Closed
Bug 980371
Opened 11 years ago
Closed 11 years ago
Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Bad input type)), at jit/IonBuilder.cpp:6340 or SIGILL
Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED WORKSFORME

| | Tracking | Status |
|---|---|---|
| firefox29 | --- | unaffected |
| firefox30 | --- | affected |
People: Reporter: decoder, Unassigned
Keywords: assertion, crash, testcase
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore]
Attachments: 1 file (patch, deleted)
The following testcase asserts on mozilla-central revision 8122ffa9e1aa (run with --fuzzing-safe --ion-eager):
var float32x4 = SIMD.float32x4;
var a = float32x4(1, 20, 3, 40);
var b = float32x4(10, 2, 30, 4);
var c = SIMD.float32x4.min(a, b);
for (var i = 2 ; i < 8; i++)
f();
Comment 1 • 11 years ago (Reporter)
Crashes with illegal instruction in an opt-build. SIMD is enabled on nightly only and this could be sec-critical, so marking s-s.
Comment 2 • 11 years ago (Reporter)
Niko, this is a fuzzblocker, can you take a look?
Flags: needinfo?(nmatsakis)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Comment 3 • 11 years ago
Not setting myself to assigned or asking for review, as this is just a workaround and just redirects to bug 980400, but it will lower the fury of fuzzers.
These SIMD patches seem not complete, as we have MIR nodes that are not implemented in the lowering side.
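To make the diagnosis in the comment above concrete, here is an added model (not SpiderMonkey's code) of how a MIR node that the builder side emits, but the lowering side never learned to handle, ends up in a branch declared unreachable, and of the defensive shape that reports the gap instead. The opcode set `MOp`, the `SimdMin` node, and the functions `lowerUnchecked`, `lowerChecked` and `unsupportedOps` are all hypothetical names chosen for this example; the `default:` branch in the unchecked version is an assumption modeled on the "Bad input type" message in the bug title, not a quotation of IonBuilder.cpp.

```cpp
// Added example (not SpiderMonkey code): a model of an incomplete JIT patch,
// where IonBuilder can emit a MIR node that lowering has no case for.
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical MIR opcode set. SimdMin stands in for a node that a builder
// patch adds without a matching lowering case (the situation comment 3 describes).
enum class MOp { Add, Sub, SimdMin };

struct MNode {
  MOp op;
};

// Raised where the real code would hit MOZ_ASSUME_UNREACHABLE. In a debug build
// that macro asserts (the "Bad input type" message in the bug title); in an
// optimized build the report shows it surfacing as an illegal instruction.
// Modeled as an exception here so the example runs without crashing.
struct UnreachableReached : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// The hazardous shape: every opcode is assumed handled and the fall-through is
// declared impossible, so a newly added opcode silently breaks the assumption.
std::string lowerUnchecked(const MNode& n) {
  switch (n.op) {
    case MOp::Add:
      return "LAdd";
    case MOp::Sub:
      return "LSub";
    default:
      throw UnreachableReached("Bad input type");  // stands in for MOZ_ASSUME_UNREACHABLE
  }
}

// Yes/no wrapper for callers (and tests) that do not want to catch the exception.
bool reachesUnreachable(const MNode& n) {
  try {
    lowerUnchecked(n);
    return false;
  } catch (const UnreachableReached&) {
    return true;
  }
}

// The defensive shape: lowering reports what it cannot handle so the compiler
// can abort the Ion compilation and leave the script on the non-Ion path
// instead of trapping. No default on purpose: with -Wswitch, a compiler flags
// a newly added opcode that has no case here.
enum class LowerStatus { Ok, Unsupported };

LowerStatus lowerChecked(const MNode& n, std::string* lir) {
  switch (n.op) {
    case MOp::Add:
      *lir = "LAdd";
      return LowerStatus::Ok;
    case MOp::Sub:
      *lir = "LSub";
      return LowerStatus::Ok;
    case MOp::SimdMin:
      break;  // known to the builder, not yet implemented in lowering
  }
  lir->clear();
  return LowerStatus::Unsupported;
}

// Convenience wrappers so status and output can be queried separately.
LowerStatus lowerStatus(MOp op) {
  std::string s;
  return lowerChecked(MNode{op}, &s);
}

std::string lowerOutput(MOp op) {
  std::string s;
  lowerChecked(MNode{op}, &s);
  return s;
}

// Exhaustiveness check: every opcode the builder may emit is run through the
// checked lowering, and whatever comes back Unsupported is a node that must not
// reach codegen. A test asserting this list is empty catches an incomplete
// patch before it lands, which is what keeping the fuzzer's testcase is for.
std::vector<MOp> unsupportedOps() {
  const MOp all[] = {MOp::Add, MOp::Sub, MOp::SimdMin};
  std::vector<MOp> missing;
  std::string unused;
  for (MOp op : all) {
    if (lowerChecked(MNode{op}, &unused) == LowerStatus::Unsupported) {
      missing.push_back(op);
    }
  }
  return missing;
}
```

In the model, `unsupportedOps()` returns exactly the hypothetical `SimdMin` node, which is the gap the bug describes: the builder knows the operation, lowering does not. Turning that list into a test that must be empty moves the failure from a runtime trap in an optimized build to a failing check at review time.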
Updated • 11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 4 • 11 years ago (Reporter)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/7efaabf97f0c
user: Haitao Feng
date: Tue Mar 04 20:06:26 2014 -0500
summary: Bug 943769 Part 2 -- Set up SIMD inlining infrastructure r=nmatsakis
This iteration took 0.973 seconds to run.
Updated • 11 years ago (Reporter)
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
Comment 5 • 11 years ago (Reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0dc1be930880).
Comment 6 • 11 years ago
Since this doesn't reproduce any more, does it need more investigation? Did some SIMD fix land recently?
status-firefox29: --- → unaffected
Flags: needinfo?(choller)
Comment 7 • 11 years ago (Reporter)
Nope, the offending patch was backed out. I don't know if Niko wants to use the test here to prevent this incomplete patch from being landed again.
Flags: needinfo?(choller)
Comment 8 • 11 years ago
I think we can just close this. The problem is relatively obvious! The patch was incomplete.
Flags: needinfo?(nmatsakis)
Comment 9 • 11 years ago (Reporter)
Thanks Niko.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 7 years ago
Group: core-security-release