Closed
Bug 980400
Opened 11 years ago
Closed 11 years ago
Assertion failure: false (MOZ_ASSUME_UNREACHABLE(NYI: SIMDUnaryFunction)), at jit/MOpcodes.h:244 or Crash [@ js::jit::LiveInterval::addRangeAtHead]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
| Tracking | Status | |
|---|---|---|
| firefox30 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])
Crash Data
Attachments
(1 file, 1 obsolete file)
|
(deleted),
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 8122ffa9e1aa (run with --fuzzing-safe --ion-compile-try-catch --ion-eager --ion-eager):
var float32x4 = SIMD.float32x4;
function test() {
var a = float32x4(1, 4, 9, 16);
var c = SIMD.float32x4.sqrt(a);
assertEq(c.x, 1);
}
test();
test();
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
Options in comment 0 are messed up, --ion-eager is the only one needed.
This assert also pops up in slight variations (SIMDBinaryFunction, SIMDTernaryFunction). I assume these are all the same bug, so the signature attached covers them all.
Needinfo from Niko, this is a fuzzblocker (triggers all the time).
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead]
status-firefox30:
--- → affected
Flags: needinfo?(nmatsakis)
Keywords: crash
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
|
|
Reporter | |
Comment 3•11 years ago
|
||
Attachment #8386876 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead] → [@ js::jit::LiveInterval::addRangeAtHead]
[@ js::jit::ObjectPolicy<0u>::staticAdjustInputs]
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead]
[@ js::jit::ObjectPolicy<0u>::staticAdjustInputs] → [@ js::jit::LiveInterval::addRangeAtHead]
[@ js::jit::ObjectPolicy<0u>::staticAdjustInputs]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
|
|
Reporter | |
Comment 4•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/7efaabf97f0c
user: Haitao Feng
date: Tue Mar 04 20:06:26 2014 -0500
summary: Bug 943769 Part 2 -- Set up SIMD inlining infrastructure r=nmatsakis
This iteration took 0.957 seconds to run.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 5•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0dc1be930880).
|
||
Updated•11 years ago
|
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead]
[@ js::jit::ObjectPolicy<0u>::staticAdjustInputs] → [@ js::jit::LiveInterval::addRangeAtHead]
[@ js::jit::ObjectPolicy<0u>::staticAdjustInputs]
|
||
Comment 6•11 years ago
|
||
This was due to the incomplete patch that was backed out.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Target Milestone: --- → mozilla30
You need to log in
before you can comment on or make changes to this bug.
Description
•