Assertion failure: (uint32_t)(const uint32_t *)val == uint32_t(expectedValue.value), at jit/arm/Assembler-arm.cpp

RESOLVED FIXED in Firefox 29, Firefox OS v1.4

Status

Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 3 years ago

People

(Reporter: gkw, Assigned: mjrosenb)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla29
Platform: ARM, Linux
Keywords: assertion, regression, sec-want, testcase
Points: ---

Firefox Tracking Flags

(firefox26 unaffected, firefox27 unaffected, firefox28 unaffected, firefox29 fixed, firefox-esr17 unaffected, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 unaffected, b2g-v1.3 unaffected, b2g-v1.4 fixed)

Details

(Whiteboard: [fuzzblocker])

Attachments

(2 attachments)

Description (Reporter, 4 years ago)

Created attachment 8349287 [details]: stack

s = []
for (var j = 0; j < 999999; j++) {}

asserts js debug shell on m-c changeset 862cb6a1cc88 without any CLI arguments at Assertion failure: (uint32_t)(const uint32_t *)val == uint32_t(expectedValue.value), at jit/arm/Assembler-arm.cpp

My configure flags are:

CC="gcc -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" AR=ar CXX="g++ -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" sh ./configure --target=arm-linux-gnueabi --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>


autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/9db2450f2a16
user:        Hannes Verschore
date:        Wed Sep 18 17:53:41 2013 +0200
summary:     Bug 910960 - IonMonkey: Improve codegen of TypeBarriers, r=nbp

Hannes, is bug 910960 a likely regressor?
Flags: needinfo?(hv1989)
Updated (Reporter, 4 years ago)
See Also: → bug 950824

Comment 1 (Hannes Verschore [:h4writer])

The place it is failing cannot be introduced by Bug 910960. (Though I didn't try to debug myself. This is solely based on the data in comment 0.)
Flags: needinfo?(hv1989)
Comment 2 (Reporter, 4 years ago)

(In reply to Hannes Verschore [:h4writer] from comment #1)
> The place it is failing, cannot be introduced by Bug 910960. (Though I
> didn't try to debug myself. This is solely based on the data in comment 0).

In that case, we need some ARM folks to take a look - it's occurring very often on ARM.
Flags: needinfo?(mrosenberg)
Whiteboard: [fuzzblocker]
Group: core-security
Keywords: sec-want
Updated (Reporter, 4 years ago)
status-firefox29: --- → affected
tracking-firefox29: --- → ?
Comment 4 (Assignee, 4 years ago)

Created attachment 8349312 [details] [diff] [review]
updateIonScriptLabels-r0.patch
Attachment #8349312 - Flags: review?(jdemooij)
Flags: needinfo?(mrosenberg)
Comment 5 (jdemooij)

Comment on attachment 8349312 [details] [diff] [review]
updateIonScriptLabels-r0.patch

Review of attachment 8349312 [details] [diff] [review]:
-----------------------------------------------------------------

Oops, thanks!
Attachment #8349312 - Flags: review?(jdemooij) → review+
Comment 6 (Reporter, 4 years ago)

Marty, does this bug affect other branches? (it might need sec-approval, for that matter)
Flags: needinfo?(mrosenberg)
Comment 7 (Assignee, 4 years ago)

It probably isn't a big deal. The added code that is causing this failure is:
      jdemooij 1b91cf5c8407:  #ifdef DEBUG
      jdemooij 1b91cf5c8407:      for (size_t i = 0; i < ionScriptLabels_.length(); i++) {
    mrosenberg 440213a072ac:          ionScriptLabels_[i].fixup(&masm);
      jdemooij 1b91cf5c8407:          Assembler::patchDataWithValueCheck(CodeLocationLabel(code, ionScriptLabels_[i]),
      jdemooij 1b91cf5c8407:                                             ImmPtr(ionScript),
      jdemooij 1b91cf5c8407:                                             ImmPtr((void*)-1));
      jdemooij 1b91cf5c8407:      }
      jdemooij 1b91cf5c8407:  #endif
which was landed on the 14th, and is actually only active in debug builds, so it isn't that there is a bad patch that is only guarded in debug builds; the relevant code only exists in debug builds.
Flags: needinfo?(mrosenberg)
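The debug check quoted in comment 7 refuses to patch a code location unless the word already there is the expected placeholder, and the assignee's one-line fix was to run `fixup(&masm)` on each label first. The following is a constructed model of that pattern, not SpiderMonkey's own code: it assumes (the page does not spell this out) that the ARM buffer inserts constant-pool data after a label's offset was recorded, so an un-fixed-up label points at the wrong word and the value check fails exactly as the assertion in the bug title reports.

```cpp
// Constructed model (not SpiderMonkey code) of the check in comment 7. Assumes
// constant pools shift later code, so labels need fixup before being patched.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>
struct CodeBuffer {
    std::vector<uint8_t> bytes;                   // final code, pools included
    size_t rawSize = 0;                           // code bytes only, pools excluded
    std::vector<std::pair<size_t, size_t>> pools; // (raw offset of pool, pool size)
    void emitWord(uint32_t w) {                   // little-endian 32-bit word
        for (int i = 0; i < 4; i++) bytes.push_back(uint8_t(w >> (8 * i)));
        rawSize += 4;
    }
    void insertPool(size_t size) {                // pool data shifts later code
        pools.emplace_back(rawSize, size);
        bytes.insert(bytes.end(), size, 0xAB);    // constructed pool contents
    }
    size_t actualOffset(size_t raw) const {       // raw offset -> final offset
        size_t shift = 0;
        for (const auto& p : pools) if (p.first <= raw) shift += p.second;
        return raw + shift;
    }
};
struct CodeOffsetLabel {                          // stands in for ionScriptLabels_[i]
    size_t offset;
    void fixup(const CodeBuffer& buf) { offset = buf.actualOffset(offset); }
};
// Like patchDataWithValueCheck: only patch if the site holds the expected word.
bool patchDataWithValueCheck(CodeBuffer& buf, size_t off, uint32_t value, uint32_t expected) {
    uint32_t cur;
    std::memcpy(&cur, &buf.bytes[off], 4);
    if (cur != expected) return false;            // the failing assertion in the bug
    std::memcpy(&buf.bytes[off], &value, 4);
    return true;
}
// Emit a nop, a pool, then the placeholder word; patch it with or without fixup.
bool patchIonScriptSlot(bool doFixup) {
    CodeBuffer buf;
    buf.emitWord(0xE1A00000u);                    // mov r0, r0 (nop) at raw offset 0
    buf.insertPool(8);                            // 8 pool bytes land at raw offset 4
    CodeOffsetLabel label{buf.rawSize};           // raw offset 4, actual offset 12
    buf.emitWord(0xFFFFFFFFu);                    // ImmPtr((void*)-1) placeholder
    if (doFixup) label.fixup(buf);
    return patchDataWithValueCheck(buf, label.offset, 0x1234u, 0xFFFFFFFFu);
}
```

Without the fixup the label still points into the pool bytes, so the value check sees 0xABABABAB instead of the placeholder and the patch is refused.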
Comment 8 (Reporter, 4 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/e4d49705cdfe

Helping to land since this seems to affect only m-c as per comment 7. Thanks!
status-firefox26: --- → unaffected
status-firefox27: --- → unaffected
status-firefox28: --- → unaffected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
tracking-firefox29: ? → ---
Updated (Reporter, 4 years ago)
Flags: needinfo?(mrosenberg)
This wasn't at fault. Relanded.
https://hg.mozilla.org/integration/mozilla-inbound/rev/14eaffaa838a
Flags: needinfo?(mrosenberg)
https://hg.mozilla.org/mozilla-central/rev/14eaffaa838a
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox29: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Blocks: 950824
Marking b2g affected-ness based on comment 7.
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → unaffected
status-b2g-v1.4: --- → fixed
Group: core-security