Closed Bug 836274 Opened 9 years ago Closed 9 years ago

IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:318

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect; Priority: Not set; Severity: critical
Status: VERIFIED FIXED; Target Milestone: mozilla21
Tracking Status:
firefox20 --- unaffected
firefox21 + fixed
firefox22 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected
People: Reporter: decoder, Assigned: h4writer
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file

The following testcase asserts on mozilla-central revision 677e87c11252 (run with --ion-eager):

function dumpArgs6(i) {
  if (i == 90)
    return funapply6.arguments.length;
  return [i];
}
function funapply6() {
  return dumpArgs6.apply({}, arguments);
}
function test6(i) {
  return funapply6(i,1,2,3);
}
test6(89)[0]
test6(0.2)
S-s because infer failures can be security related.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   120021:e8578248b798
user:        Hannes Verschore
date:        Sun Jan 27 22:51:41 2013 +0100
summary:     Bug 824473: IonMonkey: Enable inlining of JSOP_FUNAPPLY, r=dvander

This iteration took 107.917 seconds to run.
Blocks: IonFuzz
Summary: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:318 → IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:318
Hannes, can you take a look based on comment 2? Also let me know please if this has any security implications (e.g. potential crashes, etc.). If you have any questions regarding that, feel free to ping me on IRC. Thanks!
Flags: needinfo?(hv1989)
Just to inform you that I got the needinfo and am looking into it. It's the argument type (double) of test6 that doesn't get added. I actually have no idea what implications this has. This is definitely caused by my patch and I'll fix it as soon as possible.
Assignee: general → hv1989
Flags: needinfo?(hv1989)
Keywords: sec-high
Comment on attachment 715116 [details] [diff] [review]
Disable funapply inlining when typeset of callee is tighter than caller

Flipping review to Nicolas
Attachment #715116 - Flags: review?(jdemooij) → review?(nicolas.b.pierron)
Comment on attachment 715116 [details] [diff] [review]
Disable funapply inlining when typeset of callee is tighter than caller

Review of attachment 715116 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +3171,5 @@
> +        // doesn't update the types in the "apply" function, resulting in missed types.
> +        if (op == JSOP_FUNAPPLY) {
> +            types::TypeSet *calleeType, *callerType;
> +            for (size_t i = 0; i < target->nargs; i++) {
> +                calleeType = types::TypeScript::ArgTypes(targetScript, i);
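Review bot: `callerType` is declared on the `types::TypeSet *calleeType, *callerType;` line but is not assigned anywhere within this hunk, while `calleeType` is assigned inside the loop body; declaring each pointer at the point where it is assigned would keep the two lookups visibly paired and avoid a pointer that is live but unset for part of the block. The leading comment also states only the consequence ("resulting in missed types") and not the rule being enforced; a short sentence naming the bail-out condition (do not inline JSOP_FUNAPPLY when a callee argument typeset is tighter than the caller's) at the point of the check would make the intent clear to the next reader.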

I guess we want to use the oracle here:
calleeType = oracle->parameterTypeSet(targetScript, i);
Comment on attachment 715116 [details] [diff] [review]
Disable funapply inlining when typeset of callee is tighter than caller

Review of attachment 715116 [details] [diff] [review]:
-----------------------------------------------------------------

I guess this will have to be removed when we support excluded types for FUN_APPLY, right?
Attachment #715116 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/64a2c3fb2052

(In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #8)
> Comment on attachment 715116 [details] [diff] [review]
> I guess this will have to be removed when we support excluded types for
> FUN_APPLY, right?

It doesn't need to be, but it could get removed, as long as the types are also seen in the caller script and not only in the callee script. Right now those types are only seen in the callee script, and therefore the "apply" function doesn't get the type updates.
https://hg.mozilla.org/mozilla-central/rev/64a2c3fb2052
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security