Bug 866706 (Closed) - Opened 7 years ago, Closed 7 years ago

IonMonkey: Assertion failure: mir->type() == MIRType_Value, at ion/x64/Lowering-x64.cpp:19

Categories: Core :: JavaScript Engine, defect, critical
Hardware/OS: x86_64 Linux
Priority: Not set
Severity: critical

Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla23
Tracking Status:
firefox21 --- unaffected
firefox22 --- unaffected
firefox23 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update][adv-main23-])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 05533d50f2f7 (run with --ion-eager):

var MyMath = {
  random: function() {
    this.seed = (this.seed + 0x7ed55d16) & 0xffffffff;
    return (this.seed & 0xfffffff) / 0x10000000;
  }
};
var kSplayTreeSize = 8000;
function GenerateKey() {
  return MyMath.random();
}
function InsertNewNode() {
  do {
    key = GenerateKey();
  } while (splayTree.find(key) != null);
  splayTree.insert(key);
}
splayTree = new SplayTree();
for (var i = 0; i < kSplayTreeSize; i++)
  InsertNewNode();
function SplayTree() {
  SplayTree.prototype.isEmpty = function() {
    return !this.root_;
  };
  SplayTree.prototype.insert = function(key, value) {
    this.root_ = new SplayTree.Node(key, value);
  };
  SplayTree.prototype.find = function(key) {
    if (this.isEmpty()) {
      return null;
    }
    var right = new SplayTree.Node(null, null);
    var current = this.root_;
    while (true) {
      if (key < current.key) {
        right.left = current;
      } else if (key > current.key) {
          break;
      }
      current ^= tmp;
      break;
    }
  };
  SplayTree.Node = function(key, value) {
    this.key = key;
  };
}
Backtrace of the assertion:

Program received signal SIGSEGV, Segmentation fault.
bt
0x0000000000958f01 in js::ion::LIRGeneratorX64::useBox (this=0x7fffffffcd60, lir=0xf5b750, n=0, mir=0xf521c0, policy=<optimized out>, useAtStart=<optimized out>)
    at js/src/ion/x64/Lowering-x64.cpp:19
19          JS_ASSERT(mir->type() == MIRType_Value);
(gdb) bt
#0  0x0000000000958f01 in js::ion::LIRGeneratorX64::useBox (this=0x7fffffffcd60, lir=0xf5b750, n=0, mir=0xf521c0, policy=<optimized out>, useAtStart=<optimized out>)
    at js/src/ion/x64/Lowering-x64.cpp:19
#1  0x00000000008cd15a in js::ion::LIRGenerator::visitMonitorTypes (this=0x7fffffffcd60, ins=0xf53ad0) at js/src/ion/Lowering.cpp:1722
#2  0x00000000008c94a6 in js::ion::LIRGenerator::visitInstruction (this=0x7fffffffcd60, ins=0xf53ad0) at js/src/ion/Lowering.cpp:2659
#3  0x00000000008c9902 in js::ion::LIRGenerator::visitBlock (this=0x7fffffffcd60, block=0xf53498) at js/src/ion/Lowering.cpp:2751
#4  0x00000000008c9f2b in js::ion::LIRGenerator::generate (this=0x7fffffffcd60) at js/src/ion/Lowering.cpp:2827
#5  0x00000000008203b6 in js::ion::GenerateLIR (mir=0xf46320) at js/src/ion/Ion.cpp:1135
#6  0x00000000008222ea in CompileBackEnd (mir=0xf46320, maybeMasm=<optimized out>) at js/src/ion/Ion.cpp:1231
#7  js::ion::SequentialCompileContext::compile (this=<optimized out>, builder=0xf46320, graph=<optimized out>, autoDelete=...) at js/src/ion/Ion.cpp:1427
#8  0x0000000000822afd in js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0xe997f0, script=<optimized out>, fp=..., osrPc=0x0, constructing=<optimized out>, compileContext=...)
    at js/src/ion/Ion.cpp:1367
#9  0x0000000000822e5b in js::ion::Compile<js::ion::SequentialCompileContext> (cx=<optimized out>, script=0x7ffff6739710, fp=..., osrPc=<optimized out>, constructing=<optimized out>, compileContext=...)
    at js/src/ion/Ion.cpp:1598
#10 0x0000000000823735 in js::ion::CompileFunctionForBaseline (cx=0xe997f0, script=0x7ffff6739710, fp=..., isConstructing=false) at js/src/ion/Ion.cpp:1734
#11 0x0000000000a02707 in EnsureCanEnterIon (jitcodePtr=<synthetic pointer>, pc=<optimized out>, script=0x7ffff6739710, frame=0x7fffffffd1b8, cx=0xe997f0, stub=<optimized out>)
    at js/src/ion/BaselineIC.cpp:661
#12 DoUseCountFallback (infoPtr=0x7fffffffd180, frame=0x7fffffffd1b8, stub=<optimized out>, cx=0xe997f0) at js/src/ion/BaselineIC.cpp:844
#13 js::ion::DoUseCountFallback (cx=0xe997f0, stub=<optimized out>, frame=0x7fffffffd1b8, infoPtr=0x7fffffffd180) at js/src/ion/BaselineIC.cpp:803
#14 0x00007ffff7e17318 in ?? ()


S-s because previous similar assertions were problematic.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   129970:ebf1b0f1920c
user:        Brian Hackett
date:        Thu Apr 25 14:44:44 2013 -0600
summary:     Bug 865635 - Use MMonitorTypes instead of MTypeBarrier for type write barriers, r=dvander.

This iteration took 145.045 seconds to run.
Attached patch: patch
MMonitorTypes needs to make sure it has a boxed input.
Attachment #743557 - Flags: review?(dvander)
Attachment #743557 - Flags: review?(dvander) → review+
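As an added illustration (not SpiderMonkey code, and not the patch attached to this bug), the toy model below shows the invariant the failing assertion checks and the shape of the fix described in the comment above. In IonMonkey's lowering, useBox() only accepts an operand of MIRType_Value, so a type write barrier such as MMonitorTypes must guarantee that its input is boxed before it reaches lowering. The names MirType, MDef, makeBox, ensureBoxedInput and lowerMonitorTypes are assumptions made for this example and are not the engine's API; the MIR fragment is constructed to resemble the `current ^= tmp` line of the testcase, where a bitwise operator turns a loop-carried object reference into an int32.

```cpp
// Added example: a toy model of IonMonkey's useBox() invariant and of the
// "monitor must have a boxed input" fix. Names are illustrative, not the
// engine's real classes.
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

enum class MirType { Int32, Double, Object, Value };

struct MDef {
    std::string op;          // instruction name, e.g. "bitxor", "box"
    MirType type;            // static result type assigned by type inference
    std::vector<MDef*> in;   // operands
};

// Model of LIRGeneratorX64::useBox: the operand must already be a boxed
// Value. The engine uses JS_ASSERT here; if the check were compiled out,
// an unboxed payload (e.g. a raw int32) would be read as a tagged Value,
// which is the kind of type confusion the sec-high rating reflects.
void useBox(const MDef& operand) {
    if (operand.type != MirType::Value)
        throw std::logic_error("useBox: operand is not MIRType_Value: " + operand.op);
}

// Wrap an unboxed definition in a box instruction (an MBox-like node).
std::unique_ptr<MDef> makeBox(MDef* unboxed) {
    return std::unique_ptr<MDef>(new MDef{"box", MirType::Value, {unboxed}});
}

// The fix pattern: the type monitor must guarantee a boxed input. Returns
// the operand the monitor should use; `pool` owns any box that was created.
MDef* ensureBoxedInput(MDef* input, std::vector<std::unique_ptr<MDef>>& pool) {
    if (input->type == MirType::Value)
        return input;
    pool.push_back(makeBox(input));
    return pool.back().get();
}

// Lower a MonitorTypes node with or without the fix. Returns true when
// lowering succeeds and false when the useBox invariant is violated.
bool lowerMonitorTypes(MDef* input, bool applyFix) {
    std::vector<std::unique_ptr<MDef>> pool;
    MDef* operand = applyFix ? ensureBoxedInput(input, pool) : input;
    try {
        useBox(*operand);
    } catch (const std::logic_error&) {
        return false;
    }
    return true;
}

// Constructed MIR fragment resembling the testcase: `current` starts out as
// an object (a SplayTree.Node), `current ^= tmp` produces an int32 whatever
// the operands were, and that int32 then flows into the type monitor.
bool lowerTestcaseLikeMonitor(bool applyFix) {
    MDef currentObj{"newobject", MirType::Object, {}};
    MDef tmp{"getgname tmp", MirType::Value, {}};
    MDef xorResult{"bitxor", MirType::Int32, {&currentObj, &tmp}};
    return lowerMonitorTypes(&xorResult, applyFix);
}

// An input that is already a Value must be passed through untouched: no
// extra box node should be inserted.
bool valueInputIsPassedThrough() {
    std::vector<std::unique_ptr<MDef>> pool;
    MDef v{"loadslot", MirType::Value, {}};
    return ensureBoxedInput(&v, pool) == &v && pool.empty();
}

int main() {
    // Unfixed: the int32 from the xor reaches useBox and trips the check.
    // Fixed: a box is inserted first and lowering succeeds.
    return (!lowerTestcaseLikeMonitor(false) && lowerTestcaseLikeMonitor(true) &&
            valueInputIsPassedThrough()) ? 0 : 1;
}
```

The model deliberately keeps the check as a hard failure rather than silently boxing inside useBox(): the assertion is the last line of defence, and the fix belongs at the point where the monitor instruction is built, which is where the attached patch places it according to the comment above.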
I'm assuming the regression range in comment 2 is right.

Type confusion sounds bad, so I'm marking this sec-high.  Feel free to adjust as desired.
Assignee: general → bhackett1024
https://hg.mozilla.org/mozilla-central/rev/120ca4a6afc3
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Marking status-firefox23:verified based on comment 7.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main23-]
Group: core-security