Closed
Bug 1174322
Opened 9 years ago
Closed 8 years ago
Assertion failure: (object->as<UnboxedPlainObject>().setValue(cx, properties[i], val)), at jit/Recover.cpp
Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED WONTFIX (Target Milestone: mozilla41)

Tracking | Status
---|---
firefox41 | fixed

People: Reporter: gkw, Assigned: nbp
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update,ignore]
Attachments (2 files): text/plain (deleted); patch (deleted), bhackett1024: review+
function f(y) {
Math.min(NaN) ? a : y
}
function g(y) {
f({
e: false
})
}
x = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
for (var j = 0; j < 23; ++j) {
g(x[j])
}
asserts js debug shell on m-c changeset 203e1025a826 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: (object->as<UnboxedPlainObject>().setValue(cx, properties[i], val)), at jit/Recover.cpp.
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 203e1025a826
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/46958967c522
user: Nicolas B. Pierron
date: Thu Jun 11 14:30:33 2015 +0200
summary: Bug 1166711 part 2.5 - ScalarReplacement: Replace M{Store,Load}UnboxedScalar by an offset on the MObjectState. r=bhackett
Nicolas, is bug 1166711 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Comment 1 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x14a036, 0x0000000100658c25 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::RObjectState::recover(this=<unavailable>, cx=0x0000000101fa5180, iter=<unavailable>) const + 693 at Recover.cpp:1386, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100658c25 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::RObjectState::recover(this=<unavailable>, cx=0x0000000101fa5180, iter=<unavailable>) const + 693 at Recover.cpp:1386
frame #1: 0x000000010058ee13 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::SnapshotIterator::computeInstructionResults(this=<unavailable>, cx=0x0000000101fa5180, results=0x00007fff5fbfec58) const + 307 at JitFrames.cpp:2257
frame #2: 0x000000010058e36d js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::SnapshotIterator::initInstructionResults(this=0x00007fff5fbfe0c8, fallback=0x00007fff5fbfdfb8) + 477 at JitFrames.cpp:2211
frame #3: 0x00000001004437d7 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JitFrameIterator&, bool, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) [inlined] SnapshotIteratorForBailout::init(this=<unavailable>) + 60 at BaselineBailouts.cpp:436
frame #4: 0x000000010044379b js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::BailoutIonToBaseline(cx=0x0000000101fa5180, activation=<unavailable>, iter=0x00007fff5fbfe460, invalidate=false, bailoutInfo=0x00007fff5fbfe798, excInfo=0x0000000000000000) + 603 at BaselineBailouts.cpp:1478
(lldb)
Comment 2 • 9 years ago (Assignee)
I'll investigate now.
Comment hidden (obsolete)
Comment 4 • 9 years ago (Assignee)
Ok, I was able to reproduce this issue. Apparently MStoreUnboxedScalar coerces the boolean operands to an Int32, which causes the setValue() call within the recover instruction to be called with an int while the property was expected to be a boolean.
Assignee: nobody → nicolas.b.pierron
Comment 5 • 9 years ago (Assignee)
Attachment #8623194 - Flags: review?(bhackett1024)
Updated • 9 years ago (Assignee)
Flags: needinfo?(nicolas.b.pierron)
Updated • 9 years ago (Assignee)
Component: JavaScript Engine → JavaScript Engine: JIT
Updated • 9 years ago
Attachment #8623194 - Flags: review?(bhackett1024) → review+
Comment 7 • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Comment 8 • 9 years ago
backed out by nbp in https://hg.mozilla.org/mozilla-central/rev/b772e603c42f
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated • 9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 9 • 9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 56e207dbb3bd).
Comment 10 • 8 years ago (Reporter)
(In reply to Carsten Book [:Tomcat] from comment #8)
> backed out by nbp in https://hg.mozilla.org/mozilla-central/rev/b772e603c42f
Nicolas, is this bug still relevant since bug 1165348 is now WONTFIX'ed?
Flags: needinfo?(nicolas.b.pierron)
Comment 11 • 8 years ago (Assignee)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #10)
> (In reply to Carsten Book [:Tomcat] from comment #8)
> > backed out by nbp in https://hg.mozilla.org/mozilla-central/rev/b772e603c42f
>
> Nicolas, is this bug still relevant since bug 1165348 is now WONTFIX'ed?
No, this bug is no longer relevant.
Thanks.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 8 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → WONTFIX