Closed Bug 925305 Opened 11 years ago Closed 11 years ago

Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Modified registers between VM call and OsiPoint)), at jit/shared/CodeGenerator-shared.cpp:532

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla27
Tracking Status
firefox26 --- unaffected
firefox27 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: decoder, Assigned: shu)

References

Details

(Keywords: assertion, sec-critical, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

The following testcase asserts on mozilla-central revision aa986b6ce882 (run with --fuzzing-safe --ion-eager):


enableOsiPointRegisterChecks();
function testFloat32SetElemIC(a) {
  for (var i = 0; i < a.length; i++) {
    var r = Math.fround(Math.random());
    a[i] = r;
  }
}
testFloat32SetElemIC(new Array(2048));
testFloat32SetElemIC(new Float64Array(2048));
Whiteboard: [jsbugmon:update,bisect]
Component: JavaScript Engine → JavaScript Engine: JIT
This looks like a float32 + setelem IC issue. Can you take a look? Thanks :)
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ed91189f940e
user:        Brian Hackett
date:        Wed Sep 18 09:43:21 2013 -0600
summary:     Bug 917441 - Remove dependence of IonBuilder on ScriptAnalysis, r=jandem.

This iteration took 418.712 seconds to run.
Add sec-critical security rating as this assertion implies that one register is mutated and the mutation can be observed with a try-catch.

(In reply to Jan de Mooij [:jandem] from comment #2)
> This looks like a float32 + setelem IC issue. Can you take a look? Thanks :)

I guess the easiest would be to add a NoFloatPolicy on the MSetElementCache value operand.
Keywords: sec-critical
Shouldn't have been doing conversion in place. So far this hasn't been a
problem because all relevant uses of pushArg on float32s have been between
saveLive/restoreLive pairs, which made the in-place conversion not observable.
The OSI point checker is installed in callVM though, in between saveLive and
restoreLive, and so was able to observe this.
Attachment #815669 - Flags: review?(jdemooij)
Assignee: general → shu
Status: NEW → ASSIGNED
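The mechanism shu describes above (a float32 operand widened to double in place before a VM call, which is invisible once restoreLive runs but is caught by the register check that enableOsiPointRegisterChecks() turns on) can be modelled in a few lines. The following is an added toy model, not SpiderMonkey code: the register file, the saveLive/restoreLive/OSI-check helpers, the register numbers, and the assumption that the scratch float register is excluded from the check are all invented for illustration.

```c
/* Toy model of the invariant behind this assertion: registers must not be
 * modified between a VM call and its OsiPoint. Added example; names, layout
 * and helpers are hypothetical and not taken from the JIT. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NUM_FLOAT_REGS 4
#define SCRATCH_FLOAT_REG 3   /* assumed: the scratch register is not part of the check */

typedef struct {
    uint64_t bits[NUM_FLOAT_REGS];  /* raw contents of each float register */
} RegState;

/* A float32 occupies the low 32 bits of a float register (as with movss). */
static void store_float32(RegState *r, int reg, float v) {
    uint32_t b;
    memcpy(&b, &v, sizeof b);
    r->bits[reg] = b;
}
static float load_float32(const RegState *r, int reg) {
    uint32_t b = (uint32_t)r->bits[reg];
    float v;
    memcpy(&v, &b, sizeof v);
    return v;
}
static void store_double(RegState *r, int reg, double v) {
    memcpy(&r->bits[reg], &v, sizeof v);
}
static double load_double(const RegState *r, int reg) {
    double v;
    memcpy(&v, &r->bits[reg], sizeof v);
    return v;
}

/* saveLive snapshots the live registers; the OSI point check verifies that
 * (apart from the scratch register) they are exactly as snapshotted. */
static RegState saved_live;
static void save_live(const RegState *r) { saved_live = *r; }
static void restore_live(RegState *r) { *r = saved_live; }
static int osi_point_registers_unchanged(const RegState *r) {
    for (int i = 0; i < NUM_FLOAT_REGS; i++) {
        if (i == SCRATCH_FLOAT_REG) continue;
        if (r->bits[i] != saved_live.bits[i]) return 0;
    }
    return 1;
}

/* pushArg for a float32 operand: the VM function expects a double. */
static double push_arg_float32_in_place(RegState *r, int reg) {
    /* Bug: widening inside the operand's own register mutates that register. */
    store_double(r, reg, (double)load_float32(r, reg));
    return load_double(r, reg);
}
static double push_arg_float32_scratch(RegState *r, int reg) {
    /* Fix: widen into the scratch register; the operand register is untouched. */
    store_double(r, SCRATCH_FLOAT_REG, (double)load_float32(r, reg));
    return load_double(r, SCRATCH_FLOAT_REG);
}

/* Model of callVM: saveLive, pushArg, OSI point check, restoreLive.
 * Returns 1 if the check passes and 0 if it would assert; *pushed receives
 * the argument value handed to the VM function. */
static int simulate_call_vm(int use_scratch, float operand, double *pushed) {
    RegState regs = {{0}};
    store_float32(&regs, 1, operand);   /* operand lives in float register 1 */
    save_live(&regs);
    *pushed = use_scratch ? push_arg_float32_scratch(&regs, 1)
                          : push_arg_float32_in_place(&regs, 1);
    int ok = osi_point_registers_unchanged(&regs);
    restore_live(&regs);  /* without the check, this is what hid the mutation */
    return ok;
}

/* Small wrappers so each result is a plain return value. */
static int check_passes(int use_scratch) {
    double d;
    return simulate_call_vm(use_scratch, 1.5f, &d);
}
static double pushed_value(int use_scratch) {
    double d;
    simulate_call_vm(use_scratch, 1.5f, &d);
    return d;
}

int main(void) {
    printf("in place: check %s, pushed %g\n", check_passes(0) ? "passed" : "FAILED", pushed_value(0));
    printf("scratch:  check %s, pushed %g\n", check_passes(1) ? "passed" : "FAILED", pushed_value(1));
    return 0;
}
```

Both variants push the correct double 1.5, which is why the in-place conversion went unnoticed while every caller sat between saveLive and restoreLive; only the check between the two sees that register 1 now holds a double bit pattern instead of the float32 it was snapshotted with.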
Apparently bzexport doesn't clear needinfo
Flags: needinfo?(shu)
Fix the other place where we were converting in place.
Attachment #815694 - Flags: review?(jdemooij)
Attachment #815669 - Attachment is obsolete: true
Attachment #815669 - Flags: review?(jdemooij)
Blocks: 923717
Comment on attachment 815694 [details] [diff] [review]
Use ScratchFloatReg when converting float32->double for callVM. (r=?)

Review of attachment 815694 [details] [diff] [review]:
-----------------------------------------------------------------

Stealing review on shu's request.
Attachment #815694 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/f422b59826c1
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
Group: core-security