Closed Bug 969778 Opened 11 years ago Closed 11 years ago

Crash [@ js::jit::LiveInterval::addRangeAtHead] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox28 --- unaffected
firefox29 --- fixed
firefox30 --- fixed
firefox-esr24 --- unaffected
b2g-v1.3 --- unaffected

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(5 keywords, Whiteboard: [jsbugmon:origRev=6c899a1064f3])

Crash Data

Attachments

(1 file)

debug and opt stacks
(deleted), text/plain
Details
Attached file debug and opt stacks (deleted) —
for (var aa = 0; aa < 999999; aa++) { try { Function("\ (function() {})([NaN, , 0])\ ")() } catch (e) {}; } crashes js opt shell on m-c changeset cafe909f7e07 with --ion-eager at js::jit::LiveInterval::addRangeAtHead and asserts js debug shell at Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp My configure flags are: (opt) CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options> Debug: CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options> autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/dbeea0e93b56 user: Brian Hackett date: Mon Dec 16 10:53:02 2013 -0800 summary: Bug 785905 - Build Ion MIR graph off thread, r=jandem. Brian, is bug 785905 a likely regressor?
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to compile specified revision cafe909f7e07 (maybe try another?)
(In reply to Christian Holler (:decoder) from comment #1) > JSBugMon: Cannot process bug: Error: Failed to compile specified revision > cafe909f7e07 (maybe try another?) Retry with a later revision that fixed non-threadsafe build compilation issues.
Whiteboard: [jsbugmon:] → [jsbugmon:update,origRev=6c899a1064f3]
Whiteboard: [jsbugmon:update,origRev=6c899a1064f3] → [jsbugmon:origRev=6c899a1064f3]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Keywords: sec-high
Bug 785905 has been backed out and I can't reproduce this.
Flags: needinfo?(bhackett1024)
Yes, this is likely fixed by the backout, which has also landed in Aurora. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/8c521a802625 parent: 168757:9e7cf0b1d80c user: Jan de Mooij date: Fri Feb 14 13:17:53 2014 +0100 summary: Backout bug 785905, off-thread IonBuilder. r=jorendorff
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox29: affectedfixed
status-firefox30: affectedfixed
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Assignee: nobody → bhackett1024
status-firefox28: --- → unaffected
Target Milestone: --- → mozilla30
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: