Closed
Bug 1071068
Opened 10 years ago
Closed 10 years ago
Assertion failure: it.type() == JitFrame_IonJS, at jit/Ion.cpp:625 or Crash [@ js::jit::JitFrameIterator::script]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
Status: RESOLVED DUPLICATE of bug 1067984

Release | Tracking | Status
---|---|---
firefox35 | --- | affected
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments (1 file): 575 bytes, text/plain
The following testcase asserts on mozilla-central revision 5bd6e09f074e (run with --fuzzing-safe --ion-regalloc=backtracking):

```js
function script1() {
  return arguments.length;
}
test1();
function test1() {
  function f(arr) {
    for (var i = 0; i < 10; ++i) {
      for (var j = 0; j < arr.length; ++j) {
        (function() {
          for (i = 0; i < 5; i++)
            f(false, 42);
        })();
      }
    }
  }
  f([ script1, ]);
}
function test2() {
  function tryAndFail(o) {}
  function applyIt1(f) {}
}
```
Comment 1 (Reporter) • 10 years ago

Comment 2 (Reporter) • 10 years ago
Crash trace:

```
Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::script (this=0xffffc2e0) at js/src/jit/IonFrames.cpp:207
207         JSScript *script = ScriptFromCalleeToken(calleeToken());
#0  js::jit::JitFrameIterator::script (this=0xffffc2e0) at js/src/jit/IonFrames.cpp:207
#1  0x081c8cd2 in js::jit::LazyLinkTopActivation (cx=0x92b6ad0) at js/src/jit/Ion.cpp:628
#2  0x0832af7a in js::jit::Simulator::softwareInterrupt (this=0x92b6078, instr=0x92ce5ec) at js/src/jit/arm/Simulator-arm.cpp:2136
#3  0x0832857c in js::jit::Simulator::instructionDecode (this=this@entry=0x92b6078, instr=instr@entry=0x92ce5ec) at js/src/jit/arm/Simulator-arm.cpp:4043
#4  0x08338924 in js::jit::Simulator::execute<false> (this=0x92b6078) at js/src/jit/arm/Simulator-arm.cpp:4096
#5  0x0832b5ed in js::jit::Simulator::callInternal (this=this@entry=0x92b6078, entry=entry@entry=0xf2fb0880 "\360O-\351\r\200\240\341\234\300\t\343(\311", <incomplete sequence \343>) at js/src/jit/arm/Simulator-arm.cpp:4184
#6  0x0832b696 in js::jit::Simulator::call (this=0x92b6078, entry=0xf2fb0880 "\360O-\351\r\200\240\341\234\300\t\343(\311", <incomplete sequence \343>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4267
#7  0x08176ed0 in EnterBaseline (cx=0x92b6ad0, data=...) at js/src/jit/BaselineJIT.cpp:115
eax            0x27fdddb    41934299
=> 0x822723b <js::jit::JitFrameIterator::script() const+27>:    mov    0x8(%eax),%eax
```

Marking s-s based on crash address.
Crash Signature: [@ js::jit::JitFrameIterator::script]
status-firefox35: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Comment 3 • 10 years ago
(In reply to Christian Holler (:decoder) from comment #2)
> #1 0x081c8cd2 in js::jit::LazyLinkTopActivation (cx=0x92b6ad0) at js/src/jit/Ion.cpp:628

NI: Hannes
Flags: needinfo?(hv1989)
Comment 4 • 10 years ago
Could it be that you forgot to mention this is ARM (simulator?). If that is the case, this is probably fixed by bug 1067984 (Will land soonish).
Flags: needinfo?(hv1989)
Updated • 10 years ago
Flags: needinfo?(choller)
Comment 5 • 10 years ago
Ok, I should have read the full bt. It is definitely the simulator. @decoder: it might be good to include configure flags in reports.
Flags: needinfo?(choller)
Comment 6 • 10 years ago
This should be fixed. Decoder, can you confirm?
Updated (Reporter) • 10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,bisectfix]
Updated (Reporter) • 10 years ago
Whiteboard: [jsbugmon:update,bisect,bisectfix] → [jsbugmon:update,bisectfix]
Comment 7 (Reporter) • 10 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/de8214005a4a
user:      Jason Orendorff
date:      Thu Sep 11 17:57:29 2014 -0500
summary:   Bug 1051760 - Fix "Assertion failure: !vp.isMagic(), at jsobj.cpp:4600" with arguments, direct eval, and a destructuring declaration. r=Waldo.

This iteration took 615.402 seconds to run.
Comment 8 (Reporter) • 10 years ago
(In reply to Hannes Verschore [:h4writer], pto till 22 September from comment #6)
> This should be fixed. Decoder can you confirm?

This doesn't seem to be fixed, otherwise the bot would have removed the update flag and bisected the fix with the regular bisection.
Updated (Reporter) • 10 years ago
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Comment 9 (Reporter) • 10 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision bb61415bd7e6).

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0c8fa599e889
parent:    206590:2d6ffa903e38
user:      Hannes Verschore
date:      Mon Sep 22 22:45:08 2014 +0200
summary:   Bug 1067984 - IonMonkey: Temporarily disable lazy linking for non i686/x64, r=mjrosenb

This iteration took 570.856 seconds to run.
Comment 10 • 10 years ago
Aha, so indeed fixed by bug 1067984 :D. Now the autobisect is pointing to a wrong bug. It should point to bug 1047346, which landed the day before. Possibly the testcase uses a feature added/fixed by the bug autobisect is reporting.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release