Closed
Bug 938431
Opened 11 years ago
Closed 11 years ago
Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
Tracking | Status | |
---|---|---|
firefox25 | --- | unaffected |
firefox26 | --- | wontfix |
firefox27 | + | fixed |
firefox28 | --- | fixed |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | fixed |
b2g-v1.3 | --- | fixed |
People
(Reporter: gkw, Assigned: bbouvier)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update][adv-main27+])
Attachments
(2 files)
4.43 KB,
text/plain
|
Details | |
1.27 KB,
patch
|
jonco
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
praghunath
:
approval-mozilla-b2g26+
|
Details | Diff | Splinter Review |
function x() {} ParallelArray(3385, function(y) { Object.defineProperty([], 8, { e: (y ? x : Math.fround(1)) }) }) asserts js debug shell on m-c changeset 7b014f0f3b03 with --baseline-eager at Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp My configure flags are: CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/13568a3576cd user: Benjamin Bouvier date: Thu Sep 12 14:54:01 2013 -0700 summary: Bug 915301: Check Float32 coherency; r=sstangl
Flags: needinfo?(benj)
Reporter | ||
Comment 1•11 years ago
|
||
Older forms of this assertion were marked s-s, e.g. bug 919522.
Group: core-security
Assignee | ||
Comment 2•11 years ago
|
||
Sets the MPostWriteBarrier as an always Float32 safe instruction. This makes sense as long as PostWriteBarriers only notify GC of Objects and Values. The modified function is called during the ApplyTypes phase, to check that there is no Float32 flowing into a non Float32-safe operator.
Assignee: general → benj
Status: NEW → ASSIGNED
Attachment #832258 -
Flags: review?
Flags: needinfo?(benj)
Assignee | ||
Updated•11 years ago
|
Attachment #832258 -
Flags: review? → review?(jcoppeard)
Comment 3•11 years ago
|
||
Comment on attachment 832258 [details] [diff] [review] Patch and test case Review of attachment 832258 [details] [diff] [review]: ----------------------------------------------------------------- Looks good.
Attachment #832258 -
Flags: review?(jcoppeard) → review+
Assignee | ||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/fd55575b3350
https://hg.mozilla.org/mozilla-central/rev/fd55575b3350
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox28:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Comment 6•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Comment 7•11 years ago
|
||
Pushed https://hg.mozilla.org/integration/mozilla-inbound/rev/e4b5ab3610da as a followup for the test, to bail when ParallelArray isn't defined, since it's only on the trunk.
Comment 8•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e4b5ab3610da
Comment 9•11 years ago
|
||
Per comment 0 b2g18 and b2g1.1 are unaffected. The first bad revision was in September so b2g1.2 may be affected.
Comment 10•11 years ago
|
||
Is there a reason this bug didn't go through sec-approval (and security rating) before checkin since it affects more than one branch? https://wiki.mozilla.org/Security/Bug_Approval_Process
status-firefox25:
--- → unaffected
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox-esr24:
--- → unaffected
Comment 11•11 years ago
|
||
Marking b2g 1.2 affected since it is based on 26, which is affected by this bug (along with 27).
Assignee | ||
Comment 13•11 years ago
|
||
Comment on attachment 832258 [details] [diff] [review] Patch and test case [Approval Request Comment] Bug caused by (feature/regressing bug #): 888109 User impact if declined: crashes on certain scripts Testing completed (on m-c, etc.): test added, testing completed on m-i, m-c for some time now Risk to taking this patch (and alternatives if risky): no risk at all String or IDL/UUID changes made by this patch: N/A
Attachment #832258 -
Flags: approval-mozilla-beta?
Attachment #832258 -
Flags: approval-mozilla-b2g26?
Attachment #832258 -
Flags: approval-mozilla-aurora?
Flags: needinfo?(benj)
Updated•11 years ago
|
Attachment #832258 -
Flags: approval-mozilla-beta?
Attachment #832258 -
Flags: approval-mozilla-beta+
Attachment #832258 -
Flags: approval-mozilla-aurora?
Attachment #832258 -
Flags: approval-mozilla-aurora+
Comment 14•11 years ago
|
||
Looks like this actually only needs to get on Beta since 27 is already marked fixed.
Updated•11 years ago
|
tracking-firefox27:
--- → +
Comment 15•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/2765cb3f2d5e
status-b2g-v1.3:
--- → fixed
Comment 16•10 years ago
|
||
FWIW, the b2g26 backport is green on Try.
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main27+]
Comment 17•10 years ago
|
||
Comment on attachment 832258 [details] [diff] [review] Patch and test case Plus for approval‑mozilla‑b2g26: Regression
Attachment #832258 -
Flags: approval-mozilla-b2g26? → approval-mozilla-b2g26+
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•