Closed Bug 1178767 Opened 9 years ago Closed 9 years ago

Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747 with signature js::array_join std::_Atomic_store_4

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1175538

People

(Reporter: cbook, Unassigned)

References

Details

(Keywords: assertion, sec-high)

Attachments

(1 file)

bughunter stack
(deleted), text/plain
Details
Attached file bughunter stack (deleted) —
filed as spin off from bug 1175538 since this might a different issue. Bughunter found a crash on http://flight.qunar.com/site/interroundtrip_compare.htm?fromCity=%C3%83%C2%A5%C3%82%C2%BE%C3%82%C2%90%C3%83%C2%A5%C3%82%C2%B7%C3%82%C2%9E&toCity=%C3%83%C2%A5%C3%82%C2%8F%C3%82%C2%B0%C3%83%C2%A5%C3%82%C2%8C%C3%82%C2%97&fromDate=2015-06-25&toDate=2015-07-02&fromCode=XUZ&toCode=TPE&from=flight_int_search&ex_track=auto_50e69a47&lowestPrice=null&isInter=true&favorit and this resulted in Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747 and the signature: js::array_join std::_Atomic_store_4
guessing sec-high based on bugs with similar assertions, but just a guess at this point
Keywords: sec-high
Blocks: 1181590
Carsten, does this still reproduce?
Flags: needinfo?(cbook)
(In reply to Andrew McCreight [:mccr8] from comment #2) > Carsten, does this still reproduce? yep still asserts on load very fast/quickly on the url from comment #0 what seems only changed is the line number Assertion failure: MIR instruction returned object with unexpected type, at c:/Users/mozilla/debug-b uilds/mozilla-central/js/src/jit/MacroAssembler.cpp:1789 before it was 1747 :( jandem: do you know who could take a look at this ? before it was
Flags: needinfo?(cbook) → needinfo?(jdemooij)
Hannes, would you mind bisecting/investigating this to see if that tells us something? Usually I don't mind doing this myself but we've had a lot of these bugs lately.
Flags: needinfo?(jdemooij) → needinfo?(hv1989)
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f9e71f980245&tochange=e5ea732b4531 The only thing I see in there is: bhackett@mozilla.com Sun Jun 14 15:02:56 2015 +0000 19d5d9619443 Brian Hackett — Bug 1162986 - Allow objects to be turned into singletons dynamically, r=jandem. So probably same as bug 1175538. Best to fix that bug first (Easier to debug) and see if it fixes this too.
Flags: needinfo?(hv1989) → needinfo?(bhackett1024)
I can reproduce this, but not without the patch for bug 1175538, so pretty sure this is a dupe.
Flags: needinfo?(bhackett1024)
Group: core-security → javascript-core-security
(In reply to Brian Hackett (:bhackett) (Only available via email through 1/5) from comment #6) > I can reproduce this, but not without the patch for bug 1175538, so pretty > sure this is a dupe. Closing as duplicate then.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: