Bug 1603886 Comment 0 Edit History

The following testcase crashes on mozilla-central revision f09f24f2b545 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --ion-eager):

    function g(x, y) {
        y ? 1 : 1;
    }
    function h(x) {
        g(1 ? 1 : d(t | undefined), Math.round() ? x : Math.fround(Math.hypot(undefined | Math.round)));
    }
    let z = [[], false];
    for (var j = 0; j < 4; ++j) {
        for (var k = 0; k < 99; ++k) {
            h(z[j]);
        }
    }

Backtrace:

```
#0  0x0000561910bbc896 in (anonymous namespace)::TypeAnalyzer::adjustPhiInputs (this=0x7f0267301da0, phi=0x7f0267be1268) at js/src/jit/IonAnalysis.cpp:1832
#1  0x0000561910bba5ce in (anonymous namespace)::TypeAnalyzer::insertConversions (this=0x7f0267301da0) at js/src/jit/IonAnalysis.cpp:1967
#2  0x0000561910b460cd in (anonymous namespace)::TypeAnalyzer::analyze (this=0x7f0267301da0) at js/src/jit/IonAnalysis.cpp:2255
#3  0x0000561910b3e489 in js::jit::ApplyTypeInformation (mir=0x7f0267bdb300, graph=...) at js/src/jit/IonAnalysis.cpp:2267
#4  0x0000561910b377e5 in js::jit::OptimizeMIR (mir=0x7f0267bdb300) at js/src/jit/Ion.cpp:1198
#5  0x0000561910b40821 in js::jit::CompileBackEnd (mir=0x7f0267bdb300) at js/src/jit/Ion.cpp:1630
#6  0x0000561910b5909b in js::jit::IonBuilder::runTask (this=0x7f0267bdb2f8) at js/src/jit/IonBuilder.cpp:1181
#7  0x000056190fce6535 in js::HelperThread::handleIonWorkload (this=0x7f0267b08d20, locked=...) at js/src/vm/HelperThreads.cpp:2278
/snip
```

For detailed crash information, see attachment.

Setting s-s as a start as MIR is on the stack.

The following testcase crashes on mozilla-central revision f09f24f2b545 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --ion-eager):

    function g(x, y) {
        y ? 1 : 1;
    }
    function h(x) {
        g(1 ? 1 : d(t | undefined), Math.round() ? x : Math.fround(Math.hypot(undefined | Math.round)));
    }
    let z = [[], false];
    for (var j = 0; j < 4; ++j) {
        for (var k = 0; k < 99; ++k) {
            h(z[j]);
        }
    }

Backtrace:

```
#0  0x0000561910bbc896 in (anonymous namespace)::TypeAnalyzer::adjustPhiInputs (this=0x7f0267301da0, phi=0x7f0267be1268) at js/src/jit/IonAnalysis.cpp:1832
#1  0x0000561910bba5ce in (anonymous namespace)::TypeAnalyzer::insertConversions (this=0x7f0267301da0) at js/src/jit/IonAnalysis.cpp:1967
#2  0x0000561910b460cd in (anonymous namespace)::TypeAnalyzer::analyze (this=0x7f0267301da0) at js/src/jit/IonAnalysis.cpp:2255
#3  0x0000561910b3e489 in js::jit::ApplyTypeInformation (mir=0x7f0267bdb300, graph=...) at js/src/jit/IonAnalysis.cpp:2267
#4  0x0000561910b377e5 in js::jit::OptimizeMIR (mir=0x7f0267bdb300) at js/src/jit/Ion.cpp:1198
#5  0x0000561910b40821 in js::jit::CompileBackEnd (mir=0x7f0267bdb300) at js/src/jit/Ion.cpp:1630
#6  0x0000561910b5909b in js::jit::IonBuilder::runTask (this=0x7f0267bdb2f8) at js/src/jit/IonBuilder.cpp:1181
#7  0x000056190fce6535 in js::HelperThread::handleIonWorkload (this=0x7f0267b08d20, locked=...) at js/src/vm/HelperThreads.cpp:2278
/snip
```

For detailed crash information, see attachment.

Setting s-s as a start as MIR is on the stack. Note that this is fairly intermittent.
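Because the crash is reported as intermittent, a single run of the testcase says little about whether a build is affected. The helper below is an added triage script, not part of the bug report or of the SpiderMonkey tree: it runs a command repeatedly and counts the runs that were terminated by a signal (exit status 128 or above, which covers SIGSEGV and the SIGABRT raised by a debug-build assertion), so the hit rate can be compared across revisions. `JS_SHELL` and `testcase.js` are assumptions (the path to a debug `js` binary and a file holding the testcase above); the `--fuzzing-safe --ion-eager` flags are the ones from the report.

```shell
#!/bin/sh
# Added triage helper; not part of the bug report. Runs a command repeatedly and
# counts how many runs were killed by a signal (exit status >= 128: SIGSEGV, or
# SIGABRT from a debug-build assertion), which is how an intermittent JIT crash
# shows up from the outside.
# Assumptions (not from the report): JS_SHELL names a debug js shell binary and
# testcase.js holds the testcase quoted above.

# run_repeatedly CMD N: run CMD (a shell command string) N times and print the
# number of signal-terminated runs. Ordinary non-zero exits (e.g. an uncaught
# JS exception) are not counted as crashes.
run_repeatedly() {
    cmd=$1
    n=$2
    crashed=0
    i=0
    while [ "$i" -lt "$n" ]; do
        status=0
        sh -c "$cmd" >/dev/null 2>&1 || status=$?
        if [ "$status" -ge 128 ]; then
            crashed=$((crashed + 1))
        fi
        i=$((i + 1))
    done
    echo "$crashed"
}

# Reproduce with the flags from the report, 50 times, but only when a shell
# binary has been pointed at, so the file can be sourced without side effects.
if [ -n "${JS_SHELL:-}" ]; then
    runs=50
    hits=$(run_repeatedly "$JS_SHELL --fuzzing-safe --ion-eager testcase.js" "$runs")
    echo "crashed $hits of $runs runs"
fi
```

Run it as `JS_SHELL=/path/to/debug/js sh repro.sh` from the directory holding `testcase.js`; a count of zero over a few hundred runs on a candidate fix, against a non-zero count on revision f09f24f2b545, is the evidence worth recording in the bug.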