1046688 - Assertion failure: *ptr == (uintptr_t)expectedData.value, at jit/shared/Assembler-x86-shared.h:1673

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision 005424a764da (run with --fuzzing-safe):


enableSPSProfiling();
for (var j = 0; j < 1000; ++j) {
  (function(stdlib) {
    "use asm";
    var pow = stdlib.Math.pow;
    function f() {
        return +pow(.0, .0)
    }
    return f;
})(this)()
}

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Marked this s-s because of the assertion, Ccing luke because it involves asm.js.

Comment 3

[Luke Wagner [:luke]]

This is just an assertion that became invalid with the addition of the new 'profiling' state: the patched value now has two possible original values.

Comment 4

[Luke Wagner [:luke]]

Attachment: fix-assert

Kindof a bit of trouble to find the right original value, but I guess it's worth it and easier than adding a PatchDataWithoutValueCheck.

Comment 5

[Douglas Crosher [:dougc]]

Comment on attachment 8465495 [details] [diff] [review]
fix-assert

Review of attachment 8465495 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.

Comment 6

[Luke Wagner [:luke]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/34df51f6221e

Comment 7

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/34df51f6221e