Bug 924538 - Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Bad MIRType)), at jit/IonMacroAssembler.cpp:1862

Status: Closed (VERIFIED FIXED), opened 11 years ago, closed 11 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla27

Branch | Tracking | Status |
---|---|---|
firefox25 | --- | unaffected |
firefox26 | --- | unaffected |
firefox27 | --- | fixed |
firefox-esr17 | --- | unaffected |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.2 | --- | unaffected |

People: Reporter: decoder, Assigned: sstangl
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update,ignore]

Attachments (2 files):
- 740 bytes, text/plain
- 1.65 KB, patch (luke: review+)
The following testcase asserts on mozilla-central revision 56b0a41985f3 (run with --fuzzing-safe --ion-eager):

```js
function testFloat32SetElemIC(a) {
  for (var i = 0; i < a.length; i++) {
    var r = Math.fround(Math.random());
    a[i] = r;
  }
}
testFloat32SetElemIC(new Array(2048));
testFloat32SetElemIC(new Uint8ClampedArray(2048));
```
Comment 1 (Reporter), 11 years ago
Updated (Reporter), 11 years ago: Whiteboard: [jsbugmon:update,bisect]
Comment 3 (Assignee), 11 years ago
Uint8ClampedArray is missing a path for MIRType_Float32. This patch reuses the DoubleToInt path, since the conversion of a float to an integer is the same as the conversion of that float to a double and then to an integer. An actual implementation of FloatToInt involves some really scary-looking ARM code that I would prefer not to touch, and isn't appropriate for a security fix anyway -- we can leave that to a follow-up bug.
Attachment #814543 - Flags: review?(luke)
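To make the conversion argument in comment 3 concrete, here is an added example in JavaScript (not from the bug, the testcase, or the SpiderMonkey patch): a reference implementation of the Uint8ClampedArray element-store conversion, following the ECMAScript ToUint8Clamp steps (NaN to 0, clamp to [0, 255], round ties to even), checked against the engine's own element store for float32-rounded inputs. Because a float32 value is exactly representable as a double, converting it to an integer directly or via a double must give the same byte, which is what the patch relies on. The sample values are constructed to cover the edge cases; `toUint8Clamp` and `checkStore` are names chosen for this example.

```javascript
// Reference ToUint8Clamp (ECMAScript): NaN -> 0, clamp to [0, 255],
// otherwise round to nearest with exact .5 ties rounded to even.
function toUint8Clamp(x) {
  if (Number.isNaN(x)) return 0;
  if (x <= 0) return 0;
  if (x >= 255) return 255;
  const f = Math.floor(x);
  const frac = x - f;
  if (frac < 0.5) return f;
  if (frac > 0.5) return f + 1;
  return f % 2 === 0 ? f : f + 1; // exact tie: round half to even
}

// Store each value through the engine's Uint8ClampedArray element store
// after rounding it to float32 (the MIRType_Float32 case from the bug), and
// compare the stored byte with the reference conversion of the same double.
function checkStore(values) {
  const arr = new Uint8ClampedArray(values.length);
  const mismatches = [];
  for (let i = 0; i < values.length; i++) {
    const f32 = Math.fround(values[i]); // float32 value, exact as a double
    arr[i] = f32;                        // engine's store conversion
    const expected = toUint8Clamp(f32);  // double -> clamped int path
    if (arr[i] !== expected) {
      mismatches.push({ index: i, value: f32, got: arr[i], expected });
    }
  }
  return { bytes: Array.from(arr), mismatches };
}

// Constructed sample inputs (not from the bug): NaN, infinities, negatives,
// overflow, exact .5 ties in both parities, and values that fround changes.
const SAMPLE = [NaN, Infinity, -Infinity, -1, 0, 0.5, 1.5, 2.5,
                254.5, 255.4, 256, 300, 127.7, 1.1];

const result = checkStore(SAMPLE);
console.log("stored bytes:", result.bytes.join(", "));
console.log("mismatches against reference:", result.mismatches.length);
```

Note that `Math.round` would be the wrong reference here: it rounds ties toward positive infinity (1.5 becomes 2 but 2.5 becomes 3), whereas the clamped store rounds 2.5 down to 2, so a JIT path that used a plain round would be observable from script.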
Updated, 11 years ago: Attachment #814543 - Flags: review?(luke) → review+
Comment 4 (Assignee), 11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/869221327b1b
Updated (Reporter), 11 years ago: Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 5 (Reporter), 11 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/ed91189f940e
user: Brian Hackett
date: Wed Sep 18 09:43:21 2013 -0600
summary: Bug 917441 - Remove dependence of IonBuilder on ScriptAnalysis, r=jandem.

This iteration took 380.577 seconds to run.
Comment 6, 11 years ago
Sean, is bug 917441 an unlikely regressor, if it's a float32 bug?
Flags: needinfo?(sstangl)
Keywords: regression
Comment 7, 11 years ago
fixed in https://hg.mozilla.org/mozilla-central/rev/869221327b1b
Flags: in-testsuite?
Updated (Reporter), 11 years ago: Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 8 (Reporter), 11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision c22969eec61d).
Comment 9, 11 years ago
marking fixed because it's now landed on m-c
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated (Reporter), 11 years ago: Status: RESOLVED → VERIFIED
Comment 10 (Reporter), 11 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated, 11 years ago:
status-firefox27: --- → fixed
Target Milestone: --- → mozilla27
Updated (Assignee), 11 years ago: Flags: needinfo?(sstangl)
Comment 11, 11 years ago
This appears to affect Firefox 26 (Aurora). How bad a crash is it? If it is actually a security problem we've now checked in a testcase that shows people how to trigger it. If it's a security bug we should land it in Aurora, if not we should unhide the bug.
Blocks: 917441
status-firefox26: --- → affected
tracking-firefox26: --- → ?
Flags: needinfo?(sstangl)
Updated, 11 years ago:
status-b2g18: --- → unaffected
status-firefox25: --- → unaffected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Comment 12, 11 years ago
I may need to take that back. If bug 917441 is the regressor (asked in comment 6 but not answered) then this is Firefox 27 only.
Comment 13, 11 years ago
Matt - can you confirm if this is unaffected on 26?
Flags: needinfo?(mwobensmith)
Comment 14, 11 years ago
Appears to be unaffected on 26. I was able to repro on 27.
Flags: needinfo?(mwobensmith)
Comment 15 (Assignee), 11 years ago
Aurora contains Float32 support, so there's probably some way to trigger the same failure. I believe the plan is to disable Float32 on release and beta.
Flags: needinfo?(sstangl)
Updated, 11 years ago: tracking-firefox26: ? → ---
Updated, 10 years ago:
Group: core-security
status-b2g-v1.2: --- → unaffected