Closed Bug 1181166 Opened 9 years ago Closed 9 years ago

Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747 with signature XUL!EnterBaseline(JSContext*, js::jit::EnterJitData&) [BaselineJIT.cpp : 124 + 0xf0]

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1175538

People

(Reporter: cbook, Unassigned)

References

(
URL
)

Details

(Keywords: sec-high)

Attachments

(2 files)

bughunter stack
(deleted), text/plain
Details
windgb information from this url
(deleted), text/plain
Details
Attached file bughunter stack (deleted) — 
Found by bughunter and has also ->> Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747

Steps to reproduce:
-> Load http://www.autobusubilietai.lt
-->> Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747

but this time XUL!EnterBaseline(JSContext*, js::jit::EnterJitData&) [BaselineJIT.cpp : 124 + 0xf0] crash , stack attached
Keywords: sec-high
Blocks: 1181590
Attached file windgb information from this url (deleted) — 

  

  



    
    

    
  
Jandem, is there somebody who can look at this? Thanks.

  

  


Flags: needinfo?(jdemooij)

    
    

    
  
Benjamin, would you mind bisecting/investigating this to see if that tells us something? I'm trying to forward more of these bugs to others as taking all these bugs myself can be very time consuming.

  

  


Flags: needinfo?(jdemooij) → needinfo?(benj)

    
    

    
  
Sure, I can take a look this week.

  

  


Flags: needinfo?(benj)

    
    

    
  
The failure is a runtime check implemented in JIT code, so we have no backtrace in the debugger. This check is generated for each LIR instruction. I'd suggest some printf debugging to get more information, or trying disabling a few optimization passes and see what happens, but it's really non-trivial to know what's going on here...
I'll be on PTO next week, so I won't be able to give it a look soon, but I can do it later, when I'm back, unless somebody beats me to it.

  

  



    
    

    
  
I'm back from PTO, and I've tried to reproduce this today, but I couldn't!

Bisection lead to this:

The first good revision is:
changeset:   256340:7ce747f01b72
user:        Brian Hackett <bhackett1024@gmail.com>
date:        Wed Aug 05 11:53:01 2015 -0400
summary:     Bug 1175538 - Ensure str_split result object has the right group. r=jandem

Brian, does this look like this runtime check could have been triggered without this patch? I don't have access to bug 1175538, but the summary and the patch content seem consistent with the failure described in the bug's title.

  

  


Flags: needinfo?(bhackett1024)

    
    

    
  
For what it's worth, bug 1175538 has two parts: a new assertion and a fix. I've tried adding only the assertion onto changeset 256339 and see if it were triggered when visiting the website, but it wasn't. So the question still stands.

  

  



    
    

    
  
Bug 1175538 was fixing one of these "returned object with unexpected type" failures, so it definitely could have fixed this too.  The assertion added by that bug is somewhat ancillary.

  

  


Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: