Closed
Bug 1033856
Opened 10 years ago
Closed 10 years ago
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: unexpected type), at jit/Lowering.cpp:1772 with Symbol
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla33
| Tracking | Status | |
|---|---|---|
| firefox31 | --- | unaffected |
| firefox32 | --- | unaffected |
| firefox33 | --- | verified |
| firefox34 | --- | verified |
| firefox-esr24 | --- | unaffected |
| firefox-esr31 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.3T | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.1 | --- | fixed |
People
(Reporter: decoder, Assigned: jorendorff)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(2 files)
|
685 bytes,
text/plain
|
Details | |
|
2.89 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 7075808c3306 (run with --fuzzing-safe --ion-eager):
function TestCase(e, a)
this.passed = getTestCaseResult(e, a);
function reportCompare (e, a) {
printStatus ();
var testcase = new TestCase(e, a);
}
function getTestCaseResult(e, a) {
return a == e;
}
try {
test();
} catch(exc1) {}
function test()
reportCompare();
new TestCase( .1, 0.1e0 );
var sym = Symbol("method");
evaluate("\
reportCompare(test, sym, length)\
", { noScriptRval : true, compileAndGo : true});
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
Needinfo from Jason, as this is related to the recent Symbol implementation.
|
Assignee | |
Comment 3•10 years ago
|
||
Again, would love some help regarding how to test each of these changes. There must be a less convoluted way. The change to the comment (only) in LIRGenerator::visitToString is justified by the check for type == MIRType_Symbol in ToStringPolicy::staticAdjustInputs.
Assignee: nobody → jorendorff
Attachment #8450168 -
Flags: review?(jdemooij)
Flags: needinfo?(jorendorff)
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8450168 [details] [diff] [review] bug-1033856-symbol-tonumber-jit-v1.patch Review of attachment 8450168 [details] [diff] [review]: ----------------------------------------------------------------- (In reply to Jason Orendorff [:jorendorff] from comment #3) > Again, would love some help regarding how to test each of these changes. > There must be a less convoluted way. Here's a test for the ToDouble case (fails with --ion-eager --ion-offthread-compile=off): function f(x, y) { return x == y; } f(1.1, 2.2); for (var i=0; i<5; i++) f(1, Symbol()); ToFloat32 is a bit more complicated unfortunately. ::: js/src/jit/MIR.h @@ +3476,5 @@ > return AliasSet::None(); > } > > bool fallible() const { > + return input()->mightBeType(MIRType_Object) || input()->mightBeType(MIRType_Symbol); You don't need this change. We give the LIR instruction a snapshot if fallible() returns true, so that CodeGenerator::visitValueToString can bail out. For symbols we do a VM call that can still be "fallible" but in a different way, it's not affected by this method. I think this method should be renamed (or just inlined into the only caller) to avoid confusion, but doesn't have to happen in this patch.
Attachment #8450168 -
Flags: review?(jdemooij) → review+
|
||
Updated•10 years ago
|
Keywords: sec-moderate
|
|
||
Updated•10 years ago
|
Keywords: regression,
regressionwindow-wanted
|
|
Assignee | |
Comment 5•10 years ago
|
||
Symbols regressed this, count on it.
Keywords: regressionwindow-wanted
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4c5ee514a3ac
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4c5ee514a3ac
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.1:
--- → fixed
status-firefox31:
--- → unaffected
status-firefox32:
--- → unaffected
status-firefox-esr24:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
|
|
Reporter | |
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
status-firefox34:
--- → verified
|
|
Reporter | |
Comment 8•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•10 years ago
|
Group: core-security
|
|
Reporter | |
Updated•10 years ago
|
|
|
Reporter | |
Comment 9•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed on Fx33
You need to log in
before you can comment on or make changes to this bug.
Description
•