Closed
Bug 852140
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1848 or Crash [@ getInterval]
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla22
Release | Tracking | Status |
---|---|---|
firefox21 | --- | unaffected |
firefox22 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update][adv-main22-])
Attachments (1 file, 1 obsolete file)
patch (deleted), nbp: review+
The following testcase asserts on mozilla-central revision b03bb3ce8cee (run with --ion-eager):
function reportCompare (expected, actual) {
  if (expected != actual) {}
}
function exitFunc (funcName)
  reportCompare(undefined, '');
reportCompare('', '');
exitFunc();
Comment 1•12 years ago (Reporter)
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000075d3af in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
404 return intervals_[i];
(gdb) bt
#0 0x000000000075d3af in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
#1 js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo (this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.cpp:699
#2 0x0000000000755d88 in js::ion::LinearScanAllocator::go (this=0x7fffffffca60) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1137
#3 0x0000000000701976 in js::ion::GenerateLIR (mir=0xc59d28, maybeMasm=0x0) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1045
#4 0x0000000000703236 in CompileBackEnd (mir=0xc59d28, maybeMasm=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1120
#5 compile (autoDelete=<synthetic pointer>, builder=0xc59d28, this=<optimized out>, graph=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1315
#6 js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0xbade30, script=0xc59d28, fun=(JSFunction *) 0x7ffff603ce80 [object Function "exitFunc"], osrPc=0x0, constructing=false, compileContext=...)
at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1248
#7 0x00000000007038ae in js::ion::Compile<js::ion::SequentialCompileContext> (cx=<optimized out>, script=0x7ffff6032280, fun=..., osrPc=<optimized out>, constructing=<optimized out>, compileContext=...)
at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1468
#8 0x0000000000703b65 in js::ion::CanEnter (cx=0xbade30, script=0x7ffff6032280, fp=..., isConstructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1567
#9 0x00000000004b2632 in js::Interpret (cx=0xbade30, entryFrame=0x7ffff62f4038, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2427
#10 0x00000000004b7b6b in js::RunScript (cx=0xbade30, fp=0x7ffff62f4038) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:341
#11 0x00000000004bd8a3 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0x7ffff6032100, cx=0xbade30, type=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:531
#12 js::Execute (cx=0xbade30, script=0x7ffff6032100, scopeChainArg=..., rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:571
#13 0x0000000000424451 in JS_ExecuteScript (cx=0xbade30, objArg=(JSObject *) 0x7ffff602e060 [object global] delegate, scriptArg=<optimized out>, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5535
#14 0x000000000040fa1e in Process (cx=0xbade30, obj_=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>) at /srv/repos/mozilla-central/js/src/shell/js.cpp:468
#15 0x0000000000413e94 in ProcessArgs (op=0x7fffffffdbc0, obj_=(JSObject *) 0x7ffff602e060 [object global] delegate, cx=0xbade30) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5030
#16 Shell (cx=0xbade30, op=0x7fffffffdbc0, envp=<optimized out>) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5067
#17 0x000000000040453f in main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffffffdd98) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5291
(gdb) x /i $pc
=> 0x75d3af <js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo()+2895>: mov (%rax),%rax
(gdb) info reg rax
rax 0x0 0
Looks like a null-deref but filing s-s because the assertion could indicate a security problem.
We already have other bugs on file with this assert, but I'm filing this anyway because this crashes differently and last time we missed at least one of these bugs because we thought they would be the same. If this is a dup to the others, JSBugMon should automatically find out once they are fixed.
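A small triage helper written for this page (it is not part of the bug, of JSBugMon or of SpiderMonkey) that applies the reasoning in the comment above: it parses the `x /i $pc` and `info reg` output quoted there and reports whether the faulting instruction reads through a null or near-null address. The gdb text embedded below is copied from comment 1; `triage`, `register_value` and `near_null_limit` are this example's own names.

```python
import re

# Constructed sample: the crash site, "$pc" disassembly and register dump are copied
# from comment 1 of this bug report; nothing here was re-run against the engine.
GDB_OUTPUT = """\
Program received signal SIGSEGV, Segmentation fault.
0x000000000075d3af in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404
404 return intervals_[i];
(gdb) x /i $pc
=> 0x75d3af <js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo()+2895>: mov (%rax),%rax
(gdb) info reg rax
rax 0x0 0
"""

SIGNAL_RE = re.compile(r"Program received signal (\w+)")
# "=> <addr> <symbol+off>: mnemonic operands"; the symbol can contain nested <...>,
# so the angle-bracket part is matched greedily up to the last ">:".
INSN_RE = re.compile(r"^=> 0x[0-9a-f]+ <.*>:\s+(\w+)\s+(.*)$", re.M)
# AT&T memory operand: optional displacement, then the base register ("0x8(%rax,%rcx,8)").
MEM_RE = re.compile(r"(-?0x[0-9a-f]+|-?\d+)?\(%(\w+)")


def register_value(gdb_text, reg):
    """Read `reg` from an 'info reg' line such as 'rax 0x0 0'; None if not dumped."""
    m = re.search(rf"^{reg}\s+0x([0-9a-f]+)", gdb_text, re.M)
    return int(m.group(1), 16) if m else None


def triage(gdb_text, near_null_limit=0x10000):
    """Classify the fault at $pc; returns signal, mnemonic, base register,
    effective address (base + displacement, index ignored) and a verdict."""
    sig, insn = SIGNAL_RE.search(gdb_text), INSN_RE.search(gdb_text)
    if not sig or not insn:
        return {"verdict": "unparsed"}
    result = {"signal": sig.group(1), "mnemonic": insn.group(1)}
    mem = MEM_RE.search(insn.group(2))
    if not mem:
        return dict(result, verdict="no-memory-operand")
    disp = int(mem.group(1), 0) if mem.group(1) else 0
    result["base"] = mem.group(2)
    value = register_value(gdb_text, result["base"])
    if value is None:
        return dict(result, verdict="register-not-dumped")
    result["address"] = (value + disp) & 0xFFFFFFFFFFFFFFFF
    # An access through the first pages is the classic null (or near-null, i.e. a field
    # of a null object) dereference; any other bad address deserves a closer look.
    result["verdict"] = "near-null-deref" if result["address"] < near_null_limit else "wild-pointer"
    return result
```

The verdict is only a first-pass label: as the report notes, the MIR type assertion behind this crash is the finding that matters, because the same root cause can surface at a different site with a non-null pointer.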
Updated•12 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2•12 years ago (Reporter)
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: 122584:b831500ca4be
user: David Anderson
date: Thu Feb 21 13:52:09 2013 -0800
summary: Prevent GC from occuring during IC linking (bug 837714, r=bhackett).
changeset: 122585:437c955ff06d
user: Nicolas B. Pierron
date: Wed Jan 30 07:41:01 2013 -0800
summary: Bug 796114 - Inline with type-checked arguments. r=h4writer
changeset: 122586:5054f997ef77
user: Gregory Szorc
date: Thu Feb 21 14:11:54 2013 -0800
summary: Bug 841074 - Statically declare fields on FHR measurements; r=rnewman
changeset: 122587:6c126d076b0d
user: Phil Ringnalda
date: Thu Feb 21 14:26:04 2013 -0800
summary: Back out b831500ca4be (bug 837714) for bustage
This iteration took 78.562 seconds to run.
Comment 3•12 years ago (Reporter)
Likely bug 796114 again, needinfo from Nicolas :)
Flags: needinfo?(nicolas.b.pierron)
Comment 4•12 years ago
(In reply to Christian Holler (:decoder) from comment #3)
> Likely bug 796114 again, needinfo from Nicolas :)
Yes, this is likely. Taking it and fixing it soonish.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Comment 5•12 years ago
Attachment #726413 -
Flags: review?(hv1989)
Comment 7•12 years ago (Assignee)
The bug is actually fixed by 851067. But we had an interim solution in bug 844452 and this patch would take it even further. Since the landing of 851067 both patches aren't needed. Therefore I back it out. I added the testcase to be sure we are notified when this bug returns.
Assignee: nicolas.b.pierron → hv1989
Attachment #726413 -
Attachment is obsolete: true
Attachment #726413 -
Flags: review?(hv1989)
Attachment #726933 -
Flags: review?(nicolas.b.pierron)
Updated•12 years ago
Attachment #726933 -
Flags: review?(nicolas.b.pierron) → review+
Comment 8•12 years ago (Assignee)
Comment 9•12 years ago
(In reply to Hannes Verschore [:h4writer] from comment #8)
> Thanks,
> https://hg.mozilla.org/integration/mozilla-inbound/rev/bbb0081483d9
https://hg.mozilla.org/mozilla-central/rev/bbb0081483d9
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox22:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Updated•12 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 10•12 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Comment 11•11 years ago
I assume Firefox 21 is unaffected here based on regression dates.
status-firefox21:
--- → unaffected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Updated•11 years ago
Group: core-security