Closed Bug 852140 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1848 or Crash [@ getInterval]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: h4writer)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update][adv-main22-])

Crash Data

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on mozilla-central revision b03bb3ce8cee (run with --ion-eager): function reportCompare (expected, actual) { if (expected != actual) {} } function exitFunc (funcName) reportCompare(undefined, ''); reportCompare('', ''); exitFunc();
Crash trace: Program received signal SIGSEGV, Segmentation fault. 0x000000000075d3af in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404 404 return intervals_[i]; (gdb) bt #0 0x000000000075d3af in getInterval (i=0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.h:404 #1 js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo (this=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/LiveRangeAllocator.cpp:699 #2 0x0000000000755d88 in js::ion::LinearScanAllocator::go (this=0x7fffffffca60) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1137 #3 0x0000000000701976 in js::ion::GenerateLIR (mir=0xc59d28, maybeMasm=0x0) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1045 #4 0x0000000000703236 in CompileBackEnd (mir=0xc59d28, maybeMasm=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1120 #5 compile (autoDelete=<synthetic pointer>, builder=0xc59d28, this=<optimized out>, graph=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1315 #6 js::ion::IonCompile<js::ion::SequentialCompileContext> (cx=0xbade30, script=0xc59d28, fun=(JSFunction *) 0x7ffff603ce80 [object Function "exitFunc"], osrPc=0x0, constructing=false, compileContext=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1248 #7 0x00000000007038ae in js::ion::Compile<js::ion::SequentialCompileContext> (cx=<optimized out>, script=0x7ffff6032280, fun=..., osrPc=<optimized out>, constructing=<optimized out>, compileContext=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1468 #8 0x0000000000703b65 in js::ion::CanEnter (cx=0xbade30, script=0x7ffff6032280, fp=..., isConstructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1567 #9 0x00000000004b2632 in js::Interpret (cx=0xbade30, entryFrame=0x7ffff62f4038, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2427 #10 0x00000000004b7b6b in js::RunScript (cx=0xbade30, fp=0x7ffff62f4038) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:341 #11 0x00000000004bd8a3 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0x7ffff6032100, cx=0xbade30, type=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:531 #12 js::Execute (cx=0xbade30, script=0x7ffff6032100, scopeChainArg=..., rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:571 #13 0x0000000000424451 in JS_ExecuteScript (cx=0xbade30, objArg=(JSObject *) 0x7ffff602e060 [object global] delegate, scriptArg=<optimized out>, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5535 #14 0x000000000040fa1e in Process (cx=0xbade30, obj_=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>) at /srv/repos/mozilla-central/js/src/shell/js.cpp:468 #15 0x0000000000413e94 in ProcessArgs (op=0x7fffffffdbc0, obj_=(JSObject *) 0x7ffff602e060 [object global] delegate, cx=0xbade30) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5030 #16 Shell (cx=0xbade30, op=0x7fffffffdbc0, envp=<optimized out>) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5067 #17 0x000000000040453f in main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffffffdd98) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5291 (gdb) x /i $pc => 0x75d3af <js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo()+2895>: mov (%rax),%rax (gdb) info reg rax rax 0x0 0 Looks like a null-deref but filing s-s because the assertion could indicate a security problem. We already have other bugs on file with this assert, but I'm filing this anyway because this crashes differently and last time we missed at least one of these bugs because we thought they would be the same. If this is a dup to the others, JSBugMon should automatically find out once they are fixed.
Blocks: IonFuzz
Crash Signature: [@ getInterval]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of: changeset: 122584:b831500ca4be user: David Anderson date: Thu Feb 21 13:52:09 2013 -0800 summary: Prevent GC from occuring during IC linking (bug 837714, r=bhackett). changeset: 122585:437c955ff06d user: Nicolas B. Pierron date: Wed Jan 30 07:41:01 2013 -0800 summary: Bug 796114 - Inline with type-checked arguments. r=h4writer changeset: 122586:5054f997ef77 user: Gregory Szorc date: Thu Feb 21 14:11:54 2013 -0800 summary: Bug 841074 - Statically declare fields on FHR measurements; r=rnewman changeset: 122587:6c126d076b0d user: Phil Ringnalda date: Thu Feb 21 14:26:04 2013 -0800 summary: Back out b831500ca4be (bug 837714) for bustage This iteration took 78.562 seconds to run.
Likely bug 796114 again, needinfo from Nicolas :)
Flags: needinfo?(nicolas.b.pierron)
(In reply to Christian Holler (:decoder) from comment #3) > Likely bug 796114 again, needinfo from Nicolas :) Yes, this is likely. Taking it and fixing it soonish.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Blocks: 796114
Attachment #726413 - Flags: review?(hv1989)
Attached patch Counter proposal (deleted) — Splinter Review
The bug is actually fixed by 851067. But we had an interim solution in bug 844452 and this patch would take it even further. Since the landing of 851067 both patches aren't needed. Therefore I back it out. I added the testcase to be sure we are notified when this bug returns.
Assignee: nicolas.b.pierron → hv1989
Attachment #726413 - Attachment is obsolete: true
Attachment #726413 - Flags: review?(hv1989)
Attachment #726933 - Flags: review?(nicolas.b.pierron)
Attachment #726933 - Flags: review?(nicolas.b.pierron) → review+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
I assume Firefox 21 is unaffected here based on regression dates.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: