755639 - "Assertion failure: L.isSet()" with gcPreserveCode()

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

./js -m -a -n

function f(t)
{
    for (var i = 0; i < 1; ++i) {
        if (typeof(t) != "string") {
        }
    }
}
function m(d)
{
    if (d == 0)
        return "";
    f(m(d - 1));
}
m(1);
gcPreserveCode();
mjitChunkLimit(1);
gcslice(0);
m(1);
gc();
m(2);

Assertion failure: L.isSet(), at js/src/methodjit/Compiler.cpp:1408

Regression from:
  https://hg.mozilla.org/mozilla-central/rev/fbff86190de6 (bug 750834)

This was a mix of fuzzer-generated code with the fuzzer itself. m() and f() are reduced from parts of jsfunfuzz.

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

Mmmm, gcPreserveCode() doesn't play well with mjitChunkLimit().  The latter needs to clear out old code so that the new chunk limit will be reflected in future compilations, but this behavior is prevented by the former.  The fix watches for this case and throws in mjitChunkLimit().

Comment 2

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/ce618ce8d84a

Comment 3

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/ce618ce8d84a

Comment 4

[Lukas Blakk [:lsblakk] use ?needinfo]

Fixed on 15, no need to track.

Comment 5

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929