Closed Bug 554675 Opened 15 years ago Closed 15 years ago

JM: Crash [@ 5cbffffb] or "Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../jsiter.cpp" or "Assertion failure: !JSVAL_IS_PRIMITIVE(f.sp[-2]), at ../methodjit/Stubs.cpp"

Categories: Core :: JavaScript Engine, defect
Platform: x86, macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: gkw; Assignee: Unassigned

(function() { try { (function() { for each(let x in [0, /x/, 0, {}]) { if (x < x) {} } })() } catch(e) {} })()

asserts js debug shell with -m and -j on JM tip at:

Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../jsiter.cpp:434.

===

Variants cause opt shell to crash unreliably:

function a(code) { var f = new Function("for each(let x in[false,'',/x/,'',{}]){if(x<x){(({}))}else if(x){}else{}}"); try { f() } catch(e) {} } a() a()

(pass this as a CLI argument into the shell)

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000005cbffffb
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 ??? 0x001fc4b8 0 + 2081976
1 js-opt-32-jm-darwin 0x00160bd6 js::methodjit::JaegerShot(JSContext*) + 102
2 js-opt-32-jm-darwin 0x00060250 js_Execute + 576
3 js-opt-32-jm-darwin 0x0000e44c JS_ExecuteScript + 60
4 js-opt-32-jm-darwin 0x00008416 Process(JSContext*, JSObject*, char*, int) + 1638
5 js-opt-32-jm-darwin 0x00009206 main + 1734
6 js-opt-32-jm-darwin 0x00002cdd _start + 208
7 js-opt-32-jm-darwin 0x00002c0c start + 40
(function() { for (e in [0, 0]) { if (/x/ < this) {} } })()

asserts js debug shell with -m and -j on JM tip at a similar assert:

Assertion failure: !JSVAL_IS_PRIMITIVE(f.sp[-2]), at ../methodjit/Stubs.cpp:2727
Summary: JM: Crash [@ js::methodjit::JaegerShot] or "Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../jsiter.cpp" → JM: Crash [@ js::methodjit::JaegerShot] or "Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../jsiter.cpp" or "Assertion failure: !JSVAL_IS_PRIMITIVE(f.sp[-2]), at ../methodjit/Stubs.cpp"
Great test case(s).

The method JIT optimizes pairs of opcodes like this:

LT
IFEQ

We remove the 'IFEQ' if there are no incoming branches. I thought it was impossible that the tracer could bail at the 'IFEQ' in this case, but imacros have proved me wrong. The test case in comment #1 has an imacro inside the LT, which ends in IMACOP. The LT is re-executed, and js_Interpret exits at the IFEQ. There's no method JIT position for this and we crash.

I pushed two fixes for this, both of which only take effect if we're in the mode where the interpreter is trying to remove an imacro for the method JIT. The first is if we hit an IMACOP, we stop immediately and let the method JIT resume. The second is if there is no IMACOP, but the imacro ends on a position for which there is no method JIT entry point, we keep interpreting until we hit a safe point (TRACEPOINT, CALL/EVAL/APPLY).

http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/942cf624bac0
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Summary: JM: Crash [@ js::methodjit::JaegerShot] or "Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../jsiter.cpp" or "Assertion failure: !JSVAL_IS_PRIMITIVE(f.sp[-2]), at ../methodjit/Stubs.cpp" → JM: Crash [@ 5cbffffb] or "Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../jsiter.cpp" or "Assertion failure: !JSVAL_IS_PRIMITIVE(f.sp[-2]), at ../methodjit/Stubs.cpp"
Crash Signature: [@ 5cbffffb]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug554675-2.js.
Flags: in-testsuite+