Closed Bug 911708 Opened 6 years ago Closed 6 years ago

Assertion failure: !isFloat(), at jit/RegisterSets.h

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla26
Tracking Status
firefox25 --- unaffected
firefox26 --- fixed
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: gkw, Assigned: efaust)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

Attachments

(4 files)

Attached file stack
function x() {
    yield x
}
new(x)
ParallelArray([7247], function() {
    --x
    eval("")
})

asserts js debug threadsafe shell on m-c changeset 1179318fb5aa without any CLI arguments at Assertion failure: !isFloat(), at jit/RegisterSets.h

My configure flags are:
LD=ld CROSS_COMPILE=1 CXX="clang++ -Qunused-arguments -arch i386" RANLIB=ranlib CC="clang -Qunused-arguments -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments" HOST_CXX="clang++ -Qunused-arguments" sh ./configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-threadsafe --with-ccache <some NSPR compile flags, or use --with-system-nspr>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c1ccfd8f31bf
user:        Eric Faust
date:        Fri Aug 30 18:50:36 2013 -0700
summary:     Bug 824393 - Part 0: Open SetPropertyIC to cases with uncertain TI. (r=bhackett)

(s-s because the stack has a weird memory address (jit code?) on the stack, 0x015d38ec) Eric, is bug 824393 probably related?
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7ff96bd19c1c).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore,bisectfix]
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/abb25a18b5a5
user:        Brian Hackett
date:        Mon Sep 02 10:05:27 2013 -0700
summary:     Bug 906788 - Construct TypeObject newScript information using MIR, r=jandem.

Eric, you mentioned this bug may not actually be fixed yet. Is bug 906788 likely part of the equation?
Whiteboard: [jsbugmon:update,ignore,bisectfix] → [jsbugmon:update,ignore]
Flags: needinfo?(efaustbmo)
Attached patch FixSplinter Review
Ok, this seems to fix the problem.

Gary, I'm not sure exactly how Brian's work influences how TI is kept, but it's very likely to have just steered us away from this case. At any rate, this patch ensures that we no longer try to guardTypeSet with a TypedOrValueRegister known to be a float, as we can check that statically against the typeset before generation.

Brian, is this change consistent in correctness with the changes in the bug above? It seems better than what we had.

If not, at least the fact that I misapplied a nit previously (the TypeObject guard was too restrictively generated), should be fixed.
Assignee: general → efaustbmo
Status: NEW → ASSIGNED
Attachment #799168 - Flags: review?(bhackett1024)
Marking high because it is JIT badness...
Keywords: sec-high
Attachment #799168 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/1b8cee26584d
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.