Closed
Bug 844452
Opened 11 years ago
Closed 11 years ago
IonMonkey: Assertion failure: ins->type() == MIRType_Value, at /srv/repos/mozilla-central/js/src/ion/MIR.h:1754 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints] or Crash [@ isTagged]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla22
| Tracking | Status | |
|---|---|---|
| firefox19 | --- | unaffected |
| firefox20 | --- | unaffected |
| firefox21 | --- | unaffected |
| firefox22 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g18-v1.0.0 | --- | unaffected |
| b2g18-v1.0.1 | --- | unaffected |
People
(Reporter: decoder, Assigned: nbp)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][fuzzblocker][adv-main22-])
Crash Data
Attachments
(1 file)
|
1.66 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision e162098b76d9 (run with --ion-eager):
function reportCompare (expected, actual) {
if (expected != actual) { }
}
evaluate("\
expect = '';\
try { throw('x'); } catch(ex) {\
actual = ex + '';\
reportCompare(expect, actual);\
}\
", { noScriptRval : true });
evaluate("reportCompare(true, true);", { noScriptRval : true });
|
Reporter | |
Comment 1•11 years ago
|
||
S-s because I don't know if this type-confusion could cause a security problem. A different test also crashes in an opt-build while it asserts with the same message in debug builds:
Program received signal SIGSEGV, Segmentation fault.
0x0837b729 in isTagged (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:90
90 return !!(bits_ & TAG_MASK);
(gdb) bt
#0 0x0837b729 in isTagged (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:90
#1 kind (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:134
#2 isArgument (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:164
#3 js::ion::LinearScanAllocator::populateSafepoints (this=0xffffc75c) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:536
#4 0x0837f45f in js::ion::LinearScanAllocator::go (this=0xffffc75c) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1169
#5 0x08326be5 in js::ion::GenerateLIR (mir=0x8615c88) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1003
#6 0x08328585 in CompileBackEnd (mir=0x8615c88) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1066
#7 compile (autoDelete=<synthetic pointer>, builder=0x8615c88, this=<optimized out>, graph=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1262
#8 IonCompile<js::ion::SequentialCompileContext> (compileContext=..., constructing=24, osrPc=0x2 <Address 0x2 out of bounds>, fun=(JSFunction *) 0x85d4790 Cannot access memory at address 0x0,
script=<optimized out>, cx=0x85b8348) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1195
#9 js::ion::Compile<js::ion::SequentialCompileContext> (cx=0x85b8348, script=0xf7422200, fun=(JSFunction * const) 0xf7426f40 [object Function "testRegExp"], osrPc=0x85c7fbd "\343V", constructing=false,
compileContext=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1415
#10 0x0832b69d in js::ion::CanEnterAtBranch (cx=0x85b8348, script=0xf7422200, fp=..., pc=0x85c7fbd "\343V", isConstructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1461
#11 0x080f7aef in js::Interpret (cx=0x85b8348, entryFrame=0xf7698028, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:1399
#12 0x080fdb34 in js::RunScript (cx=0x85b8348, fp=0xf7698028) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:324
#13 0x080fee55 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0xf7422100, cx=0x85b8348, type=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:514
#14 js::Execute (cx=0x85b8348, script=0xf7422100, scopeChainArg=(JSObject &) @0xf741e040 [object global] delegate, rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:554
#15 0x0806a048 in JS_ExecuteScript (cx=0x85b8348, objArg=(JSObject *) 0xf741e040 [object global] delegate, scriptArg=0xf7422100, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5512
#16 0x080549ee in Process (cx=0x85b8348, obj_=<optimized out>, filename=0xffffd224 "min.js", forceTTY=false) at /srv/repos/mozilla-central/js/src/shell/js.cpp:468
#17 0x0805800e in ProcessArgs (op=0xffffcf70, obj_=(JSObject *) 0xf741e040 [object global] delegate, cx=0x85b8348) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5022
#18 Shell (cx=0x85b8348, op=0xffffcf70, envp=0xffffd094) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5059
#19 0x0804b487 in main (argc=3, argv=0xffffd084, envp=0xffffd094) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5281
(gdb) x /i $pc
=> 0x837b729 <js::ion::LinearScanAllocator::populateSafepoints()+633>: mov 0x1c(%ecx),%eax
(gdb) info reg ecx
ecx 0x0 0Blocks: IonFuzz
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
Keywords: crash
Summary: Assertion failure: ins->type() == MIRType_Value, at /srv/repos/mozilla-central/js/src/ion/MIR.h:1754 → IonMonkey: Assertion failure: ins->type() == MIRType_Value, at /srv/repos/mozilla-central/js/src/ion/MIR.h:1754 or Crash [@ js::ion::LinearScanAllocator::populateSafepoints] or Crash [@ isTagged]
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Comment 2•11 years ago
|
||
Another larger test also caused: Assertion failure: !types->unknown(), at ion/IonMacroAssembler.cpp:55
|
|
Reporter | |
Comment 3•11 years ago
|
||
Another crash signature:
Program received signal SIGSEGV, Segmentation fault.
0x000000000072603f in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
404 return intervals_[i];
(gdb) bt
#0 0x000000000072603f in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
#1 js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo (this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.cpp:699
#2 0x000000000071eb08 in js::ion::LinearScanAllocator::go (this=0x7fffffffbf60) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1137
#3 0x00000000006c7f32 in js::ion::GenerateLIR (mir=0xbd4c58) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1003
#4 0x00000000006ca6ba in CompileBackEnd (mir=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1066
#5 compile (autoDelete=<synthetic pointer>, builder=<optimized out>, this=<optimized out>, graph=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1262
#6 js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0xb52c20, script=0x7ffff602d580, fun=0x0, osrPc=0x0, constructing=false, compileContext=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1195
#7 0x00000000006cad1e in js::ion::Compile<js::ion::SequentialCompileContext> (cx=<optimized out>, script=0x7ffff602d580, fun=..., osrPc=<optimized out>, constructing=<optimized out>, compileContext=...)
at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1415
#8 0x00000000006cc85f in js::ion::CanEnter
[...]
(gdb) x /i $pc
=> 0x72603f <js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo()+2895>: mov (%rax),%rax
(gdb) info reg rax
rax 0x0Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 4•11 years ago
|
||
JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of: changeset: 122584:b831500ca4be user: David Anderson date: Thu Feb 21 13:52:09 2013 -0800 summary: Prevent GC from occuring during IC linking (bug 837714, r=bhackett). changeset: 122585:437c955ff06d user: Nicolas B. Pierron date: Wed Jan 30 07:41:01 2013 -0800 summary: Bug 796114 - Inline with type-checked arguments. r=h4writer changeset: 122586:5054f997ef77 user: Gregory Szorc date: Thu Feb 21 14:11:54 2013 -0800 summary: Bug 841074 - Statically declare fields on FHR measurements; r=rnewman changeset: 122587:6c126d076b0d user: Phil Ringnalda date: Thu Feb 21 14:26:04 2013 -0800 summary: Back out b831500ca4be (bug 837714) for bustage This iteration took 111.787 seconds to run.
|
|
Reporter | |
Comment 5•11 years ago
|
||
Same bisection as bug 844305, might be related. Ccing IonMonkey devs.
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
|
||
Comment 6•11 years ago
|
||
bug 844305 is fixed now. If this had the same regression range could it be the same bug? or does this still happen?
Flags: needinfo?(choller)
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,reconfirm]
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot]
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:update,reconfirm,ignore]
|
|
Reporter | |
Comment 7•11 years ago
|
||
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision 0a91da5f5eab).
Flags: needinfo?(choller)
|
|
Reporter | |
Comment 8•11 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #6) > bug 844305 is fixed now. If this had the same regression range could it be > the same bug? or does this still happen? Negative, see comment 7 :)
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot]
Whiteboard: [jsbugmon:update,reconfirm,ignore] → [jsbugmon:update]
Nicolas, could you take a look at this for Fx22? I did a manual bisect off comment #4 and it looks like bug 796114 is related.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
|
|
Reporter | |
Comment 10•11 years ago
|
||
Calling this a fuzzblocker now, as I found more signatures morphing into this bug.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
|
Assignee | |
Comment 11•11 years ago
|
||
Bug 847045 - http://hg.mozilla.org/integration/mozilla-inbound/rev/1250c1464755 is changing a lot of things around this location, I guess this will change this bug, building & checking right now …
|
|
Assignee | |
Comment 12•11 years ago
|
||
The following testcase asserts on mozilla-inbound revision d7b7c3c502261 (run with --ion-eager):
function reportCompare (expected, actual) {
return expected != actual;
}
function wrap() {
reportCompare(true, true);
}
reportCompare('', '');
wrap();|
|
Reporter | |
Comment 13•11 years ago
|
||
Thanks nbp. Once bug 847045 lands, we can set the whiteboard to [jsbugmon:update,testComment=12] to keep tracking it.
|
|
Assignee | |
Updated•11 years ago
|
Blocks: 796114
status-b2g18:
--- → unaffected
status-b2g18-v1.0.0:
--- → unaffected
status-b2g18-v1.0.1:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → affected
status-firefox-esr17:
--- → unaffected
|
|
Assignee | |
Comment 14•11 years ago
|
||
The problem was subtle. It appears that we can inline a function call even if none of the arguments are matching the type expected for the arguments. As we are not converting the input, bug guarding that the type is correct, the MIR type remain the type of the caller, instead of being the type expected by the callee. Type information tell us that the comparison is a string comparisons, but both operands are booleans. So we should box the booleans to satisfy the adjust input function of comparisons. Ideally we should not inline this function, knowing that the current type information will cause a bailout at the time of execution of the type barriers.
Attachment #722414 -
Flags: review?(dvander)
|
||
Comment 15•11 years ago
|
||
This is similar to bug 839315. That was also caused by inlining a function and therefore knowing what type/constant goes in. And that could be different to the types encountered and reported by TI.
|
||
Updated•11 years ago
|
Attachment #722414 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 16•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/501fea96c33a
|
||
Comment 17•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/501fea96c33a
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot]
|
|
Reporter | |
Comment 18•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•11 years ago
|
Crash Signature: [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot] → [@ js::ion::LinearScanAllocator::populateSafepoints]
[@ isTagged]
[@ getInterval]
[@ js::gc::MarkGCThingRoot]
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][adv-main22-]
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•