Assertion failure: !needsHoleCheck && knownType == JSVAL_TYPE_DOUBLE, at ion/IonBuilder.cpp:5438

RESOLVED FIXED in mozilla21

Product: Core
Component: JavaScript Engine
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder
Assigned: bhackett
Blocks: 1 bug
Keywords: assertion, testcase
Version: Trunk
Target Milestone: mozilla21
Platform: x86 Linux
Bug Flags: in-testsuite +
Whiteboard: [jsbugmon:update]
Attachments: 1

Description (Reporter), 5 years ago
The following testcase asserts on mozilla-central revision 20bbf73921f4 (run with --ion-eager):

// Indexed property on Object.prototype: a read of an array hole can no longer
// be assumed to yield undefined, so element loads must keep their hole check.
Object.prototype[3] = 3;
var sjcl = {
    cipher: {},
};
sjcl.cipher.aes = function (a) {
    d = a.slice(0);
    for (a=0; a < 60; a++) {
        // Reads d[-1] and then well past the two elements, so the load
        // observes undefined values alongside the array's doubles.
        c = d[a - 1];
    }
};
// 0xffffffff does not fit in an int32, so the array is stored as doubles.
new sjcl.cipher.aes([0xffffffff, 0xffffffff]);
Comment 1 (Reporter), 5 years ago
S-s because this seems like a type confusion:

Program received signal SIGSEGV, Segmentation fault.
0x0851fd0d in js::ion::IonBuilder::jsop_getelem_dense (this=0x89d6808) at /srv/repos/mozilla-central/js/src/ion/IonBuilder.cpp:5438
5438            JS_ASSERT(!needsHoleCheck && knownType == JSVAL_TYPE_DOUBLE);
(gdb) p knownType
$1 = JSVAL_TYPE_UNKNOWN
Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter), 5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 (Reporter), 5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   120310:d7dd65663469
user:        Brian Hackett
date:        Tue Jan 29 16:20:03 2013 -0700
summary:     Bug 833898 - Allow converting mixed arrays of ints and doubles to uniform doubles, r=jandem.

This iteration took 88.633 seconds to run.
Comment 3 (Reporter), 5 years ago
Brian, can you look at this based on comment 2? Thanks!
Flags: needinfo?(bhackett1024)
Comment 4 (Assignee), 5 years ago
Created attachment 709484 [details] [diff] [review]
patch

Slightly busted logic when seeing if the input to an array load should be converted to a double array.  If the read has observed undefined values but still needs to bail out when reading holes (in this case, because Object.prototype has an indexed property) then the array still could be converted to doubles.  This is fine to do, and a LoadElementV will then be used which will disregard the loadDoubles flag, so this is a bogus assert.  The patch restructures the code to avoid the need for the assert, or for unnecessary calls to oracle->elementReadShouldAlwaysLoadDoubles().
Assignee: general → bhackett1024
Attachment #709484 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
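Added illustration (not code from the bug report or from SpiderMonkey; the function names are made up here) of why the read in comment 4 still needs a hole check: once any object on the prototype chain owns an indexed property, a hole or past-the-end read on an all-doubles array no longer yields undefined, so the compiler cannot drop the check merely because every present element is a double.

```javascript
// Constructed example. A private prototype between the array and
// Array.prototype carries the indexed property, so the effect stays local to
// one array instead of polluting Object.prototype as the testcase does.
function makeIndexedProto(index, value) {
  const proto = Object.create(Array.prototype);
  proto[index] = value;
  return proto;
}

// Read the indices an element load must treat specially: a hole inside the
// array, the index one past its length, and a negative index. For an
// ordinary array all three are undefined, which is what lets a JIT load a
// double slot and substitute undefined for a missing element. Once the
// prototype chain owns an indexed property, the same reads must consult the
// chain, so the hole check (needsHoleCheck) has to stay even though every
// present element is a double.
function readSpecialIndices(arr) {
  return { hole: arr[1], pastEnd: arr[arr.length], negative: arr[-1] };
}

function demonstrate() {
  // Two values above the int32 range, like the testcase, plus a hole at index 1.
  const doubles = [0xffffffff, , 0xffffffff];
  const before = readSpecialIndices(doubles);

  // Give the prototype chain own properties at index 1 and at index 3 (the
  // array's length), mirroring Object.prototype[3] = 3 in the testcase.
  const proto = makeIndexedProto(1, 1.5);
  proto[3] = 3;
  Object.setPrototypeOf(doubles, proto);
  const after = readSpecialIndices(doubles);

  // Property "-1" is not an array index, so it is undefined in both cases.
  return { before, after };
}
```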
Comment 5 (Assignee), 5 years ago
Bogus assert, not s-s.
Group: core-security

Updated, 5 years ago
Attachment #709484 - Flags: review?(jdemooij) → review+
Comment 6 (Assignee), 5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/8cef88c3bee4
https://hg.mozilla.org/mozilla-central/rev/8cef88c3bee4
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21