Assertion failure: ins->type() == MIRType_Value, at ../jit/MIR.h:2256 with BinaryData

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 4 years ago
Modified: 29 days ago

People: Reporter: decoder; Assigned: nmatsakis

Tracking: Blocks: 1 bug; Keywords: assertion, sec-high, testcase
Version: Trunk
Hardware: x86
OS: Linux

Firefox Tracking Flags: firefox26 disabled, firefox27 disabled, firefox28 disabled, firefox29 disabled, firefox30 affected, firefox-esr24 disabled, b2g18 unaffected

Whiteboard: [jsbugmon:testComment=6,origRev=211337f7fb83]

Attachments: 1 attachment

Description (Reporter, 4 years ago)

The following testcase asserts on mozilla-central revision 211337f7fb83 (run with --fuzzing-safe --ion-eager):

var PointType2 = new StructType({x: float64, y: float64});
function xPlusYTweak({y})  {
  for (var Int16Array = 0; Int16Array < 10; ++Int16Array) {}
}
var N = 30000;
for (var i = 0; i < N; i++) {
  obj = new PointType2({x: i, y: i+1});
  xPlusYTweak(obj)
}

Comment 1 (Reporter, 4 years ago)

Created attachment 816682 [details]
[crash-signature] Machine-readable crash signature
Sounds bad.
Keywords: sec-high

Updated (Reporter, 4 years ago)

Whiteboard: [jsbugmon:update,bisect]

Comment 3 (Reporter, 4 years ago)

Niko, can you take a look?
Flags: needinfo?(nmatsakis)

Updated (Reporter, 4 years ago)

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]

Comment 4 (Reporter, 4 years ago)

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2c85e4d1d678).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/4c2b9302fae8
user:        Nicholas D. Matsakis
date:        Wed Aug 21 13:35:30 2013 -0400
summary:     Bug 898349 - JIT support for getting and setting scalar properties and for optimizing away intermediate typed objects r=jandem

This iteration took 1.754 seconds to run.

Updated (Reporter, 4 years ago)

Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
status-b2g18: --- → unaffected
status-firefox26: --- → disabled
status-firefox27: --- → disabled
status-firefox28: --- → affected
status-firefox-esr24: --- → disabled

Updated (Reporter, 4 years ago)

Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]

Comment 5 (Reporter, 4 years ago)

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/89600e659123
user:        Nicholas D. Matsakis
date:        Mon Sep 09 11:52:11 2013 -0400
summary:     Bug 914220 - Move TypedObject global names into a TypedObject module r=waldo

This iteration took 378.426 seconds to run.

Comment 6 (Reporter, 4 years ago)

Hm. Let's give this a try:

var T = TypedObject;
var PointType2 = new T.StructType({x: T.float64, y: T.float64});
function xPlusYTweak({y})  {
  for (var Int16Array = 0; Int16Array < 10; ++Int16Array) {}
}
var N = 30000;
for (var i = 0; i < N; i++) {
  obj = new PointType2({x: i, y: i+1});
  xPlusYTweak(obj)
}
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=6,origRev=211337f7fb83]

Updated (Reporter, 4 years ago)

Whiteboard: [jsbugmon:update,testComment=6,origRev=211337f7fb83] → [jsbugmon:testComment=6,origRev=211337f7fb83]

Comment 7 (Reporter, 4 years ago)

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Updated (Assignee, 4 years ago)

Assignee: general → nmatsakis
Flags: needinfo?(nmatsakis)

Comment 8 (Assignee, 4 years ago)

I'll investigate.
status-firefox28: affected → disabled
status-firefox29: --- → affected
Group: javascript-core-security
status-firefox29: affected → disabled
status-firefox30: --- → affected
Flags: needinfo?(nmatsakis)
Can we get an update on progress here?

Comment 10 (Assignee, 4 years ago)

I am not currently able to reproduce.
Flags: needinfo?(nmatsakis)

Comment 11 (Assignee, 4 years ago)

Clearly this bug fell off my radar. It seems quite likely that it got fixed in passing.

Comment 12 (Reporter, 4 years ago)

The test doesn't reproduce for me either, but JSBugMon also cannot track the new test in comment 6, so we cannot get a bisection. I'd suggest we close this as WFM and see if the fuzzer trips over this again at some point.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME
Group: javascript-core-security

Updated (2 years ago)

Group: core-security → core-security-release
Group: core-security-release