
Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp

VERIFIED FIXED in Firefox 27, Firefox OS v1.2



JavaScript Engine: JIT
4 years ago
4 years ago


(Reporter: gkw, Assigned: bbouvier)


(Blocks: 1 bug, {assertion, regression, testcase})

Mac OS X

Firefox Tracking Flags

(firefox25 unaffected, firefox26 wontfix, firefox27+ fixed, firefox28 fixed, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 fixed, b2g-v1.3 fixed)


(Whiteboard: [jsbugmon:update][adv-main27+])


(2 attachments)



4 years ago
Created attachment 831920 [details]
lldb stack

function x() {}
ParallelArray(3385, function(y) {
    Object.defineProperty([], 8, {
        e: (y ? x : Math.fround(1))
    })
})

asserts js debug shell on m-c changeset 7b014f0f3b03 with --baseline-eager at Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/13568a3576cd
user:        Benjamin Bouvier
date:        Thu Sep 12 14:54:01 2013 -0700
summary:     Bug 915301: Check Float32 coherency; r=sstangl
Flags: needinfo?(benj)

Comment 1

4 years ago
Older forms of this assertion were marked s-s, e.g. bug 919522.
Group: core-security

Comment 2

4 years ago
Created attachment 832258 [details] [diff] [review]
Patch and test case

Sets the MPostWriteBarrier as an always Float32 safe instruction. This makes sense as long as PostWriteBarriers only notify GC of Objects and Values. The modified function is called during the ApplyTypes phase, to check that there is no Float32 flowing into a non Float32-safe operator.
Assignee: general → benj
Attachment #832258 - Flags: review?
Flags: needinfo?(benj)
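The check described in comment 2, as an added example that is not part of the bug or of the SpiderMonkey sources: a toy IR in which every consumer of a Float32-typed operand must declare that it handles Float32 consistently. The `Node` struct, the node names and both functions are hypothetical; only `isConsistentFloat32Use` and the post write barrier come from the page.

```cpp
// Toy model of a Float32 coherency check (illustrative, not Ion's real classes).
#include <string>
#include <vector>

enum class Type { Object, Value, Float32 };

struct Node {
    std::string name;
    Type type;                        // result type of this node
    bool consistentFloat32Use;        // models isConsistentFloat32Use()
    std::vector<const Node*> operands;
};

// Returns the names of consumers that receive a Float32 operand without
// declaring Float32-safe handling. An empty result means the graph is coherent;
// in a debug build each entry would correspond to a failed assertion.
std::vector<std::string> incoherentFloat32Uses(const std::vector<const Node*>& graph) {
    std::vector<std::string> bad;
    for (const Node* consumer : graph) {
        for (const Node* operand : consumer->operands) {
            if (operand->type == Type::Float32 && !consumer->consistentFloat32Use) {
                bad.push_back(consumer->name);
                break;  // report each consumer once
            }
        }
    }
    return bad;
}

// Constructed graph: a Float32 value reaches both an arithmetic node and a
// post write barrier. `barrierIsSafe` models the barrier before (false) and
// after (true) it is marked as always Float32 safe, which comment 2 justifies
// by the barrier only notifying the GC of Objects and Values.
std::vector<std::string> checkBarrierGraph(bool barrierIsSafe) {
    Node fround{"fround", Type::Float32, true, {}};
    Node obj{"object", Type::Object, false, {}};
    Node barrier{"postWriteBarrier", Type::Value, barrierIsSafe, {&obj, &fround}};
    Node add{"float32Add", Type::Float32, true, {&fround, &fround}};
    return incoherentFloat32Uses({&fround, &obj, &barrier, &add});
}

int main() {
    bool ok = checkBarrierGraph(false).size() == 1 && checkBarrierGraph(true).empty();
    return ok ? 0 : 1;
}
```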


4 years ago
Attachment #832258 - Flags: review? → review?(jcoppeard)
Comment on attachment 832258 [details] [diff] [review]
Patch and test case

Review of attachment 832258 [details] [diff] [review]:

Looks good.
Attachment #832258 - Flags: review?(jcoppeard) → review+
Last Resolved: 4 years ago
status-firefox28: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
JSBugMon: This bug has been automatically verified fixed.
Pushed https://hg.mozilla.org/integration/mozilla-inbound/rev/e4b5ab3610da as a followup for the test, to bail when ParallelArray isn't defined, since it's only on the trunk.

Comment 9

4 years ago
Per comment 0 b2g18 and b2g1.1 are unaffected. The first bad revision was in September so b2g1.2 may be affected.
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → ?
Is there a reason this bug didn't go through sec-approval (and security rating) before checkin since it affects more than one branch?

status-firefox25: --- → unaffected
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox-esr24: --- → unaffected
Marking b2g 1.2 affected since it is based on 26, which is affected by this bug (along with 27).
status-b2g-v1.2: ? → affected
Can we please get Aurora/Beta/b2g26 uplift noms?
Flags: needinfo?(benj)

Comment 13

4 years ago
Comment on attachment 832258 [details] [diff] [review]
Patch and test case

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 888109
User impact if declined: crashes on certain scripts
Testing completed (on m-c, etc.): test added, testing completed on m-i, m-c for some time now
Risk to taking this patch (and alternatives if risky): no risk at all
String or IDL/UUID changes made by this patch: N/A
Attachment #832258 - Flags: approval-mozilla-beta?
Attachment #832258 - Flags: approval-mozilla-b2g26?
Attachment #832258 - Flags: approval-mozilla-aurora?
Flags: needinfo?(benj)
Attachment #832258 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #832258 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Looks like this actually only needs to get on Beta since 27 is already marked fixed.
status-firefox26: affected → wontfix
tracking-firefox27: --- → +
status-b2g-v1.3: --- → fixed
status-firefox27: affected → fixed
FWIW, the b2g26 backport is green on Try.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main27+]
Comment on attachment 832258 [details] [diff] [review]
Patch and test case

Plus for approval-mozilla-b2g26: Regression
Attachment #832258 - Flags: approval-mozilla-b2g26? → approval-mozilla-b2g26+
Group: core-security