Closed Bug 919522 Opened 11 years ago Closed 11 years ago

Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp:922 or Crash [@ js::jit::LIRGenerator::visitTruncateToInt32] with invalid read

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 915903

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [sg:dupe 915903][jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision f97307cb4c95 (run with --fuzzing-safe --ion-eager):

    function testFloat32SetElemIC(a) {
      for (var i = 0; i < a.length; i++) {
        var r = Math.fround(Math.random());
        a[i] = r;
      }
    }
    testFloat32SetElemIC(new Int8Array(2048));
This looks bad:

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000074133a in js::jit::LIRGenerator::visitTruncateToInt32 (this=0x7fffffffb450, truncate=0x14cc1e8) at js/src/jit/Lowering.cpp:1699
    1699        switch (opd->type()) {
    #0  0x000000000074133a in js::jit::LIRGenerator::visitTruncateToInt32 (this=0x7fffffffb450, truncate=0x14cc1e8) at js/src/jit/Lowering.cpp:1699
    #1  0x0000000000756e45 in visitInstruction (ins=0x14cc1e8, this=0x7fffffffb450) at js/src/jit/Lowering.cpp:3200
    #2  js::jit::LIRGenerator::visitBlock (this=0x7fffffffb450, block=0x14ca040) at js/src/jit/Lowering.cpp:3292
    #3  0x0000000000757194 in js::jit::LIRGenerator::generate (this=0x7fffffffb450) at js/src/jit/Lowering.cpp:3368
    #4  0x00000000006c4be3 in js::jit::GenerateLIR (mir=0x1436758) at js/src/jit/Ion.cpp:1384
    #5  0x00000000006c60dc in CompileBackEnd (mir=0x1436758, maybeMasm=<optimized out>) at js/src/jit/Ion.cpp:1487
    #6  js::jit::IonCompile (cx=0x141a600, script=<optimized out>, baselineFrame=0x7fffffffc408, osrPc=0x14be870 "\343\001V", constructing=false, executionMode=<optimized out>) at js/src/jit/Ion.cpp:1656
    #7  0x00000000006c6387 in js::jit::Compile (cx=0x141a600, script=..., osrFrame=0x7fffffffc408, osrPc=<optimized out>, constructing=<optimized out>, executionMode=js::jit::SequentialExecution) at js/src/jit/Ion.cpp:1814
    rax            0x9dc6d0           10340048
    rdx            0xfffefa81         4294900353
    rip            0x74133a           <js::jit::LIRGenerator::visitTruncateToInt32(js::jit::MTruncateToInt32*)+74>
    => 0x74133a <js::jit::LIRGenerator::visitTruncateToInt32(js::jit::MTruncateToInt32*)+74>:  movslq (%rax,%rdx,4),%rdx
       0x74133e <js::jit::LIRGenerator::visitTruncateToInt32(js::jit::MTruncateToInt32*)+78>:  add    %rdx,%rax

Marking sec-high based on crash.
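The testcase above stores Math.random() values, so only the crash is observable, not whether the stored bytes are right. As an added example (not part of this bug report or of SpiderMonkey), the following deterministic variant of the same pattern, Math.fround results stored into an Int8Array from a warmed-up loop, compares every stored byte against a reference implementation of the ToInt8 conversion, which is the kind of regression check that surfaces a miscompiled Float32-to-Int32 truncation as a wrong value even when it does not crash. All function names and sample inputs are constructed for this example.

```javascript
// Added example, not from the bug report: a deterministic check of the pattern
// in the testcase (Math.fround results stored into an Int8Array). Every name
// here is constructed for this example.

// Reference conversion for a value stored into an Int8Array element, following
// the ECMAScript ToInt8 rules: truncate toward zero, wrap modulo 2^8, then
// reinterpret as signed. NaN and +/-Infinity store as 0.
function expectedInt8(x) {
  const f = Math.fround(x);              // the value is rounded to float32 first
  if (!Number.isFinite(f)) return 0;
  const t = Math.trunc(f);               // sign(f) * floor(abs(f))
  const m = ((t % 256) + 256) % 256;     // mathematical modulo, never negative
  return m >= 128 ? m - 256 : m;
}

// Constructed inputs: values that round differently in float32 and double,
// negatives, values outside the int8 range, and non-finite values.
const SAMPLE_INPUTS = [0, 1.5, -1.5, 127.9, 128.1, -128.7, 255.5, 1e10,
                       -370000, 0.1, 16777217, NaN, Infinity, -Infinity];

// Same shape as the testcase's loop, with deterministic inputs instead of
// Math.random(), so the stored bytes can be verified afterwards.
function fillInt8FromFround(a, inputs) {
  for (let i = 0; i < a.length; i++) {
    a[i] = Math.fround(inputs[i % inputs.length]);
  }
  return a;
}

// Runs the fill loop enough times for a JIT to compile it, then compares every
// slot against the reference. Returns the mismatches (empty when the engine's
// float32 -> int8 store path agrees with the specification).
function checkFroundInt8Stores(iterations = 2000, length = 2048) {
  const a = new Int8Array(length);
  for (let iter = 0; iter < iterations; iter++) {
    fillInt8FromFround(a, SAMPLE_INPUTS);
  }
  const mismatches = [];
  for (let i = 0; i < a.length; i++) {
    const want = expectedInt8(SAMPLE_INPUTS[i % SAMPLE_INPUTS.length]);
    if (a[i] !== want) mismatches.push({ index: i, got: a[i], want });
  }
  return mismatches;
}
```

Running checkFroundInt8Stores() in an engine flag configuration that forces early compilation (such as the --ion-eager used above) exercises the compiled store path rather than the interpreter.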
Crash Signature: [@ js::jit::LIRGenerator::visitTruncateToInt32]
Keywords: crash, sec-high
Whiteboard: [jsbugmon:update,bisect]
Could be the same as the inception demo crash.
(That is, bug 919522)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/8621bdc40841
user:        Benjamin Bouvier
date:        Wed Sep 11 02:10:17 2013 -0700
summary:     Bug 900257: Inline Math.fround in IonMonkey; r=sstangl

This iteration took 364.573 seconds to run.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Blocks: 900257
Keywords: regression
Whiteboard: [jsbugmon:update] → [sg:dupe 915903][jsbugmon:update]
Group: core-security