Closed Bug 980371 Opened 7 years ago Closed 7 years ago

Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Bad input type)), at jit/IonBuilder.cpp:6340 or SIGILL

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox29 --- unaffected
firefox30 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 8122ffa9e1aa (run with --fuzzing-safe --ion-eager):


var float32x4 = SIMD.float32x4;
var a = float32x4(1, 20, 3, 40);
var b = float32x4(10, 2, 30, 4);
var c = SIMD.float32x4.min(a, b);
for (var i = 2 ; i < 8; i++)
    f();
Crashes with illegal instruction in an opt-build. SIMD is enabled on nightly only and this could be sec-critical, so marking s-s.
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Niko, this is a fuzzblocker, can you take a look?
Flags: needinfo?(nmatsakis)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Not setting myself to assigned or asking of review, as this is just a workaround and just redirects to bug 980400, but it will lower the fury of fuzzers.

These SIMD patches seem not complete, as we have MIR nodes that are not implemented in the lowering side.
Blocks: 943769
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/7efaabf97f0c
user:        Haitao Feng
date:        Tue Mar 04 20:06:26 2014 -0500
summary:     Bug 943769 Part 2 -- Set up SIMD inlining infrastructure r=nmatsakis

This iteration took 0.973 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0dc1be930880).
Since this doesn't reproduce any more, does it need more investigation?  Did some SIMD fix land recently?
Flags: needinfo?(choller)
Nope, the offending patch was backed out. I don't know if Niko wants to use the test here to prevent this incomplete patch from being landed again.
Flags: needinfo?(choller)
I think we can just close this. The problem is relatively obvious! The patch was incomplete.
Flags: needinfo?(nmatsakis)
Thanks Niko.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.