Closed Bug 1274048 Opened 8 years ago Closed 8 years ago

Assertion failure: high > low, at js/src/vm/CodeCoverage.cpp:255

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla49
Tracking Status
firefox49 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision c4449eab07d3 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

function f() {
    throw new Error;
}
function g() {
    switch (h()) {}
}
getLcovInfo();

Backtrace:

0 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ada48cf js::coverage::LCovSource::writeScript(JSScript*) + 5007 (CodeCoverage.cpp:255)
1 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ada49ef js::coverage::LCovCompartment::collectCodeCoverageInfo(JSCompartment*, JSObject*, JSScript*) + 79 (CodeCoverage.cpp:403)
2 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ad25d14 js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1332 (jsopcode.cpp:2067)
3 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010b0954c5 GetLcovInfo(JSContext*, unsigned int, JS::Value*) + 213 (TestingFunctions.cpp:3376)
4 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ae8f59e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292
user: Nicolas B. Pierron
date: Tue May 17 17:15:52 2016 +0000
summary: Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode. r=jandem,jorendorff,shu

Nicolas, is bug 1261826 a likely regressor?
Blocks: 1261826
Flags: needinfo?(nicolas.b.pierron)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> autoBisect shows this is probably related to the following changeset:
>
> The first bad revision is:
> changeset: https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292
> user: Nicolas B. Pierron
> date: Tue May 17 17:15:52 2016 +0000
> summary: Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode.
> r=jandem,jorendorff,shu
>
> Nicolas, is bug 1261826 a likely regressor?

Yes, this is more than likely. I will keep the ni? and fix that within the upcoming week.
Flags: needinfo?(nicolas.b.pierron)
Comment on attachment 8754443 [details] [diff] [review] Code Coverage: Fix assertion to account for empty switch statements. Review of attachment 8754443 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/CodeCoverage.cpp @@ +251,5 @@ > > // Get the low and high from the tableswitch > int32_t low = GET_JUMP_OFFSET(pc + JUMP_OFFSET_LEN * 1); > int32_t high = GET_JUMP_OFFSET(pc + JUMP_OFFSET_LEN * 2); > + MOZ_ASSERT(high - low + 1 >= 0); MOZ_ASSERT(high + 1 >= low)?
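Review bot: In the added line `MOZ_ASSERT(high - low + 1 >= 0)`, the subtraction is evaluated in int32_t, because `low` and `high` are both declared int32_t on the two lines above it, so bounds that are far apart (for example a negative `low` with `high` near INT32_MAX) overflow before the comparison is made. Widening both operands to int64_t inside the assertion would avoid that. A one-line comment stating that high == low - 1 is the empty-switch case the patch title refers to would also make the relaxed bound easier to understand later.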
Attachment #8754443 - Flags: review?(bhackett1024) → review+
(In reply to Brian Hackett (:bhackett) from comment #5)
> > + MOZ_ASSERT(high - low + 1 >= 0);
>
> MOZ_ASSERT(high + 1 >= low)?

This would cause a false positive assertion on overflow if high is INT32_MAX. Also, the above expression is the one which is just above the "size_t numCase" variable defined the same way.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
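The three assertion forms that appear in this bug (the original `high > low`, the patch's `high - low + 1 >= 0`, and the reviewer's `high + 1 >= low`) can be compared without relying on signed overflow by evaluating them in 64-bit arithmetic. This is an added example, not SpiderMonkey code or part of the attachment; the function names are hypothetical, the ranges are constructed, and it assumes an empty switch is encoded with high == low - 1.

```cpp
// Added example, not SpiderMonkey code; names are hypothetical, empty switch assumed high == low - 1.
#include <cstdint>
#include <cstdio>
#include <limits>

struct Check {
    bool holds;      // value of the predicate in exact (64-bit) arithmetic
    bool overflows;  // true if evaluating it in int32_t would overflow
};

static bool fitsInt32(int64_t v) {
    return v >= std::numeric_limits<int32_t>::min() &&
           v <= std::numeric_limits<int32_t>::max();
}

// Original assertion: high > low. No arithmetic, so it cannot overflow.
Check originalForm(int32_t low, int32_t high) {
    return {high > low, false};
}

// Patch form: high - low + 1 >= 0 (subtraction first, then the increment).
Check patchForm(int32_t low, int32_t high) {
    int64_t diff = int64_t(high) - int64_t(low);
    return {diff + 1 >= 0, !fitsInt32(diff) || !fitsInt32(diff + 1)};
}

// Reviewer's suggestion: high + 1 >= low.
Check reviewerForm(int32_t low, int32_t high) {
    int64_t next = int64_t(high) + 1;
    return {next >= int64_t(low), !fitsInt32(next)};
}

// Overflow-free case count: -1 for an invalid range, else high - low + 1.
int64_t numCases(int32_t low, int32_t high) {
    int64_t n = int64_t(high) - int64_t(low) + 1;
    return n >= 0 ? n : -1;
}

int main() {
    const int32_t max = std::numeric_limits<int32_t>::max();
    const int32_t ranges[][2] = {{0, -1}, {1, 3}, {5, max}, {-1, max}};  // constructed {low, high}
    for (auto& r : ranges) {
        Check o = originalForm(r[0], r[1]), p = patchForm(r[0], r[1]), v = reviewerForm(r[0], r[1]);
        std::printf("low=%d high=%d orig=%d patch=%d%s reviewer=%d%s cases=%lld\n",
                    r[0], r[1], o.holds, p.holds, p.overflows ? "(ovf)" : "",
                    v.holds, v.overflows ? "(ovf)" : "", (long long)numCases(r[0], r[1]));
    }
}
```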