Bug 1131297 - Assertion failure: def->type() == definiteType, at js/src/jit/IonBuilder.cpp:7133 with --unboxed-objects

Status: Closed, RESOLVED FIXED
Opened 9 years ago, closed 9 years ago
Category: Core :: JavaScript Engine, defect
Target milestone: mozilla38
Tracking: firefox38 --- disabled
People: Reporter: decoder, Assigned: bhackett1024
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 723 bytes, jandem: review+
The following testcase crashes on mozilla-central revision be65d1fde126 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --unboxed-objects):

    DoWhile( new DoWhileObject( 1000, 1000, 0 ));
    DoWhile( new DoWhileObject( (4294967296), 1001, 0 ));
    function DoWhileObject( value, iterations, endvalue ) {
      this.value = value;
    }
    function DoWhile( object ) {
      do {
        object.value = --object.value;
      } while( object.value );
    }

Backtrace:

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x000000000084ca5b in js::jit::IonBuilder::ensureDefiniteType (this=this@entry=0x2894c58, def=def@entry=0x2896ef0, definiteType=<optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:7133
    #1  0x00000000008524d5 in js::jit::IonBuilder::addTypeBarrier (this=0x2894c58, def=0x2896ef0, observed=0x28954f8, kind=<optimized out>, pbarrier=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:7061
    #2  0x000000000085259d in js::jit::IonBuilder::pushTypeBarrier (this=0x2894c58, def=0x2896ef0, observed=0x28954f8, kind=js::jit::NoBarrier) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:7032
    #3  0x0000000000852ecd in js::jit::IonBuilder::getPropTryUnboxed (this=this@entry=0x2894c58, emitted=emitted@entry=0x7fffe1d539e0, obj=<optimized out>, obj@entry=0x2896ad8, name=name@entry=0x7f51bdc1cb08, barrier=js::jit::NoBarrier, barrier@entry=js::jit::TypeTagOnly, types=types@entry=0x28954f8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:10167
    #4  0x00000000008af560 in js::jit::IonBuilder::jsop_getprop (this=this@entry=0x2894c58, name=0x7f51bdc1cb08) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:9757
    #5  0x00000000008a78b3 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x2894c58, op=op@entry=JSOP_GETPROP) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:1866
    #6  0x00000000008a8590 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x2894c58) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:1432
    #7  0x00000000008a8ded in js::jit::IonBuilder::build (this=0x2894c58) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:849
    #8  0x00000000008b7910 in js::jit::IonCompile (cx=cx@entry=0x26cf490, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffe1d53fa8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:1902
    #9  0x00000000008b82c4 in js::jit::Compile (cx=cx@entry=0x26cf490, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffe1d53fa8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:2112
    #10 0x00000000008b89d0 in js::jit::CompileFunctionForBaseline (cx=cx@entry=0x26cf490, script=script@entry=..., frame=frame@entry=0x7fffe1d53fa8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:2277
    #11 0x00000000007a90e2 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x2831819 ">W", script=..., frame=0x7fffe1d53fa8, cx=0x26cf490) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/BaselineIC.cpp:784
    #12 js::jit::DoWarmUpCounterFallback (cx=0x26cf490, stub=<optimized out>, frame=0x7fffe1d53fa8, infoPtr=0x7fffe1d53f78) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/BaselineIC.cpp:945
    [...]
    #16 0x00000000019a2760 in js::jit::DoTypeMonitorFallbackInfo ()
    [...]
    #23 0x0000000000000000 in ?? ()

    rax 0x0 0
    rbx 0x2894c58 42552408
    rcx 0xffffffffffffffff -1
    rdx 0x0 0
    rsi 0x7f51bf4ba9d0 139989078485456
    rdi 0x7f51bf4b91c0 139989078479296
    rbp 0x7fffe1d538d0 140736982235344
    rsp 0x7fffe1d538b0 140736982235312
    r8  0x7f51c052a780 139989095720832
    r9  0x6372732f736a2f6c 7165916604736876396
    r10 0x7f51bf4b6be0 139989078469600
    r11 0x0 0
    r12 0x2894c58 42552408
    r13 0x0 0
    r14 0x28954f8 42554616
    r15 0x2896ef0 42561264
    rip 0x84ca5b <js::jit::IonBuilder::ensureDefiniteType(js::jit::MDefinition*, js::jit::MIRType)+203>
    => 0x84ca5b <js::jit::IonBuilder::ensureDefiniteType(js::jit::MDefinition*, js::jit::MIRType)+203>: movl $0x1bdd,0x0
       0x84ca66 <js::jit::IonBuilder::ensureDefiniteType(js::jit::MDefinition*, js::jit::MIRType)+214>: callq 0x4046a0 <abort@plt>
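The testcase above hinges on a property type transition: the first call decrements `value` through int32-representable numbers only, while the second starts `value` at 4294967296 (2^32), which lies outside the int32 range and is therefore a double in SpiderMonkey's type inference, so the unboxed property's observed type set becomes {int32, double} and the load at the top of the loop needs a type barrier. The block below is an added example, not code from the bug report or from SpiderMonkey: it reuses the testcase's function names but adds an assumed `floor` parameter so a run that starts above int32 range stops a few decrements after crossing back into it, instead of decrementing 2^32 times, and it records which representation class each loaded value fell into. The `fitsInt32` helper is the standard int32 range check (with -0 excluded, since SpiderMonkey represents -0 as a double) and is likewise an assumption of this example.

```javascript
// Added example (not part of the bug report): exercises the same
// int32 -> double -> int32 property transition as the fuzz testcase,
// in a form that terminates in a handful of iterations.

const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

// True when v is a value the engine would keep as an int32
// (integral, in range, and not -0). Assumed helper, not engine code.
function fitsInt32(v) {
  return Number.isInteger(v) && v >= INT32_MIN && v <= INT32_MAX && !Object.is(v, -0);
}

// Same shape as the testcase's constructor: only `value` is stored.
function DoWhileObject(value, iterations, endvalue) {
  this.value = value;
}

// Same loop as the testcase, plus an assumed `floor` so a run that
// starts above int32 range stops shortly after crossing INT32_MAX.
// Returns how many loaded values fell into each representation class.
function DoWhile(object, floor = 0) {
  const seen = { int32: 0, double: 0 };
  do {
    seen[fitsInt32(object.value) ? "int32" : "double"]++;
    object.value = --object.value;
  } while (object.value > floor);
  return seen;
}

// First call of the testcase: 1000 loads, all int32.
const onlyInt32 = DoWhile(new DoWhileObject(1000, 1000, 0));

// Starts at 2^31 + 4: five loads are doubles (2^31+4 .. 2^31), then
// three are int32 (INT32_MAX .. INT32_MAX-2) before reaching the floor.
const crossing = DoWhile(new DoWhileObject(2 ** 31 + 4, 0, 0), INT32_MAX - 3);

console.log(onlyInt32, crossing, fitsInt32(4294967296));
```

Running the first call alone leaves the property's observed type as int32 only; the second run is what widens it to {int32, double} and forces the JIT to reconcile the load's MIR type with the barrier, which is the path `getPropTryUnboxed` mishandled here.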
Comment 1 • 9 years ago (Reporter)
NI from bhackett due to --unboxed-objects.
Flags: needinfo?(bhackett1024)
Updated • 9 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 • 9 years ago (Reporter)
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c3714f520752
user: Brian Hackett
date: Mon Feb 02 09:27:59 2015 -0700
summary: Bug 1127987 - Fix transposed parent/metadata arguments in EmptyShape::getInitialShape, r=jandem.

This iteration took 346.102 seconds to run.
Comment 3 • 9 years ago (Assignee)
getPropTryUnboxed has a spot where it just removes a type barrier, which messed up this assertion. There shouldn't be any problem with doing this, since the instruction generated by loadUnboxedProperty will have the correct type, but I don't think this code is really helping anything either so this patch just removes it.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8562329 - Flags: review?(jdemooij)
Updated • 9 years ago
Attachment #8562329 - Flags: review?(jdemooij) → review+
Comment 4 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e4b8596954f
Comment 5 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/8e4b8596954f
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38