901455 - Uninitialised value use in js::ion::Range::set(long, long, bool, unsigned short)

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Julian Seward [:jseward]]

This is on x86_64-linux, after running quite a while.  STR unclear.
Will try and get better STR if you haven't seen this one already.
This is trunk of 2 Aug 2013, compiled opt and debug.

 Conditional jump or move depends on uninitialised value(s)
    at 0x83CD0F1: js::ion::Range::set(long, long, bool, unsigned short) (RangeAnalysis.h:234)
    by 0x83D04C3: js::ion::Range::Range(js::ion::MDefinition const*) (RangeAnalysis.cpp:387)
    by 0x83D0BED: js::ion::MSub::computeRange() (RangeAnalysis.cpp:1032)
    by 0x83D5B23: js::ion::RangeAnalysis::analyze() (RangeAnalysis.cpp:1602)
    by 0x82F91B1: js::ion::OptimizeMIR(js::ion::MIRGenerator*) (Ion.cpp:1099)
    by 0x82FA2DD: js::ion::CompileBackEnd(js::ion::MIRGenerator*, js::ion::MacroAssembler*) (Ion.cpp:1279)
    by 0x82FD2C7: js::ion::IonCompile(JSContext*, JSScript*, js::ion::BaselineFrame*, unsigned char*, bool, js::ion::ExecutionMode) (Ion.cpp:1449)
    by 0x82FD559: js::ion::Compile(JSContext*, JS::Handle<JSScript*>, js::ion::BaselineFrame*, unsigned char*, bool, js::ion::ExecutionMode) (Ion.cpp:1607)
    by 0x82FEAA5: js::ion::CompileFunctionForBaseline(JSContext*, JS::Handle<JSScript*>, js::ion::BaselineFrame*, bool) (Ion.cpp:1759)
    by 0x82C408B: js::ion::DoUseCountFallback(JSContext*, js::ion::ICUseCount_Fallback*, js::ion::BaselineFrame*, js::ion::IonOsrTempData**) (BaselineIC.cpp:706)
    by 0x17211748: ???
    by 0x3D492E9F: ???
 
 Conditional jump or move depends on uninitialised value(s)
    at 0x83CD0F1: js::ion::Range::set(long, long, bool, unsigned short) (RangeAnalysis.h:234)
    by 0x83D04C3: js::ion::Range::Range(js::ion::MDefinition const*) (RangeAnalysis.cpp:387)
    by 0x83D0C06: js::ion::MSub::computeRange() (RangeAnalysis.cpp:1033)
    by 0x83D5B23: js::ion::RangeAnalysis::analyze() (RangeAnalysis.cpp:1602)
    by 0x82F91B1: js::ion::OptimizeMIR(js::ion::MIRGenerator*) (Ion.cpp:1099)
    by 0x82FA2DD: js::ion::CompileBackEnd(js::ion::MIRGenerator*, js::ion::MacroAssembler*) (Ion.cpp:1279)
    by 0x82FD2C7: js::ion::IonCompile(JSContext*, JSScript*, js::ion::BaselineFrame*, unsigned char*, bool, js::ion::ExecutionMode) (Ion.cpp:1449)
    by 0x82FD559: js::ion::Compile(JSContext*, JS::Handle<JSScript*>, js::ion::BaselineFrame*, unsigned char*, bool, js::ion::ExecutionMode) (Ion.cpp:1607)
    by 0x82FEAA5: js::ion::CompileFunctionForBaseline(JSContext*, JS::Handle<JSScript*>, js::ion::BaselineFrame*, bool) (Ion.cpp:1759)
    by 0x82C408B: js::ion::DoUseCountFallback(JSContext*, js::ion::ICUseCount_Fallback*, js::ion::BaselineFrame*, js::ion::IonOsrTempData**) (BaselineIC.cpp:706)
    by 0x17211748: ???
    by 0x3D492E9F: ???

 Conditional jump or move depends on uninitialised value(s)
    at 0x83CD0F1: js::ion::Range::set(long, long, bool, unsigned short) (RangeAnalysis.h:234)
    by 0x83D04C3: js::ion::Range::Range(js::ion::MDefinition const*) (RangeAnalysis.cpp:387)
    by 0x83D0572: js::ion::MToInt32::computeRange() (RangeAnalysis.cpp:1112)
    by 0x83D5B23: js::ion::RangeAnalysis::analyze() (RangeAnalysis.cpp:1602)
    by 0x82F91B1: js::ion::OptimizeMIR(js::ion::MIRGenerator*) (Ion.cpp:1099)
    by 0x82FA2DD: js::ion::CompileBackEnd(js::ion::MIRGenerator*, js::ion::MacroAssembler*) (Ion.cpp:1279)
    by 0x82FD2C7: js::ion::IonCompile(JSContext*, JSScript*, js::ion::BaselineFrame*, unsigned char*, bool, js::ion::ExecutionMode) (Ion.cpp:1449)
    by 0x82FD559: js::ion::Compile(JSContext*, JS::Handle<JSScript*>, js::ion::BaselineFrame*, unsigned char*, bool, js::ion::ExecutionMode) (Ion.cpp:1607)
    by 0x82FF1D4: js::ion::CanEnterAtBranch(JSContext*, JSScript*, js::ion::BaselineFrame*, unsigned char*, bool) (Ion.cpp:1651)
    by 0x82C3FD1: js::ion::DoUseCountFallback(JSContext*, js::ion::ICUseCount_Fallback*, js::ion::BaselineFrame*, js::ion::IonOsrTempData**) (BaselineIC.cpp:703)
    by 0x17211748: ???
    by 0x3E67F66F: ???

Comment 1

[Nicolas B. Pierron [:nbp]]

Got it, I'll submit a patch in a few minutes.

The problem is that we do not set the max_exponent_ before we enter makeLowerInfinite(), which ensure that the max exponents is at least equal to the int32 size.

I don't think it cause any issue right now, as the value of the max_exponent was erased by the value defined in the set() function.

Comment 2

[Nicolas B. Pierron [:nbp]]

Attachment: bug901455.patch

I guess this simple patch will prevent this jump based on uninitialized value, which was caused by the removal of the initialization from the Range::Range(const MDefinition *) constructor.

Comment 3

[Nicolas B. Pierron [:nbp]]

Attachment: bug901455.patch

Hum … Attaching a non-empty patch this time.

Comment 4

[Dan Gohman [:sunfish]]

It's still empty :-}.

Comment 5

[Nicolas B. Pierron [:nbp]]

Attachment: bug901455.patch

Here it is!

Comment 6

[Julian Seward [:jseward]]

Comment on attachment 786994 [details] [diff] [review]
bug901455.patch

LGTM .. with the patch in place I can no longer repro the V errors.

Comment 7

[Dan Gohman [:sunfish]]

Comment on attachment 786994 [details] [diff] [review]
bug901455.patch

Review of attachment 786994 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.

Comment 8

[Nicolas B. Pierron [:nbp]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/9691652b0303

Comment 9

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/9691652b0303