Assertion failure: (ptrBits & 0x7) == 0, at ../dist/include/js/Value.h with --ion-regalloc=backtracking

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Opened 5 years ago, last changed 4 years ago

Reporter: gkw
Assignee: Unassigned

Blocks: 1 bug
Version: Trunk
Platform: x86_64, Mac OS X
Keywords: assertion, regression, sec-high, testcase

Firefox Tracking Flags: firefox22 unaffected, firefox23 unaffected, firefox24 fixed, firefox-esr17 unaffected, b2g18 unaffected

(Reporter)

Description

5 years ago
Created attachment 751226: stack

(function () {
    eval("\
        'a'.replace(/a/, arguments.callee)\
    ")
})()

asserts js debug shell on m-c changeset 5c240ee646fb with --ion-eager --no-jm --ion-regalloc=backtracking at Assertion failure: (ptrBits & 0x7) == 0,

s-s because this assertion is scary.

Full configuration command with needed environment variables is:
CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe  --with-ccache

Not sure if --enable-threadsafe or --with-system-nspr is needed, I had removed some threadsafe-specific flags that were pointing to specific directories on my computer.
Flags: needinfo?(bhackett1024)
(Reporter)

Comment 1

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   129263:d12788533ab7
user:        Kannan Vijayan
date:        Thu Apr 18 16:47:25 2013 -0400
summary:     Bug 860145 - Allow Ion to compile functions which require heavyweight arguments-object construction. r=jandem r=nbp

OK, now I'm not sure what caused this.
(Reporter)

Updated

5 years ago
Flags: needinfo?(kvijayan)
Marking sec-high because that assertion is often bad.

Gary, does this still reproduce?  Bug 860145 was relanded with some fixes, so maybe this has gone away.
Flags: needinfo?(gary)
Keywords: sec-high
(Reporter)

Comment 3

5 years ago
> Gary, does this still reproduce?  Bug 860145 was relanded with some fixes,
> so maybe this has gone away.

I can still reproduce with m-c rev c21ef3664c67 (a recent tip).

--enable-more-deterministic and --enable-threadsafe are not needed.
Flags: needinfo?(gary)
(Reporter)

Comment 4

5 years ago
An even more recent landing in bug 868206 may have fixed this.

Verifying with autoBisect now.
Flags: needinfo?(kvijayan)
Flags: needinfo?(bhackett1024)
(Reporter)

Comment 5

5 years ago
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   132599:3bfbd1ed214d
user:        Brian Hackett
date:        Tue May 21 21:40:44 2013 -0600
summary:     Bug 868206 - Various fixes for the backtracking register allocator, r=jandem.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
status-b2g18: --- → unaffected
status-firefox22: --- → unaffected
status-firefox23: --- → unaffected
status-firefox24: --- → fixed
status-firefox-esr17: --- → unaffected
(Reporter)

Updated

5 years ago
Blocks: 826741
Group: core-security