Assertion failure: !isFloat(), at jit/RegisterSets.h

VERIFIED FIXED in Firefox 26

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
4 years ago
3 years ago

People

(Reporter: gkw, Assigned: efaust)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla26
x86
Mac OS X
assertion, regression, sec-high, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox25 unaffected, firefox26 fixed, firefox27 fixed, firefox-esr17 unaffected, firefox-esr24 unaffected, b2g18 unaffected)

Details

(Whiteboard: [jsbugmon:update,ignore])

Attachments

(4 attachments)

(Reporter)

Description

4 years ago
Created attachment 798436 [details]
stack

function x() {
    yield x
}
new(x)
ParallelArray([7247], function() {
    --x
    eval("")
})

asserts js debug threadsafe shell on m-c changeset 1179318fb5aa without any CLI arguments at Assertion failure: !isFloat(), at jit/RegisterSets.h

My configure flags are:
LD=ld CROSS_COMPILE=1 CXX="clang++ -Qunused-arguments -arch i386" RANLIB=ranlib CC="clang -Qunused-arguments -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments" HOST_CXX="clang++ -Qunused-arguments" sh ./configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-threadsafe --with-ccache <some NSPR compile flags, or use --with-system-nspr>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c1ccfd8f31bf
user:        Eric Faust
date:        Fri Aug 30 18:50:36 2013 -0700
summary:     Bug 824393 - Part 0: Open SetPropertyIC to cases with uncertain TI. (r=bhackett)

(s-s because the stack has a weird memory address (jit code?) on the stack, 0x015d38ec) Eric, is bug 824393 probably related?
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7ff96bd19c1c).
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore,bisectfix]
(Reporter)

Comment 2

4 years ago
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/abb25a18b5a5
user:        Brian Hackett
date:        Mon Sep 02 10:05:27 2013 -0700
summary:     Bug 906788 - Construct TypeObject newScript information using MIR, r=jandem.

Eric, you mentioned this bug may not actually be fixed yet. Is bug 906788 likely part of the equation?
Whiteboard: [jsbugmon:update,ignore,bisectfix] → [jsbugmon:update,ignore]
(Assignee)

Updated

4 years ago
Flags: needinfo?(efaustbmo)
(Assignee)

Comment 3

4 years ago
Created attachment 799168 [details] [diff] [review]
Fix

Ok, this seems to fix the problem.

Gary, I'm not sure exactly how Brian's work influences how TI is kept, but it's very likely to have just steered us away from this case. At any rate, this patch ensures that we no longer try to guardTypeSet with a TypedOrValueRegister known to be a float, as we can check that statically against the typeset before generation.

Brian, is this change consistent in correctness with the changes in the bug above? It seems better than what we had.

If not, at least the fact that I misapplied a nit previously (the TypeObject guard was too restrictively generated), should be fixed.
Assignee: general → efaustbmo
Status: NEW → ASSIGNED
Attachment #799168 - Flags: review?(bhackett1024)
Marking high because it is JIT badness...
Keywords: sec-high
Created attachment 801497 [details]
[crash-signature] Machine-readable crash signature
Attachment #799168 - Flags: review?(bhackett1024) → review+
Created attachment 802235 [details]
[crash-signature] Machine-readable crash signature
(Assignee)

Comment 8

4 years ago
https://hg.mozilla.org/mozilla-central/rev/1b8cee26584d
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
status-b2g18: --- → unaffected
status-firefox25: --- → unaffected
status-firefox26: --- → fixed
status-firefox27: --- → fixed
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Group: core-security
You need to log in before you can comment on or make changes to this bug.