Closed Bug 924538 Opened 11 years ago Closed 11 years ago

Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Bad MIRType)), at jit/IonMacroAssembler.cpp:1862

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla27
Tracking Status
firefox25 --- unaffected
firefox26 --- unaffected
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: decoder, Assigned: sstangl)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(2 files)

The following testcase asserts on mozilla-central revision 56b0a41985f3 (run with --fuzzing-safe --ion-eager):
function testFloat32SetElemIC(a) {
  for (var i = 0; i < a.length; i++) {
    var r = Math.fround(Math.random());
    a[i] = r;
  }
}
testFloat32SetElemIC(new Array(2048));
testFloat32SetElemIC(new Uint8ClampedArray(2048));
Whiteboard: [jsbugmon:update,bisect]
Float32 bug. I'll take it.
Assignee: general → sstangl
Uint8ClampedArray is missing a path for MIRType_Float32. This patch reuses the DoubleToInt path, since the conversion of a float to an integer is the same as the conversion of that float to a double and then to an integer. An actual implementation of FloatToInt involves some really scary-looking ARM code that I would prefer not to touch, and isn't appropriate for a security fix anyway -- we can leave that to a follow-up bug.
Attachment #814543 - Flags: review?(luke)
Attachment #814543 - Flags: review?(luke) → review+
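The property the patch comment relies on (storing a Float32 into a Uint8ClampedArray gives the same byte as storing that value as a double), as an added example that is not part of the bug or the SpiderMonkey patch: a reference implementation of the clamped store, assumed to follow the ECMAScript ToUint8Clamp rounding, checked against the engine on Math.fround inputs including the testcase's fuzz pattern.

```javascript
// Added example; toUint8Clamp and checkClampedStores are hypothetical helpers,
// not SpiderMonkey code. toUint8Clamp mirrors the spec's ToUint8Clamp:
// NaN -> 0, clamp to [0, 255], round half to even.
function toUint8Clamp(x) {
  if (Number.isNaN(x)) return 0;
  if (x <= 0) return 0;
  if (x >= 255) return 255;
  const f = Math.floor(x);
  if (f + 0.5 < x) return f + 1;   // above the midpoint: round up
  if (x < f + 0.5) return f;       // below the midpoint: round down
  return f % 2 === 0 ? f : f + 1;  // exact tie: round to even
}

// Store each value as a Float32 (via Math.fround) into a real Uint8ClampedArray
// and compare with the double-based reference; returns the list of mismatches,
// which must be empty if the float path and the double path agree.
function checkClampedStores(values) {
  const a = new Uint8ClampedArray(values.length);
  const mismatches = [];
  for (let i = 0; i < values.length; i++) {
    const asFloat32 = Math.fround(values[i]); // the Float32 value the IC sees
    a[i] = asFloat32;                         // engine's clamped store
    const expected = toUint8Clamp(asFloat32); // DoubleToInt-style reference
    if (a[i] !== expected) {
      mismatches.push({ index: i, input: values[i], got: a[i], expected });
    }
  }
  return mismatches;
}

// Constructed inputs: rounding ties, negatives, overflow, NaN, a denormal,
// and the testcase's pattern of random Float32 values.
const samples = [0.5, 1.5, 2.5, 254.5, 255.5, -1, -0.4, 300, NaN, 1e-45, 127.49999];
for (let i = 0; i < 64; i++) samples.push(Math.fround(Math.random() * 300));

console.log("mismatches:", checkClampedStores(samples).length); // prints 0
```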
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ed91189f940e
user:        Brian Hackett
date:        Wed Sep 18 09:43:21 2013 -0600
summary:     Bug 917441 - Remove dependence of IonBuilder on ScriptAnalysis, r=jandem.

This iteration took 380.577 seconds to run.
Sean, is bug 917441 an unlikely regressor, if it's a float32 bug?
Flags: needinfo?(sstangl)
Keywords: regression
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision c22969eec61d).
Marking fixed because it's now landed on m-c.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Target Milestone: --- → mozilla27
Flags: needinfo?(sstangl)
This appears to affect Firefox 26 (Aurora). How bad a crash is it? If it is actually a security problem we've now checked in a testcase that shows people how to trigger it. If it's a security bug we should land it in Aurora, if not we should unhide the bug.
Blocks: 917441
Flags: needinfo?(sstangl)
I may need to take that back. If bug 917441 is the regressor (asked in comment 6 but not answered) then this is Firefox 27 only.
Matt - can you confirm if this is unaffected on 26?
Flags: needinfo?(mwobensmith)
Appears to be unaffected on 26. I was able to repro on 27.
Flags: needinfo?(mwobensmith)
Aurora contains Float32 support, so there's probably some way to trigger the same failure. I believe the plan is to disable Float32 on release and beta.
Flags: needinfo?(sstangl)
Group: core-security