Assertion failure: !ins->hasDefUses(), at jit/TypePolicy.cpp

RESOLVED FIXED in Firefox 36

Status

Core
JavaScript Engine: JIT
--
critical
3 years ago
3 years ago

People

(Reporter: gkw, Assigned: shu)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla36
x86_64
Mac OS X

Firefox Tracking Flags

(firefox35 affected, firefox36 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
(function() {
    let x = (new function() {})
    __defineGetter__("x", function() {
        ({
            e: x
        })
    })
})()
print(x)

asserts js debug shell on m-c changeset 14665b1de5ee with --ion-eager --no-threads at Assertion failure: !ins->hasDefUses(), at jit/TypePolicy.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7027efe7fae3
user:        Shu-yu Guo
date:        Mon Sep 15 16:30:45 2014 -0700
summary:     Bug 1001090 - Part 1: Implement let temporal dead zone in the frontend and interpreter. (r=Waldo)

Shu-yu, is bug 1001090 a possible regressor?
Flags: needinfo?(shu)
(Reporter)

Comment 1

3 years ago
Created attachment 8498432 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x314869, 0x00000001003d6a31 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(js::jit::TempAllocator&, js::jit::MInstruction*) [inlined] js::jit::MTypeBarrier* js::jit::MDefinition::to<js::jit::MTypeBarrier>(this=<unavailable>) + 5 at MIR.h:691, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003d6a31 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(js::jit::TempAllocator&, js::jit::MInstruction*) [inlined] js::jit::MTypeBarrier* js::jit::MDefinition::to<js::jit::MTypeBarrier>(this=<unavailable>) + 5 at MIR.h:691
    frame #1: 0x00000001003d6a2c js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(js::jit::TempAllocator&, js::jit::MInstruction*) [inlined] js::jit::MDefinition::toTypeBarrier(this=<unavailable>) at MIR.h:708
    frame #2: 0x00000001003d6a2c js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(this=<unavailable>, alloc=<unavailable>, def=<unavailable>) + 668 at TypePolicy.cpp:245
    frame #3: 0x00000001002a8a6a js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::ApplyTypeInformation(js::jit::MIRGenerator*, js::jit::MIRGraph&) [inlined] js::InlineListIterator<js::jit::MInstruction>::operator*(this=0x00000001030d57a8, def=0x0000000103133bf8) const + 86 at IonAnalysis.cpp:1080
    frame #4: 0x00000001002a8a14 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::ApplyTypeInformation(js::jit::MIRGenerator*, js::jit::MIRGraph&) [inlined] (anonymous namespace)::TypeAnalyzer::insertConversions(this=0x00000001030d57a8) + 1683 at IonAnalysis.cpp:1140
(lldb)
(Assignee)

Comment 2

3 years ago
Created attachment 8498462 [details] [diff] [review]
Don't consider uninitialized lexicals when initializing a singleton object property type.

Uninitialized lexicals as required by the TDZ shouldn't escape to script and
shouldn't be picked up by type sets, which will confuse the type set into
thinking it's seen lazyargs.
Attachment #8498462 - Flags: review?(bhackett1024)
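
The invariant stated in comment 2, that an uninitialized lexical must not escape to script, can be checked from the script side. The following is an added example, not part of the bug report or its patch; the probe names and the `checkTdz` helper are hypothetical, and it assumes Node.js or another ES2015 environment that provides `console.log`.

```javascript
// Added illustration, not code from the bug report or its patch.
// Each probe touches a `let` binding inside its temporal dead zone (TDZ).
// A conforming engine throws ReferenceError; a probe that returns a value
// means an "uninitialized" marker became visible to script.
const probes = {
  // Direct read ahead of the declaration in the same block.
  directRead() { const v = x; let x = 1; return v; },
  // Closure called before the binding is initialized.
  closureRead() { const f = () => x; const v = f(); let x = 1; return v; },
  // Object literal property initialized from the binding, the same
  // shape as `({ e: x })` in the reported testcase.
  literalProperty() { const mk = () => ({ e: x }); const o = mk(); let x = {}; return o; },
  // typeof gives no exemption for TDZ bindings.
  typeofRead() { const t = typeof x; let x = 1; return t; },
  // Control: the same literal built after initialization must succeed.
  afterInit() { const mk = () => ({ e: x }); let x = {}; return mk(); },
};

// Run one probe many times so optimizing JIT tiers get a chance to compile
// it, and collect every distinct outcome that was observed.
function classify(fn, iterations) {
  const seen = new Set();
  for (let i = 0; i < iterations; i++) {
    try {
      fn();
      seen.add("returned");
    } catch (e) {
      seen.add(e instanceof ReferenceError ? "ReferenceError" : "threw " + e.name);
    }
  }
  return [...seen].sort().join(",");
}

// Returns { probeName: outcomes }, e.g. "ReferenceError" or "returned".
function checkTdz(iterations = 5000) {
  const report = {};
  for (const [name, fn] of Object.entries(probes)) {
    report[name] = classify(fn, iterations);
  }
  return report;
}

console.log(checkTdz());
```

Any outcome other than a lone `ReferenceError` for the first four probes, or a lone `returned` for the control, is worth bisecting the way the reporter did.
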
(Assignee)

Updated

3 years ago
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Attachment #8498462 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 3

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/748ffeff132c
https://hg.mozilla.org/mozilla-central/rev/748ffeff132c
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
(Reporter)

Updated

3 years ago
Depends on: 1103048
(Reporter)

Updated

3 years ago
status-firefox36: --- → fixed