IonMonkey: Crash [@ js::jit::MTruncateToInt32::accept] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp

VERIFIED FIXED in Firefox 26, Firefox OS v1.2

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: bbouvier)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla27
x86
Windows 8
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox24 unaffected, firefox25 unaffected, firefox26 fixed, firefox27 fixed, firefox-esr17 unaffected, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.2 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 804054 [details]
debug and opt stacks

x = {};
x.toString = (function(stdlib, heap) {
    Int8ArrayView = stdlib.Int8Array(heap);
    Float32ArrayView = stdlib.Float32Array(heap);
    function f() {
        Int8ArrayView[0] = Float32ArrayView[0]
    }
    return f
})(this, ArrayBuffer);
x + 1

asserts js debug shell on m-c changeset c38b60b9063e with --ion-eager at Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp and crashes js opt shell at js::jit::MTruncateToInt32::accept

I tested that the opt crash happens on Windows 8. Setting needinfo from bbouvier since I just spoke to him in-person about this.

My configure flags are:

Opt shell:

--enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>

Debug shell:

--enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>
Flags: needinfo?(bbouvier)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/a43cf13bd6a6
user:        Benjamin Bouvier
date:        Thu Jul 18 15:13:15 2013 -0700
summary:     Bug 888109: Float32 general optimizations for IonMonkey: framework and arithmetic operations; r=sstangl,nbp

This iteration took 0.976 seconds to run.
(Assignee)

Comment 2

5 years ago
Not a Odin bug as the outer function doesn't contain the "use asm" token, but still a very good catch :)
A patch in bug 913282 fixes that behavior, it should land early next week.
Summary: OdinMonkey: Crash [@ js::jit::MTruncateToInt32::accept] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp → IonMonkey: Crash [@ js::jit::MTruncateToInt32::accept] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp
(Reporter)

Updated

5 years ago
status-firefox24: --- → unaffected
status-firefox25: --- → unaffected
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
(Assignee)

Comment 3

5 years ago
Created attachment 808769 [details] [diff] [review]
bug915903.patch

Looks like the ARM patches are now needed and blocking progression of bug 913282, so here is a workaround that just converts Float32 to Doubles before storing them in an Int*Array.

The TruncateToInt32 patch of bug 913282 will remove this part.
Assignee: general → bbouvier
Status: NEW → ASSIGNED
Attachment #808769 - Flags: review?(sstangl)
Flags: needinfo?(bbouvier)
(Assignee)

Updated

5 years ago
Duplicate of this bug: 919522
(Assignee)

Comment 5

5 years ago
Auto nit: I added the test case on my local patch.

Comment 6

5 years ago
Unfortunately, bug 919118 still hangs even with this patch applied.
Comment on attachment 808769 [details] [diff] [review]
bug915903.patch

Review of attachment 808769 [details] [diff] [review]:
-----------------------------------------------------------------

Acceptable as a workaround.

::: js/src/jit/TypePolicy.cpp
@@ +652,5 @@
>        case ScalarTypeRepresentation::TYPE_UINT16:
>        case ScalarTypeRepresentation::TYPE_INT32:
>        case ScalarTypeRepresentation::TYPE_UINT32:
>          if (value->type() != MIRType_Int32) {
> +            if (value->type() == MIRType_Float32) {

Could you leave a comment above this line, reading "Workaround for Bug 915903."?
Attachment #808769 - Flags: review?(sstangl) → review+
(Assignee)

Comment 9

5 years ago
Created attachment 810058 [details] [diff] [review]
bug915903.patch

Carrying forward r+ from sstangl.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 888109
User impact if declined: crashes / hangs on some web sites (e.g. Google Maps...)
Testing completed (on m-c, etc.): testing completed on m-i, all tests pass
Risk to taking this patch (and alternatives if risky): very low, if not no risk
String or IDL/UUID changes made by this patch: N/A
Attachment #808769 - Attachment is obsolete: true
Attachment #810058 - Flags: review+
Attachment #810058 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/a87ff44842e6
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox27: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Flags: in-testsuite+
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Attachment #810058 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status-b2g-v1.2: --- → fixed

Comment 13

5 years ago
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
status-b2g18: --- → unaffected
Blocks: 888109
Group: core-security
You need to log in before you can comment on or make changes to this bug.