Closed Bug 905986 Opened 7 years ago Closed 7 years ago

Assertion failure: in->type() == MIRType_Double, at jit/IonAnalysis.cpp:542

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
mozilla26
Tracking Status
firefox23 --- unaffected
firefox24 --- unaffected
firefox25 + fixed
firefox26 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: shu)


Attachments

(3 files)

The following testcase asserts on mozilla-central revision 1ed5a88cd4d0 (run with --fuzzing-safe --ion-eager):


function testPartition() {
  // 0.1 is always truthy, so the right-hand operand is never evaluated:
  // the `new testPartition()` edge is a cold path into the merge point.
  if(0.1 || new testPartition()) {}
}
testPartition();
Is there a regressing changeset for this?

Could some IM person look at this?  It has sat here for about a week.
Flags: needinfo?(jdemooij)
The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/471dcc138dfe
user:        Shu-yu Guo
date:        Fri Aug 02 08:24:56 2013 -0700
summary:     Bug 898576 - Ignore cold phi inputs when specializing phi types.
Flags: needinfo?(shu)
Probably my fault, I'll take this.
Assignee: general → shu
Flags: needinfo?(shu)
Flags: needinfo?(jdemooij)
Attached patch: fix + testcase
This is because the special double case for specializing phis wasn't updated correctly to understand the new phi type specialization.

Fold the special double case into the general case in adjustPhiInputs, converting int32 operands to doubles all the time.
Attachment #796390 - Flags: review?(jdemooij)
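The following is a small C++ model, added here to illustrate the mechanism behind the testcase above and the fix described in this comment; it is not SpiderMonkey's IonAnalysis.cpp, and the type set, the per-edge "cold" flag and the two conversion kinds are assumptions. It shows why a phi whose type is chosen from hot inputs only can end up with a cold operand of a different type, why a "special double case" that expects every operand to be Int32 or Double then fails, and how folding that case into the general adjustment (Int32 gets a ToDouble, anything else gets a box plus fallible unbox that bails out if the cold path ever runs with the wrong type) keeps the phi consistent.

```cpp
#include <cassert>
#include <cstdio>
#include <utility>
#include <vector>

// Toy model of phi type specialization and operand adjustment (assumed names).
enum class MIRType { Int32, Double, Object, Value };
enum class Conv { None, ToDouble, BoxThenFallibleUnbox };

struct Operand {
    MIRType type;   // type of the definition flowing in on this edge
    bool cold;      // true when the incoming edge is rarely or never executed
    Conv conv;      // conversion inserted in front of the phi for this edge
};

struct Phi {
    std::vector<Operand> inputs;
    MIRType type;
};

Phi makePhi(std::vector<Operand> inputs) {
    Phi phi;
    phi.inputs = std::move(inputs);
    phi.type = MIRType::Value;
    return phi;
}

// Choose the phi's type from its hot inputs only; cold inputs are ignored,
// as the regressing change does. Int32 and Double merge to Double; any
// other disagreement falls back to Value.
MIRType specializePhi(const Phi& phi) {
    bool seen = false;
    MIRType t = MIRType::Value;
    for (const Operand& in : phi.inputs) {
        if (in.cold) continue;
        if (!seen) { t = in.type; seen = true; continue; }
        if (in.type == t) continue;
        bool bothNumeric = (t == MIRType::Int32 || t == MIRType::Double) &&
                           (in.type == MIRType::Int32 || in.type == MIRType::Double);
        if (bothNumeric) { t = MIRType::Double; continue; }
        return MIRType::Value;
    }
    return t;
}

// The old "special double case": once a phi is Double, every operand is
// assumed to be Int32 or Double. Returns false where such code would assert,
// i.e. when a cold operand of some other type was never considered.
bool adjustPhiInputsSpecialDouble(Phi& phi) {
    assert(phi.type == MIRType::Double);
    for (Operand& in : phi.inputs) {
        if (in.type == MIRType::Double) continue;
        if (in.type == MIRType::Int32) { in.conv = Conv::ToDouble; continue; }
        return false;  // an operand that is neither Int32 nor Double
    }
    return true;
}

// The folded general case: every operand that does not already match the
// phi's type gets a conversion, hot or cold. Int32 -> Double is a plain
// ToDouble; anything else is boxed and re-unboxed with a fallible unbox that
// bails out at run time if the edge is ever taken with the wrong type.
bool adjustPhiInputsGeneral(Phi& phi) {
    if (phi.type == MIRType::Value) return true;  // boxing is out of scope here
    for (Operand& in : phi.inputs) {
        if (in.type == phi.type) continue;
        if (phi.type == MIRType::Double && in.type == MIRType::Int32)
            in.conv = Conv::ToDouble;
        else
            in.conv = Conv::BoxThenFallibleUnbox;
    }
    return true;
}

// Constructed phi shaped like the testcase: the hot edge carries the double
// 0.1, the cold edge carries the object from `new testPartition()`.
Phi testcasePhi() {
    return makePhi({{MIRType::Double, false, Conv::None},
                    {MIRType::Object, true, Conv::None}});
}

int main() {
    Phi phi = testcasePhi();
    phi.type = specializePhi(phi);
    std::printf("specialized as Double: %d\n", phi.type == MIRType::Double);
    std::printf("special double case survives: %d\n", adjustPhiInputsSpecialDouble(phi));
    Phi fixed = testcasePhi();
    fixed.type = specializePhi(fixed);
    adjustPhiInputsGeneral(fixed);
    std::printf("cold operand gets box+fallible unbox: %d\n",
                fixed.inputs[1].conv == Conv::BoxThenFallibleUnbox);
    return 0;
}
```

The key point is in `adjustPhiInputsGeneral`: it never looks at `cold`, so the temperature heuristic used when choosing the phi's type cannot leave an operand unconverted.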
Comment on attachment 796390 [details] [diff] [review]
fix + testcase

Review of attachment 796390 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch.
Attachment #796390 - Flags: review?(jdemooij) → review+
We should land this on aurora as well.
Sounds kind of bad.  Feel free to upgrade if it is really bad or whatever.
Keywords: sec-moderate
Comment on attachment 796390 [details] [diff] [review]
fix + testcase

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 898576
User impact if declined: Possible exploit in JIT code
Testing completed (on m-c, etc.): Waiting on m-c
Risk to taking this patch (and alternatives if risky): None
String or IDL/UUID changes made by this patch:
Attachment #796390 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/65599e610d98
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Attachment #796390 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Needs a branch-specific patch for uplift.
Flags: needinfo?(shu)
Attached patch: aurora patch
This incorporates bug 901391, which wasn't uplifted and is thus causing the conflict.
Flags: needinfo?(shu)
Group: core-security