Closed Bug 905986 Opened 12 years ago Closed 12 years ago

Assertion failure: in->type() == MIRType_Double, at jit/IonAnalysis.cpp:542

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla26
Tracking Flags:
Tracking Status
firefox23 --- unaffected
firefox24 --- unaffected
firefox25 + fixed
firefox26 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: shu)

References

Details

(4 keywords)

Attachments

(3 files)

[crash-signature] Machine-readable crash signature
637 bytes, text/plain
Details
fix + testcase
4.20 KB, patch
jandem
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review
aurora patch
3.76 KB, patch
Details | Diff | Splinter Review
The following testcase asserts on mozilla-central revision 1ed5a88cd4d0 (run with --fuzzing-safe --ion-eager): function testPartition() { if(0.1 || new testPartition()) {} } testPartition();
Is there a regressing changeset for this? Could some IM person look at this? It has sat here for about a week.
Flags: needinfo?(jdemooij)
The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/471dcc138dfe user: Shu-yu Guo date: Fri Aug 02 08:24:56 2013 -0700 summary: Bug 898576 - Ignore cold phi inputs when specializing phi types.
Flags: needinfo?(shu)
Probably my fault, I'll take this.
Assignee: general → shu
Flags: needinfo?(shu)
Flags: needinfo?(jdemooij)
Attached patch fix + testcaseSplinter Review
This is because the special double case for specializing phis wasn't updated correctly to understand the new phi type specialization. Fold the special double case into the general case in adjustPhiInputs, converting int32 operands to doubles all the time.
Attachment #796390 - Flags: review?(jdemooij)
Comment on attachment 796390 [details] [diff] [review] fix + testcase Review of attachment 796390 [details] [diff] [review]: ----------------------------------------------------------------- Nice catch.
Attachment #796390 - Flags: review?(jdemooij) → review+
We should land this on aurora as well.
status-firefox23: --- → unaffected
status-firefox24: --- → unaffected
status-firefox25: --- → affected
status-firefox26: --- → affected
tracking-firefox25: --- → ?
tracking-firefox26: --- → ?
Sounds kind of bad. Feel free to upgrade if it is really bad or whatever.
Keywords: sec-moderate
Comment on attachment 796390 [details] [diff] [review] fix + testcase [Approval Request Comment] Bug caused by (feature/regressing bug #): 898576 User impact if declined: Possible exploit in JIT code Testing completed (on m-c, etc.): Waiting on m-c Risk to taking this patch (and alternatives if risky): None String or IDL/UUID changes made by this patch:
Attachment #796390 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/65599e610d98
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox26: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Attachment #796390 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Needs a branch-specific patch for uplift.
Flags: needinfo?(shu)
Keywords: branch-patch-needed
Attached patch aurora patchSplinter Review
This incorporates bug 901391, which wasn't uplifted and is thus causing the conflict.
Flags: needinfo?(shu)
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: