Closed
Bug 1280710
Opened 8 years ago
Closed 7 years ago
Assertion failure: op < JSOP_LIMIT, at js/src/jsopcode.h:604
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla56
People
(Reporter: gkw, Assigned: nbp)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(1 file)
|
(deleted),
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 5f95858f8ddf (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-pgo=on):
function f(x) {
switch (1) {
default: switch (1) {}
}
};
f();
getLcovInfo();
Backtrace:
0 js-dbg-64-dm-clang-darwin-5f95858f8ddf 0x0000000104a5a2fb js::coverage::LCovSource::writeScript(JSScript*) + 4859 (jsopcode.h:604)
1 js-dbg-64-dm-clang-darwin-5f95858f8ddf 0x0000000104a5a52f js::coverage::LCovCompartment::collectCodeCoverageInfo(JSCompartment*, JSObject*, JSScript*) + 79 (CodeCoverage.cpp:420)
2 js-dbg-64-dm-clang-darwin-5f95858f8ddf 0x00000001049a9614 js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1604 (jsopcode.cpp:2065)
3 js-dbg-64-dm-clang-darwin-5f95858f8ddf 0x0000000104d4a915 GetLcovInfo(JSContext*, unsigned int, JS::Value*) + 229 (TestingFunctions.cpp:3415)
4 js-dbg-64-dm-clang-darwin-5f95858f8ddf 0x0000000104b154ce js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20160602061152" and the hash "3d68250b133166b7d65dc99c963fac5fa0ef1439".
The "bad" changeset has the timestamp "20160602064143" and the hash "e838c11fd532d3bf3d7562fe56337a7a1bcd3c6b".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3d68250b133166b7d65dc99c963fac5fa0ef1439&tochange=e838c11fd532d3bf3d7562fe56337a7a1bcd3c6b
Nicolas, is bug 1274588 a likely regressor?
Blocks: 1274588
Flags: needinfo?(nicolas.b.pierron)
|
Assignee | |
Comment 3•8 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Nicolas, is bug 1274588 a likely regressor?
Yes, this is likely.
Note, this is a low priority as the releng team depends on the Devtools implementation and not the LCov implementation at the moment. Also note that the LCov implementation is not exposed to the web either.
|
||
Updated•7 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 4•7 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 04b6be50a252).
|
|
Reporter | |
Comment 5•7 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/da3b6b55ed0b
user: Nicolas B. Pierron
date: Thu Jul 20 16:20:14 2017 +0000
summary: Bug 1304569 - JS Code Coverage: Simplify checks for the last found case-statement body. r=bhackett
Nicolas, is bug 1304569 a likely fix?
|
|
Assignee | |
Comment 6•7 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Nicolas, is bug 1304569 a likely fix?
Yes, it is.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 7•7 years ago
|
||
Fix is known -> switching resolution to FIXED by bug 1304569.
Resolution: DUPLICATE → FIXED
|
||
Updated•7 years ago
|
Assignee: nobody → nicolas.b.pierron
status-firefox50:
affected → ---
status-firefox55:
--- → wontfix
status-firefox56:
--- → fixed
status-firefox-esr52:
--- → wontfix
Depends on: 1304569
Target Milestone: --- → mozilla56
You need to log in
before you can comment on or make changes to this bug.
Description
•