Closed Bug 844059 Opened 11 years ago Closed 11 years ago

IonMonkey: Assertion failure: isFloat(), at ../ion/RegisterSets.h:59

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- disabled

People

(Reporter: decoder, Assigned: nbp)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][adv-main22-])

Attachments

(1 file)

Prevent int-specialized GetElementIC to produce stub for float typed arrays.
3.25 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 885cde564ff3 (run with --ion-eager):


function assertArraysEqual(a, b) {
    assertEq(a[i], b[i]);
}
function check(b) {
    var a = deserialize(serialize(b));
    assertArraysEqual(a, b);
}
var ctors = [ Int8Array, Float64Array ];
for (var i = 0; i < ctors.length; i++) {
    var ctor = ctors[i];
    b = ctor(100);
    check(b);
}
S-s because this seems to confuse data types. Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000bdef9b in js::ion::AnyRegister::fpu (this=0x7fffffff4810) at ../ion/RegisterSets.h:59
59              JS_ASSERT(isFloat());
(gdb) bt
#0  0x0000000000bdef9b in js::ion::AnyRegister::fpu (this=0x7fffffff4810) at ../ion/RegisterSets.h:59
#1  0x0000000000c92105 in js::ion::MacroAssembler::loadFromTypedArray<js::ion::BaseIndex> (this=0x7fffffff4af0, arrayType=7, src=..., dest=..., temp=..., fail=0x7fffffff49d0)
    at /srv/repos/mozilla-central/js/src/ion/IonMacroAssembler.cpp:194
#2  0x0000000000c77d0a in js::ion::GetElementIC::attachTypedArrayElement (this=0x1447570, cx=0x13bfe90, ion=0x14474e0, obj=(JSObject *) 0x7ffff603fac0 [object Float64Array], idval=...)
    at /srv/repos/mozilla-central/js/src/ion/IonCaches.cpp:1666
#3  0x0000000000c79fd0 in js::ion::GetElementIC::update (cx=0x13bfe90, cacheIndex=0, obj=(JSObject * const) 0x7ffff603fac0 [object Float64Array], idval=$jsval(1), res=JSVAL_VOID)
    at /srv/repos/mozilla-central/js/src/ion/IonCaches.cpp:1726
#4  0x00007ffff7fe9d90 in ?? ()
Blocks: IonFuzz
Summary: Assertion failure: isFloat(), at ../ion/RegisterSets.h:59 → IonMonkey: Assertion failure: isFloat(), at ../ion/RegisterSets.h:59
Whiteboard: [jsbugmon:update,bisect]
Assignee: general → nicolas.b.pierron
This is likely caused by the changed I made on Bug 840696.
Blocks: 840696
Status: NEW → ASSIGNED
Guard against Float typed arrays if the output is not specialized as a Value, knowing that IonBuilder jsop_getelem filter out Double specialization for now.
Attachment #717315 - Flags: review?(dvander)
Comment on attachment 717315 [details] [diff] [review]
Prevent int-specialized GetElementIC to produce stub for float typed arrays.

Review of attachment 717315 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonCaches.cpp
@@ +1728,5 @@
>              if (!cache.attachDenseElement(cx, ion, obj, idval))
>                  return false;
>              attachedStub = true;
>          } else if (obj->isTypedArray() && idval.isInt32()) {
> +            int arrayType = obj->getClass() - &TypedArray::classes[0];

Is there a helper method somewhere to hide this implementation detail?
Attachment #717315 - Flags: review?(dvander) → review+
(In reply to David Anderson [:dvander] from comment #4)
> Comment on attachment 717315 [details] [diff] [review]
> Prevent int-specialized GetElementIC to produce stub for float typed arrays.
> 
> Review of attachment 717315 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: js/src/ion/IonCaches.cpp
> @@ +1728,5 @@
> >              if (!cache.attachDenseElement(cx, ion, obj, idval))
> >                  return false;
> >              attachedStub = true;
> >          } else if (obj->isTypedArray() && idval.isInt32()) {
> > +            int arrayType = obj->getClass() - &TypedArray::classes[0];
> 
> Is there a helper method somewhere to hide this implementation detail?

Looking deeper, I found the following static function (TypedArray::type), it does not use the same logic but it should work the same way.

I will use it in both places and check if this is still working fine.
https://hg.mozilla.org/mozilla-central/rev/729d41f6743b
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: