Closed Bug 852140 Opened 11 years ago Closed 11 years ago

IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1848 or Crash [@ getInterval]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: h4writer)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update][adv-main22-])

Crash Data

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on mozilla-central revision b03bb3ce8cee (run with --ion-eager):


function reportCompare (expected, actual) {
  if (expected != actual) {}
}
function exitFunc (funcName)
  reportCompare(undefined, '');
reportCompare('', '');
exitFunc();
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000075d3af in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
404             return intervals_[i];
(gdb) bt
#0  0x000000000075d3af in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
#1  js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo (this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.cpp:699
#2  0x0000000000755d88 in js::ion::LinearScanAllocator::go (this=0x7fffffffca60) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1137
#3  0x0000000000701976 in js::ion::GenerateLIR (mir=0xc59d28, maybeMasm=0x0) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1045
#4  0x0000000000703236 in CompileBackEnd (mir=0xc59d28, maybeMasm=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1120
#5  compile (autoDelete=<synthetic pointer>, builder=0xc59d28, this=<optimized out>, graph=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1315
#6  js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0xbade30, script=0xc59d28, fun=(JSFunction *) 0x7ffff603ce80 [object Function "exitFunc"], osrPc=0x0, constructing=false, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1248
#7  0x00000000007038ae in js::ion::Compile<js::ion::SequentialCompileContext> (cx=<optimized out>, script=0x7ffff6032280, fun=..., osrPc=<optimized out>, constructing=<optimized out>, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1468
#8  0x0000000000703b65 in js::ion::CanEnter (cx=0xbade30, script=0x7ffff6032280, fp=..., isConstructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1567
#9  0x00000000004b2632 in js::Interpret (cx=0xbade30, entryFrame=0x7ffff62f4038, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2427
#10 0x00000000004b7b6b in js::RunScript (cx=0xbade30, fp=0x7ffff62f4038) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:341
#11 0x00000000004bd8a3 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0x7ffff6032100, cx=0xbade30, type=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:531
#12 js::Execute (cx=0xbade30, script=0x7ffff6032100, scopeChainArg=..., rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:571
#13 0x0000000000424451 in JS_ExecuteScript (cx=0xbade30, objArg=(JSObject *) 0x7ffff602e060 [object global] delegate, scriptArg=<optimized out>, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5535
#14 0x000000000040fa1e in Process (cx=0xbade30, obj_=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>) at /srv/repos/mozilla-central/js/src/shell/js.cpp:468
#15 0x0000000000413e94 in ProcessArgs (op=0x7fffffffdbc0, obj_=(JSObject *) 0x7ffff602e060 [object global] delegate, cx=0xbade30) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5030
#16 Shell (cx=0xbade30, op=0x7fffffffdbc0, envp=<optimized out>) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5067
#17 0x000000000040453f in main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffffffdd98) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5291
(gdb) x /i $pc
=> 0x75d3af <js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo()+2895>:        mov    (%rax),%rax
(gdb) info reg rax
rax            0x0      0


Looks like a null-deref but filing s-s because the assertion could indicate a security problem.

We already have other bugs on file with this assert, but I'm filing this anyway because this crashes differently and last time we missed at least one of these bugs because we thought they would be the same. If this is a dup to the others, JSBugMon should automatically find out once they are fixed.
Blocks: IonFuzz
Crash Signature: [@ getInterval]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   122584:b831500ca4be
user:        David Anderson
date:        Thu Feb 21 13:52:09 2013 -0800
summary:     Prevent GC from occuring during IC linking (bug 837714, r=bhackett).

changeset:   122585:437c955ff06d
user:        Nicolas B. Pierron
date:        Wed Jan 30 07:41:01 2013 -0800
summary:     Bug 796114 - Inline with type-checked arguments. r=h4writer

changeset:   122586:5054f997ef77
user:        Gregory Szorc
date:        Thu Feb 21 14:11:54 2013 -0800
summary:     Bug 841074 - Statically declare fields on FHR measurements; r=rnewman

changeset:   122587:6c126d076b0d
user:        Phil Ringnalda
date:        Thu Feb 21 14:26:04 2013 -0800
summary:     Back out b831500ca4be (bug 837714) for bustage

This iteration took 78.562 seconds to run.
Likely bug 796114 again, needinfo from Nicolas :)
Flags: needinfo?(nicolas.b.pierron)
(In reply to Christian Holler (:decoder) from comment #3)
> Likely bug 796114 again, needinfo from Nicolas :)

Yes, this is likely.  Taking it and fixing it soonish.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Blocks: 796114
Attached patch: Counter proposal
The bug is actually fixed by 851067. But we had an interim solution in bug 844452 and this patch would take it even further. Since the landing of 851067 both patches aren't needed. Therefore I back it out. I added the testcase to be sure we are notified when this bug returns.
Assignee: nicolas.b.pierron → hv1989
Attachment #726413 - Attachment is obsolete: true
Attachment #726413 - Flags: review?(hv1989)
Attachment #726933 - Flags: review?(nicolas.b.pierron)
Attachment #726933 - Flags: review?(nicolas.b.pierron) → review+
(In reply to Hannes Verschore [:h4writer] from comment #8)
> Thanks,
> https://hg.mozilla.org/integration/mozilla-inbound/rev/bbb0081483d9

https://hg.mozilla.org/mozilla-central/rev/bbb0081483d9
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
I assume Firefox 21 is unaffected here based on regression dates.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security