IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1823 or Crash [@ getInterval]

VERIFIED FIXED in Firefox 22



JavaScript Engine
5 years ago
5 years ago


(Reporter: decoder, Assigned: h4writer)


(Blocks: 2 bugs, {assertion, crash, testcase})

assertion, crash, testcase
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox21 unaffected, firefox22+ fixed, firefox23+ verified, firefox-esr17 unaffected, b2g18 unaffected)


(Whiteboard: [jsbugmon:update][adv-main22-], crash signature)


(1 attachment)



5 years ago
The following testcase asserts on mozilla-central revision 55f9e3e3dae7 (run with --ion-eager):

function TestCase(e, a) {
  getTestCaseResult(e, a);
function reportCompare (expected, actual) {
  new TestCase(expected, actual);
function enterFunc() {}
function getTestCaseResult(expected, actual) {
  return actual == expected;
reportCompare('', '');
function test() {\

Comment 1

5 years ago
This seems to be a different failure than the other MIRType_Value asserts that were filed. The opt-build seems to crash with a null-deref:

Program received signal SIGSEGV, Segmentation fault.
0x000000000073f7ef in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
404             return intervals_[i];
(gdb) bt
#0  0x000000000073f7ef in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
#1  js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo (this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.cpp:699
#2  0x0000000000738078 in js::ion::LinearScanAllocator::go (this=0x7fffffffb9d0) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1137
#3  0x00000000006dd357 in js::ion::GenerateLIR (mir=0xc0a2d8) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1114
#4  0x00000000006e0a46 in CompileBackEnd (mir=0xc0a2d8, maybeMasm=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1194
#5  compile (autoDelete=<synthetic pointer>, builder=0xc0a2d8, this=<optimized out>, graph=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1386
#6  js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0xc0d1b0, script=0xc0a2d8, fun=(JSFunction *) 0x7ffff6047100 [object Function "test"], osrPc=0x0, constructing=false, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1327
#7  0x00000000006e0c28 in js::ion::Compile<js::ion::SequentialCompileContext> (cx=<optimized out>, script=0x7ffff60385d8, fun=..., osrPc=<optimized out>, constructing=<optimized out>, compileContext=...)
    at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1557
#8  0x00000000006e11a8 in js::ion::CompileFunctionForBaseline (cx=0xc0d1b0, script=0x7ffff60385d8, fp=..., isConstructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1685
#9  0x00000000008329fa in EnsureCanEnterIon (jitcodePtr=<synthetic pointer>, pc=0xc66698  <incomplete sequence \323>, script=0x7ffff60385d8, frame=0x7fffffffbf68, cx=0xc0d1b0, stub=<optimized out>)
    at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:650
#10 DoUseCountFallback (infoPtr=0x7fffffffbf40, frame=0x7fffffffbf68, stub=<optimized out>, cx=0xc0d1b0) at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:834
#11 js::ion::DoUseCountFallback (cx=0xc0d1b0, stub=<optimized out>, frame=0x7fffffffbf68, infoPtr=0x7fffffffbf40) at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:793
#12 0x00007ffff7f96c2e in ?? ()
(gdb) x /i $pc
=> 0x73f7ef <js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo()+2895>:        mov    (%rax),%rax
(gdb) info reg rax
rax            0x0      0

Marking s-s though until confirmed to be harmless.
Crash Signature: [@ getInterval]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]


5 years ago
Blocks: 724444
Summary: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1823 or Crash [@ getInterval] → IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1823 or Crash [@ getInterval]

Comment 2

5 years ago
Created attachment 734029 [details] [diff] [review]
Potential fix

This reintroduces a milder version of the check I removed in Bug 849781. This should normally be sufficient and fixes this bug.
@decoder: you said you had other testcase versions of this bug. Could you test if this milder version fixes those too? If not I might go with the full check, but I want to know when these happen, to be sure...
Assignee: general → hv1989
Attachment #734029 - Flags: feedback?(choller)

Comment 3

5 years ago
Comment on attachment 734029 [details] [diff] [review]
Potential fix

I don't have any other reduced tests that differed based on the stack. Just go ahead and land this :) If this doesn't fix all the bugs, then some will keep popping up in the fuzzer.
Attachment #734029 - Flags: feedback?(choller)

Comment 4

5 years ago
Comment on attachment 734029 [details] [diff] [review]
Potential fix

Thanks decoder

I forgot I enabled inlining unknown argument types. That means we need to make sure they are boxed.

@nbp: The full condition you had would also fix it, but I want to be sure that if there are other cases we know about it... 

(The change in jsinfer.cpp is unrelated, but definitely wrong)
Attachment #734029 - Flags: review?(nicolas.b.pierron)


5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 5

5 years ago
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   122584:b831500ca4be
user:        David Anderson
date:        Thu Feb 21 13:52:09 2013 -0800
summary:     Prevent GC from occuring during IC linking (bug 837714, r=bhackett).

changeset:   122585:437c955ff06d
user:        Nicolas B. Pierron
date:        Wed Jan 30 07:41:01 2013 -0800
summary:     Bug 796114 - Inline with type-checked arguments. r=h4writer

changeset:   122586:5054f997ef77
user:        Gregory Szorc
date:        Thu Feb 21 14:11:54 2013 -0800
summary:     Bug 841074 - Statically declare fields on FHR measurements; r=rnewman

changeset:   122587:6c126d076b0d
user:        Phil Ringnalda
date:        Thu Feb 21 14:26:04 2013 -0800
summary:     Back out b831500ca4be (bug 837714) for bustage

This iteration took 133.350 seconds to run.
Attachment #734029 - Flags: review?(nicolas.b.pierron) → review+
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox23: --- → affected
tracking-firefox22: --- → ?
tracking-firefox23: --- → ?

Comment 6

5 years ago

(I'll land the testcase after uplifting to FF22)
I backed this out from inbound, as it appears to have triggered assertions in check-jit-test across Linux/OSX/Win.

See for example (linux) (linux64) (osx) (win32)

Typical log:
TEST-UNEXPECTED-FAIL | /builds/slave/m-in-lx-d-00000000000000000000/build/js/src/jit-test/tests/debug/Frame-onPop-multiple-01.js | --no-baseline --ion-eager: Assertion failure: !unknownObject(), at ../../../js/src/jsinferinlines.h:1519
TEST-UNEXPECTED-FAIL | /builds/slave/m-in-lx-d-00000000000000000000/build/js/src/jit-test/tests/ion/bug835496.js | --no-baseline --ion-eager: Assertion failure: !unknownObject(), at ../../../js/src/jsinferinlines.h:1519
make[1]: *** [check-jit-test] Error 2
make: *** [check] Error 2

Comment 8

5 years ago
Thanks for reporting. This is definitely the unrelated change I did to jsinfer.cpp. So I've pushed this without that fix.

I'll investigate the assert and create a new bug for the obvious fault in jsinfer.cpp, that I couldn't fix along with this.
Last Resolved: 5 years ago
status-firefox23: affected → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla23


5 years ago

Comment 10

5 years ago
JSBugMon: This bug has been automatically verified fixed.

Comment 11

5 years ago
Comment on attachment 734029 [details] [diff] [review]
Potential fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 796114

User impact if declined: crashes during IonMonkey compilation

Testing completed (on m-c, etc.): m-i, 1 day, m-c few hours

Risk to taking this patch (and alternatives if risky): None. A heavier version of this check has been in the tree a few weeks ago.

String or IDL/UUID changes made by this patch: /
Attachment #734029 - Flags: approval-mozilla-aurora?
Comment on attachment 734029 [details] [diff] [review]
Potential fix

Since this is low risk, approving for Aurora.

Before tracking, we'll need to understand whether we actually think this will have critical user impact (security, functionally, etc.).
Attachment #734029 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status-firefox22: affected → fixed


5 years ago
tracking-firefox22: ? → +
tracking-firefox23: ? → +
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security
Marking status-firefox23:verified based on comment 10.
status-firefox23: fixed → verified
You need to log in before you can comment on or make changes to this bug.