Closed
Bug 1185746
Opened 9 years ago
Closed 9 years ago
Assertion failure: obj->lastProperty() == templateObject->as<ArrayObject>().lastProperty(), at vm/Interpreter.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
| | Tracking | Status |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Attachments
(1 file: deleted, text/plain)
// Randomly chosen test: js/src/jit-test/tests/ion/popn.js
evalcx("\
setJitCompilerOption(\"ion.warmup.trigger\", 1);\
setObjectMetadataCallback(true);\
var a = new Array(5);\
(function() {\
for (var i = 0; i < 1; ++i) {}\
for (var i = 0; i < 9; ++i) {\
var [r, g, b] = [1, i, -10];\
}\
})();\
// jsfunfuzz-generated
", newGlobal())
asserts js debug shell on m-c changeset d00e4167b482 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: obj->lastProperty() == templateObject->as<ArrayObject>().lastProperty(), at vm/Interpreter.cpp
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r d00e4167b482
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3a464761991d
user: Jim Blandy
date: Thu May 07 11:34:03 2015 -0700
summary: Bug 1050500: Add SpiderMonkey API for reporting JavaScript entry points. r=shu
Jim, is bug 1050500 a likely regressor, or did it merely expose the bug?
Flags: needinfo?(jimb)
Comment 1 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x37d24d, 0x0000000100263ed9 js-dbg-64-dm-nsprBuild-darwin-d00e4167b482`js::NewArrayOperationWithTemplate(cx=<unavailable>, templateObject=<unavailable>) + 553 at Interpreter.cpp:4782, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100263ed9 js-dbg-64-dm-nsprBuild-darwin-d00e4167b482`js::NewArrayOperationWithTemplate(cx=<unavailable>, templateObject=<unavailable>) + 553 at Interpreter.cpp:4782
frame #1: 0x0000000100499fd2 js-dbg-64-dm-nsprBuild-darwin-d00e4167b482`js::jit::DoNewArray(cx=0x00000001028a3180, frame=<unavailable>, stub=<unavailable>, length=<unavailable>, res=<unavailable>) + 130 at BaselineIC.cpp:975
frame #2: 0x0000000101dc7347
frame #3: 0x0000000101dbfdc4
frame #4: 0x00000001004d5cb3 js-dbg-64-dm-nsprBuild-darwin-d00e4167b482`EnterBaseline(cx=0x0000000000000204, data=0xfff8800000000009) + 419 at BaselineJIT.cpp:124
(lldb)
Updated • 9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 2 • 9 years ago
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Comment 3 • 9 years ago (Reporter)
I can't reproduce this anymore, not even with the original changeset. -> WORKSFORME
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jimb) → in-testsuite?
Resolution: --- → WORKSFORME