
|
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → affected
status-firefox21:
--- → fixed
tracking-firefox20:
--- → +
tracking-firefox21:
--- → +
|
||
Comment 15•13 years ago
|
||
|
|
Reporter | |
Comment 16•13 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•