Assertion failure: v.toDouble() == double(float(v.toDouble())), at jit/MIR.cpp

RESOLVED FIXED in Firefox 38

Status

Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: critical
Status: RESOLVED FIXED
Opened / last changed: 3 years ago

People

Reporter: gkw
Assigned: bbouvier

Tracking

Blocks: 1 bug
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla38
Platform: x86_64, Mac OS X
Bug Flags: in-testsuite +

Firefox Tracking Flags

firefox38: fixed

Details

Whiteboard: [jsbugmon:update]

Attachments

2 attachments

(Reporter)

Description

3 years ago
for (var k = 0; k < 1; k++) {
    Math.fround(Math.ceil(Math.fround(Math.acos(3.0))))
}

asserts js debug shell on m-c changeset 93ddd99ffd86 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: v.toDouble() == double(float(v.toDouble())), at jit/MIR.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-central" -r 93ddd99ffd86

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150216083651" and the hash "4025bc064621".
The "bad" changeset has the timestamp "20150216085345" and the hash "9d2a1a5c46d2".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4025bc064621&tochange=9d2a1a5c46d2

Benjamin, is bug 1130618 a likely regressor?
Flags: needinfo?(benj)
(Reporter)

Comment 1

3 years ago
Created attachment 8566102 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x8ca24, 0x00000001006265a9 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::MConstant::NewTypedValue(alloc=<unavailable>, v=<unavailable>, type=<unavailable>, constraints=<unavailable>) + 137 at MIR.cpp:632, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001006265a9 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::MConstant::NewTypedValue(alloc=<unavailable>, v=<unavailable>, type=<unavailable>, constraints=<unavailable>) + 137 at MIR.cpp:632
    frame #1: 0x0000000100628c5e js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::MMathFunction::foldsTo(this=<unavailable>, alloc=0x00000001028e9620) + 366 at MIR.cpp:1107
    frame #2: 0x00000001006bbdc2 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::ValueNumberer::visitDefinition(js::jit::MDefinition*) [inlined] js::jit::ValueNumberer::simplified(this=0x00007fff5fbfe508, def=0x00000001028edd98) const + 20 at ValueNumbering.cpp:620
    frame #3: 0x00000001006bbdae js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::ValueNumberer::visitDefinition(this=0x00007fff5fbfe508, def=0x00000001028edd98) + 286 at ValueNumbering.cpp:748
    frame #4: 0x00000001006bcd15 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::jit::ValueNumberer::visitBlock(this=<unavailable>, block=<unavailable>, dominatorRoot=<unavailable>) + 357 at ValueNumbering.cpp:949
(lldb)
(Assignee)

Comment 2

3 years ago
Created attachment 8566158 [details] [diff] [review]
Fix assertion in MConstant::New to handle NaN

Doh, I'll never learn...

See also https://twitter.com/jswalden/status/567602793272205312
Attachment #8566158 - Flags: review?(luke)
(Assignee)

Updated

3 years ago
Assignee: nobody → benj
Status: NEW → ASSIGNED

Comment 3

3 years ago
Comment on attachment 8566158 [details] [diff] [review]
Fix assertion in MConstant::New to handle NaN

NaNNaNNaNa Batman!
Attachment #8566158 - Flags: review?(luke) → review+
(Assignee)

Comment 4

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9345d96f487e
Flags: needinfo?(benj)
https://hg.mozilla.org/mozilla-central/rev/9345d96f487e
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox38: affected → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
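
Why the testcase trips the check, as an added C++ example (not the patch in attachment 8566158 and not SpiderMonkey code): Math.acos(3.0) is NaN, it stays NaN through ceil and fround, and NaN never compares equal to itself, so the round-trip comparison from the assertion fails even though NaN converts to float without loss. The function names are hypothetical, and the NaN-tolerant form is one way to write such a check, assumed rather than taken from the patch.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Same shape as the asserted condition in the bug title:
// "does this double survive a trip through float unchanged?"
static bool roundTripsNaive(double d) {
    return d == double(float(d));
}

// NaN-tolerant variant (assumption: one possible form, not the landed patch).
// NaN != NaN under IEEE 754, so it has to be accepted before comparing.
static bool roundTripsNaNAware(double d) {
    if (std::isnan(d))
        return true;  // a NaN double converts to a NaN float
    return d == double(float(d));
}

// The value the reporter's testcase produces, with fround modelled as a
// cast to float and back: fround(ceil(fround(acos(3.0)))).
static double testcaseValue() {
    double a = double(float(std::acos(3.0)));  // acos outside [-1, 1] is NaN
    return double(float(std::ceil(a)));        // ceil(NaN) is NaN
}

int main() {
    const double samples[] = {
        testcaseValue(),                          // NaN from the testcase
        0.5,                                      // exact in float
        0.1,                                      // not exact in float
        -0.0,                                     // signed zero
        std::numeric_limits<double>::infinity(),  // infinity is exact
        16777217.0,                               // 2^24 + 1, needs 25 bits
    };
    for (double d : samples) {
        std::printf("%-12g naive=%d nan_aware=%d\n", d,
                    roundTripsNaive(d), roundTripsNaNAware(d));
    }
    return 0;
}
```

Only the NaN row differs between the two columns; values that genuinely lose precision in float (0.1, 16777217) are still rejected by both checks.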