Closed Bug 1291887 Opened 8 years ago Closed 8 years ago

Crash [@ js::jit::MBasicBlock::end] or Assertion failure: !inDeadCode(), at js/src/asmjs/WasmIonCompile.cpp:938

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: gkw, Assigned: luke)

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 331c4166a3a2 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

(function(stdlib) {
    "use asm"
    var log = stdlib.Math.log
    function f(x) {
        x = +x
        var y = 3.
        return 0, y
        return +log(x) + y
    }
})()

Backtrace:

0 js-dbg-64-dm-clang-darwin-331c4166a3a2 0x000000010d014876 (anonymous namespace)::FunctionCompiler::callPrivate(js::jit::MAsmJSCall::Callee, js::jit::MAsmJSCall::PreservesTlsReg, (anonymous namespace)::FunctionCompiler::CallArgs const&, js::wasm::ExprType, js::jit::MDefinition**) + 310 (WasmIonCompile.cpp:938)
1 js-dbg-64-dm-clang-darwin-331c4166a3a2 0x000000010d00e06a EmitUnaryMathBuiltinCall((anonymous namespace)::FunctionCompiler&, unsigned int, js::wasm::SymbolicAddress, js::wasm::ValType) + 474 (WasmIonCompile.cpp:2293)
2 js-dbg-64-dm-clang-darwin-331c4166a3a2 0x000000010cff4c20 EmitExpr((anonymous namespace)::FunctionCompiler&) + 17904 (WasmIonCompile.cpp:3141)
3 js-dbg-64-dm-clang-darwin-331c4166a3a2 0x000000010cfefb43 js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) + 3571 (WasmIonCompile.cpp:3512)
4 js-dbg-64-dm-clang-darwin-331c4166a3a2 0x000000010cff902f js::wasm::CompileFunction(js::wasm::IonCompileTask*) + 111 (WasmIonCompile.cpp:3557)
5 js-dbg-64-dm-clang-darwin-331c4166a3a2 0x000000010ccb13da js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) + 330 (WasmGenerator.cpp:864)
6 js-dbg-64-dm-clang-darwin-331c4166a3a2 0x000000010cc3a757 CheckFunction(ModuleValidator&) + 6359 (AsmJS.cpp:7026)
/snip

For detailed crash information, see attachment.
This also crashes opt builds [@ js::jit::MBasicBlock::end].
Crash Signature: [@ js::jit::MBasicBlock::end]
Keywords: crash
Summary: Assertion failure: !inDeadCode(), at js/src/asmjs/WasmIonCompile.cpp:938 → Crash [@ js::jit::MBasicBlock::end] or Assertion failure: !inDeadCode(), at js/src/asmjs/WasmIonCompile.cpp:938
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c5bb9552230c
user: Luke Wagner
date: Tue Aug 02 10:14:30 2016 -0500
summary: Bug 1288944 - Baldr: move the Instance* into TlsData (r=jolesen)

Luke, is bug 1288944 a likely regressor?
Blocks: 1288944
Flags: needinfo?(luke)
Setting [fuzzblocker] because this seems to be happening very often. Also adding jsbugmon keyword.
Keywords: jsbugmon
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Attached patch bug-fix (deleted)
D'oh! I didn't look far down enough to see the fourth call of callPrivate().
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8777566 - Flags: review?(jolesen)
Attachment #8777566 - Flags: review?(jolesen) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d3b50142a70c
Odin: don't forget to check for dead code in builtin call (r=jolesen)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
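
A simplified model of the failure reported above, added here as an illustration; it is not SpiderMonkey source and not the attached patch. It assumes "dead code" means the compiler has no current basic block after a return, and every name other than inDeadCode and callPrivate is hypothetical.

```cpp
// Simplified model of the bug class; not SpiderMonkey source.
// Assumption: "dead code" means the compiler has no current basic block.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

class ToyFunctionCompiler {
    std::vector<std::string> block_;  // the single live basic block
    bool hasBlock_ = true;            // false once a return has ended it
  public:
    bool inDeadCode() const { return !hasBlock_; }
    std::size_t emitted() const { return block_.size(); }

    void emitReturn() {
        if (inDeadCode()) return;     // unreachable return: nothing to emit
        block_.push_back("return");
        hasBlock_ = false;            // everything after this is dead
    }
    // Low-level emitter with a precondition, like the assertion in the report.
    void callPrivate(const std::string& callee) {
        if (inDeadCode()) throw std::logic_error("!inDeadCode()");
        block_.push_back("call " + callee);
    }
    // Caller that forgets the check (the shape of the bug).
    void builtinCallUnguarded(const std::string& n) { callPrivate(n); }
    // Caller that skips emission in dead code (assumed shape of the fix,
    // going by the commit summary only).
    void builtinCallGuarded(const std::string& n) {
        if (inDeadCode()) return;
        callPrivate(n);
    }
};

// Models the testcase body: `return 0, y` followed by `return +log(x) + y`.
// Returns the number of instructions emitted, or -1 if the precondition fired.
int compileTestcase(bool guarded) {
    ToyFunctionCompiler f;
    try {
        f.emitReturn();                               // return 0, y
        if (guarded) f.builtinCallGuarded("log");     // +log(x), unreachable
        else         f.builtinCallUnguarded("log");
        f.emitReturn();                               // second return
    } catch (const std::logic_error&) {
        return -1;
    }
    return static_cast<int>(f.emitted());
}

int main() { return (compileTestcase(false) == -1 && compileTestcase(true) == 1) ? 0 : 1; }
```

In the model, the exception stands in for the debug-build assertion; a build without that check would instead operate on the missing block.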