Closed
Bug 953337
Opened 11 years ago
Closed 10 years ago
Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: assertion, testcase)
Attachments
(2 files, 2 obsolete files)
|
66.07 KB,
text/plain
|
Details | |
|
1.82 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision fe7f7ead589c (run with --fuzzing-safe):
setJitCompilerOption("ion.usecount.trigger", 50);
var proxy = new Boolean({ get: function() {} }, {});
Function.prototype.__proto__ = proxy;
function g(x, y) {}
function f() {
g.apply(this, arguments);
}
for (var i = 0; i < 1000; ++i) {
f(i, i*2);
}
|
||
Comment 1•10 years ago
|
||
also found via bughunter on http://saint-marc.ws/index.php
|
Assignee | |
Comment 2•10 years ago
|
||
Just need an extra setFoldedUnchecked call.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8355203 -
Flags: review?(nicolas.b.pierron)
|
||
Comment 3•10 years ago
|
||
Comment on attachment 8355203 [details] [diff] [review] Patch Review of attachment 8355203 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/IonBuilder.cpp @@ +4935,5 @@ > > MArgumentsLength *numArgs = MArgumentsLength::New(alloc()); > current->add(numArgs); > > MApplyArgs *apply = MApplyArgs::New(alloc(), target, argFunc, numArgs, argThis); We are adding a use of argFunc here, The second part of the assertion should be verified in this case. @@ +4971,5 @@ > callInfo.setThis(argThis); > > // Pop function parameter. > MDefinition *argFunc = current->pop(); > + argFunc->setFoldedUnchecked(); Is the function inlined? If it is not, then the MCall should have a use of argFunc and the second part of the assertion should be verified too. Otherwise the issue is likely located in the inlining code.
Attachment #8355203 -
Flags: review?(nicolas.b.pierron)
Loading http://www.theb-hotels.com/the-b-roppongi/en/ yielded: Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jit/IonBuilder.cpp:1338 which looks like it's the same, although the first piece of the || chain has changed since the bug was filed.
Yeah, bug 953256 changed isFolded to isImplicitlyUsed.
Summary: Assertion failure: popped[i]->isFolded() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338 → Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338
|
|
Assignee | |
Comment 6•10 years ago
|
||
Attachment #8355203 -
Attachment is obsolete: true
Attachment #8360317 -
Flags: review?(nicolas.b.pierron)
|
|
Assignee | |
Comment 7•10 years ago
|
||
Realized there's another place where we should set the flag. Sorry for the bugspam.
Attachment #8360317 -
Attachment is obsolete: true
Attachment #8360317 -
Flags: review?(nicolas.b.pierron)
Attachment #8360320 -
Flags: review?(nicolas.b.pierron)
|
|
||
Updated•10 years ago
|
Attachment #8360320 -
Flags: review?(nicolas.b.pierron) → review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/103c0b6c135d
|
||
Comment 9•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/103c0b6c135d
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
|
||
Updated•10 years ago
|
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•