Closed Bug 1134298 Opened 5 years ago Closed 5 years ago

Assertion failure: v.toDouble() == double(float(v.toDouble())), at jit/MIR.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64
macOS

Tracking

()

RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

for (var k = 0; k < 1; k++) {
    Math.fround(Math.ceil(Math.fround(Math.acos(3.0))))
}

asserts js debug shell on m-c changeset 93ddd99ffd86 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: v.toDouble() == double(float(v.toDouble())), at jit/MIR.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-central" -r 93ddd99ffd86

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150216083651" and the hash "4025bc064621".
The "bad" changeset has the timestamp "20150216085345" and the hash "9d2a1a5c46d2".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4025bc064621&tochange=9d2a1a5c46d2

Benjamin, is bug 1130618 a likely regressor?
Flags: needinfo?(benj)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x8ca24, 0x00000001006265a9 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::MConstant::NewTypedValue(alloc=<unavailable>, v=<unavailable>, type=<unavailable>, constraints=<unavailable>) + 137 at MIR.cpp:632, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001006265a9 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::MConstant::NewTypedValue(alloc=<unavailable>, v=<unavailable>, type=<unavailable>, constraints=<unavailable>) + 137 at MIR.cpp:632
    frame #1: 0x0000000100628c5e js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::MMathFunction::foldsTo(this=<unavailable>, alloc=0x00000001028e9620) + 366 at MIR.cpp:1107
    frame #2: 0x00000001006bbdc2 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::ValueNumberer::visitDefinition(js::jit::MDefinition*) [inlined] js::jit::ValueNumberer::simplified(this=0x00007fff5fbfe508, def=0x00000001028edd98) const + 20 at ValueNumbering.cpp:620
    frame #3: 0x00000001006bbdae js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::ValueNumberer::visitDefinition(this=0x00007fff5fbfe508, def=0x00000001028edd98) + 286 at ValueNumbering.cpp:748
    frame #4: 0x00000001006bcd15 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::ValueNumberer::visitBlock(this=<unavailable>, block=<unavailable>, dominatorRoot=<unavailable>) + 357 at ValueNumbering.cpp:949
(lldb)
Assignee: nobody → benj
Status: NEW → ASSIGNED
Comment on attachment 8566158
Fix assertion in MConstant::New to handle NaN

NaNNaNNaNa Batman!
Attachment #8566158 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/9345d96f487e
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
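
Why the testcase trips the assertion, as an added example that is not part of this bug thread or of the landed patch: Math.acos(3.0) is NaN, and NaN never compares equal to itself, so the round-trip comparison in the assertion is false even though NaN is a valid float32 value. The function names and the NaN-tolerant form of the check are assumptions made for illustration.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Same comparison as the failing assertion, applied to a plain double.
static bool roundTripsNaive(double d) {
    return d == double(float(d));
}

// NaN-tolerant form (an assumption, not the landed patch): NaN survives the
// double -> float -> double trip but never compares equal to itself, so it
// has to be accepted explicitly.
static bool roundTripsNaNAware(double d) {
    return std::isnan(d) || d == double(float(d));
}

// Value the testcase folds to:
// Math.fround(Math.ceil(Math.fround(Math.acos(3.0))))
static double foldedTestcaseValue() {
    double inner = double(float(std::acos(3.0)));  // acos outside [-1, 1] is NaN
    return double(float(std::ceil(inner)));        // ceil and fround keep NaN
}

int main() {
    const double samples[] = {
        foldedTestcaseValue(),                     // NaN
        0.5,                                       // exact in float32
        0.1,                                       // rounds when narrowed
        std::numeric_limits<double>::infinity(),   // exact in float32
    };
    for (double d : samples) {
        std::printf("%-4g naive=%d nan-aware=%d\n", d,
                    roundTripsNaive(d), roundTripsNaNAware(d));
    }
    return 0;
}
```

Only the NaN row differs between the two checks; 0.1 is rejected by both because it really does change when narrowed to float32.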