Bug 1082611
Opened 10 years ago
Closed 10 years ago
Assertion failure: pred->isLoopBackedge(), at jit/IonAnalysis.cpp:1905 or Crash [@ js::jit::LiveInterval::addRangeAtHead]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED DUPLICATE of bug 1077991

| | Tracking | Status |
|---|---|---|
| firefox36 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file): 1.20 KB, text/plain
The following testcase asserts on mozilla-central revision 54217864bae9 (run with --no-threads --fuzzing-safe --ion-eager):

```js
for ( var n = 4; n <= 7; n += 1 ) {
    var minDepth = 4;
    var maxDepth = Math.max(minDepth + 2, n);
    for (var depth=minDepth; depth<=maxDepth; depth+=2) {
        var iterations = 1 << (maxDepth - depth + minDepth);
        try {
            c6+=1;
            break;
        } catch(er1){}
        for (var i=1; i<=iterations; i++){}
    }
}
```
Comment 1 • 10 years ago (Reporter)

Comment 2 • 10 years ago (Reporter)
Crash seems to be a null-deref:

```
Program received signal SIGSEGV, Segmentation fault.
js::jit::LiveInterval::addRangeAtHead (this=0x0, from=..., to=...) at js/src/jit/LiveRangeAllocator.cpp:158
158     return ranges_.append(newRange);
#0  js::jit::LiveInterval::addRangeAtHead (this=0x0, from=..., to=...) at js/src/jit/LiveRangeAllocator.cpp:158
#1  0x0000000000679384 in js::jit::LiveRangeAllocator<js::jit::LinearScanVirtualRegister, true>::buildLivenessInfo (this=0x7fffffffae50) at js/src/jit/LiveRangeAllocator.cpp:851
#2  0x000000000065367d in js::jit::LinearScanAllocator::go (this=0x7fffffffae50) at js/src/jit/LinearScan.cpp:1284
#3  0x000000000059e16a in js::jit::GenerateLIR (mir=0x17d1778) at js/src/jit/Ion.cpp:1751
#4  0x000000000059ea05 in js::jit::CompileBackEnd (mir=0x17d1778) at js/src/jit/Ion.cpp:1839
#5  0x00000000005cd452 in IonCompile (optimizationLevel=js::jit::Optimization_Normal, recompile=false, executionMode=<optimized out>, constructing=<optimized out>, osrPc=<optimized out>, baselineFrame=<optimized out>, script=<optimized out>, cx=0x16934f0) at js/src/jit/Ion.cpp:2126
#6  js::jit::Compile (cx=0x16934f0, script=..., osrFrame=<optimized out>, osrPc=<optimized out>, constructing=<optimized out>, executionMode=<optimized out>) at js/src/jit/Ion.cpp:2295
#7  0x00000000005cd81b in js::jit::CanEnterAtBranch (cx=0x16934f0, script=0x7ffff5334510, osrFrame=<optimized out>, pc=<optimized out>) at js/src/jit/Ion.cpp:2357
rdi     0x0     0
=> 0x6460be <js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition)+14>:   mov 0x20(%rdi),%rax
```
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead]
status-firefox36: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 • 10 years ago (Reporter)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8f27a48a25d5
user: Dan Gohman
date: Wed Sep 17 10:27:25 2014 -0700
summary: Bug 1029830 - IonMonkey: GVN: Replace UCE with GVN r=nbp

This iteration took 3.274 seconds to run.
Comment 4 • 10 years ago (Reporter)
Needinfo from sunfish based on comment 3.
Flags: needinfo?(sunfish)
Updated • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(sunfish)
Resolution: --- → DUPLICATE
Updated • 10 years ago
Group: core-security
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release