Closed
Bug 916752
Opened 11 years ago
Closed 11 years ago
Assertion failure: outputType == MIRType_Value, at jit/Lowering.cpp:1961 with GC
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
| Tracking | Status | |
|---|---|---|
| firefox26 | --- | affected |
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 1 obsolete file)
|
(deleted),
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
|
(deleted),
text/plain
|
Details |
The following testcase asserts on mozilla-central revision dc909122bcf5 (run with --fuzzing-safe --ion-eager):
function test() { return "x,y,z"; };
function testClear() {
test().split(',');
}
loadFile("1");
loadFile("testClear();");
loadFile("2");
loadFile("gc();");
loadFile("testClear();");
loadFile("new test(0);");
function loadFile(lfVarx) {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
case 2: new Function(lfVarx)(); break;
default: evaluate(lfVarx); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
}
|
Reporter | |
Comment 1•11 years ago
|
||
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/a1bd3bb5a0ba
user: Hannes Verschore
date: Fri Sep 06 15:10:54 2013 +0200
summary: Bug 909717: IonBuilder: Introduce typed typebarriers, r=jandem
This iteration took 1.370 seconds to run.
|
|
||
Updated•11 years ago
|
Flags: needinfo?(hv1989)
|
Assignee | |
Updated•11 years ago
|
Assignee: general → hv1989
Flags: needinfo?(hv1989)
|
|
Assignee | |
Comment 3•11 years ago
|
||
Interesting we didn't had a testcase exercising this path in the testsuite. This is again bogus asserts. When we are definitely bailing the type is changed to the input type (not to MIRType_Value).
Attachment #805881 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 4•11 years ago
|
||
@decoder: This bug may get opened. Is not security sensitive.
|
|
Reporter | |
Updated•11 years ago
|
Group: core-security
|
|
||
Updated•11 years ago
|
Attachment #805881 -
Flags: review?(jdemooij) → review+
|
||
Comment 6•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
|
|
Reporter | |
Updated•11 years ago
|
status-firefox26:
--- → affected
|
|
Reporter | |
Comment 8•11 years ago
|
||
Attachment #805267 -
Attachment is obsolete: true
You need to log in
before you can comment on or make changes to this bug.
Description
•