Closed Bug 901391 Opened 12 years ago Closed 12 years ago

Assertion failure: ins->type() == MIRType_Value, at ../ion/MIR.h:2156

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla26
Tracking Status
firefox25 --- unaffected
firefox26 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: decoder, Assigned: shu)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

The following testcase asserts on mozilla-central revision 0a63cd911b4f (run with --fuzzing-safe --ion-eager):

function testPartition() {
  if( "null" || new testPartition()) {}
}
testPartition();
S-s because these type failures can be security-related.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/471dcc138dfe
user: Shu-yu Guo
date: Fri Aug 02 08:24:56 2013 -0700
summary: Bug 898576 - Ignore cold phi inputs when specializing phi types. (r=jandem)

This iteration took 344.603 seconds to run.
Needinfo from Shu based on comment 3 :)
Flags: needinfo?(shu)
Attached patch fix + testcase (obsolete) — Splinter Review
Jan, I wasn't aware that MIR with empty observed type sets could be anything but Value (but it makes sense of course, constants and whatnot).
Assignee: general → shu
Attachment #785841 - Flags: review?(jdemooij)
Flags: needinfo?(shu)
Comment on attachment 785841 [details] [diff] [review] fix + testcase Review of attachment 785841 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonAnalysis.cpp @@ +556,5 @@ > + // Otherwise we need to bail out, since we know this branch > + // will fail to convert to phiType. > + MBail *bail = MBail::New(); > + in->block()->insertBefore(in->block()->lastIns(), bail); > + phi->replaceOperand(i, bail); MBail doesn't really return anything (it has MIRType_None). I think it's simpler to keep the old code and insert an MBox right before the MUnbox if in->type() != MIRType_Value. It's a bit lame but since we will invalidate before we reach this code it doesn't really matter. ::: js/src/jit-test/tests/ion/bug901391.patch @@ +1,1 @@ > +function testPartition() { bug901391.patch -> bug901391.js
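Review bot: In the IonAnalysis.cpp hunk, the new MBail is inserted before the last instruction of in->block(), which is the block that defines the operand and need not be the predecessor that feeds operand i of the phi. If control can leave that block toward somewhere other than this phi, those paths would hit the bailout too. Consider placing the instruction in the predecessor block that corresponds to operand i, and extending the comment to say why the conversion to phiType is known to fail here, since the condition guarding this branch is not stated in the added lines.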
Attachment #785841 - Flags: review?(jdemooij)
Good catches, thanks.
Attachment #785841 - Attachment is obsolete: true
Attachment #786586 - Flags: review?(jdemooij)
Comment on attachment 786586
Part 1: Add ThreadSafeContext v2

Review of attachment 786586:
-----------------------------------------------------------------

Nice, thanks.
Attachment #786586 - Flags: review?(jdemooij) → review+
Keywords: sec-high
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Flags: in-testsuite+
Target Milestone: --- → mozilla26
Group: core-security