Closed
Bug 1178767
Opened 9 years ago
Closed 9 years ago
Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747 with signature js::array_join std::_Atomic_store_4
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
DUPLICATE
of bug 1175538
People
(Reporter: cbook, Unassigned)
References
Details
(Keywords: assertion, sec-high)
Attachments
(1 file)
(deleted),
text/plain
|
Details |
filed as spin off from bug 1175538 since this might a different issue.
Bughunter found a crash on http://flight.qunar.com/site/interroundtrip_compare.htm?fromCity=%C3%83%C2%A5%C3%82%C2%BE%C3%82%C2%90%C3%83%C2%A5%C3%82%C2%B7%C3%82%C2%9E&toCity=%C3%83%C2%A5%C3%82%C2%8F%C3%82%C2%B0%C3%83%C2%A5%C3%82%C2%8C%C3%82%C2%97&fromDate=2015-06-25&toDate=2015-07-02&fromCode=XUZ&toCode=TPE&from=flight_int_search&ex_track=auto_50e69a47&lowestPrice=null&isInter=true&favorit
and this resulted in Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747
and the signature:
js::array_join std::_Atomic_store_4
Comment 1•9 years ago
|
||
guessing sec-high based on bugs with similar assertions, but just a guess at this point
Keywords: sec-high
Reporter | ||
Comment 3•9 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #2)
> Carsten, does this still reproduce?
yep still asserts on load very fast/quickly on the url from comment #0
what seems only changed is the line number
Assertion failure: MIR instruction returned object with unexpected type, at c:/Users/mozilla/debug-b
uilds/mozilla-central/js/src/jit/MacroAssembler.cpp:1789 before it was 1747 :(
jandem: do you know who could take a look at this ?
before it was
Flags: needinfo?(cbook) → needinfo?(jdemooij)
Comment 4•9 years ago
|
||
Hannes, would you mind bisecting/investigating this to see if that tells us something? Usually I don't mind doing this myself but we've had a lot of these bugs lately.
Flags: needinfo?(jdemooij) → needinfo?(hv1989)
Comment 5•9 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f9e71f980245&tochange=e5ea732b4531
The only thing I see in there is:
bhackett@mozilla.com
Sun Jun 14 15:02:56 2015 +0000 19d5d9619443 Brian Hackett — Bug 1162986 - Allow objects to be turned into singletons dynamically, r=jandem.
So probably same as bug 1175538. Best to fix that bug first (Easier to debug) and see if it fixes this too.
Flags: needinfo?(hv1989) → needinfo?(bhackett1024)
Comment 6•9 years ago
|
||
I can reproduce this, but not without the patch for bug 1175538, so pretty sure this is a dupe.
Flags: needinfo?(bhackett1024)
Updated•9 years ago
|
Group: core-security → javascript-core-security
Comment 7•9 years ago
|
||
(In reply to Brian Hackett (:bhackett) (Only available via email through 1/5) from comment #6)
> I can reproduce this, but not without the patch for bug 1175538, so pretty
> sure this is a dupe.
Closing as duplicate then.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
|
Group: javascript-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•