Closed Bug 1151326 Opened 9 years ago Closed 9 years ago

Assertion failure: Inline yield with closing generator, at js/src/jit/MacroAssembler.cpp:1753

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla40
Tracking Flags:
Tracking Status
firefox40 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Patch
2.58 KB, patch
shu
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 421548077f12 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --baseline-eager):

var finally3;
function gen() {
    try {
        try {
          yield 1;
        } finally { 
          finally3();
        } 
    } catch (e) {
        yield finally3 === parseInt;
    }
}
iter = gen();
iter.next();
iter.close();



Backtrace:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7ff59b5 in ?? ()
#0  0x00007ffff7ff59b5 in ?? ()
#1  0xfff9800000000000 in ?? ()
#2  0x00007fffffffb750 in ?? ()
#3  0x0000000000000203 in ?? ()
#4  0x00007fff00000058 in ?? ()
#5  0x00007ffff4d72b40 in ?? ()
#6  0x00007ffff7feeeb7 in ?? ()
#7  0x00007fffffffa888 in ?? ()
#8  0x00007fffffffa898 in ?? ()
#9  0x000000040000002f in ?? ()
#10 0x00007fffffffa918 in ?? ()
#11 0x00007ffff7e4d3c9 in ?? ()
#12 0x0000000000000601 in ?? ()
#13 0x00007ffff4d72640 in ?? ()
#14 0x0000000000000000 in ?? ()
rax	0x7ffff4e002a0	140737301709472
rbx	0xfffc7ffff4d72d80	-985162605712000
rcx	0x7ffffffe	2147483646
rdx	0x7fffffffacf0	140737488334064
rsi	0x7ffff4b065f0	140737298589168
rdi	0x7fffffffa740	140737488332608
rbp	0x7fffffffa898	140737488332952
rsp	0x7fffffffa850	140737488332880
r8	0xc	12
r9	0xd	13
r10	0x7ffff69a78a8	140737330706600
r11	0x7ffff6c27960	140737333328224
r12	0x8	8
r13	0x7fffffffb750	140737488336720
r14	0x203	515
r15	0x7fffffffaee0	140737488334560
rip	0x7ffff7ff59b5	140737354095029
=> 0x7ffff7ff59b5:	movabs $0xfff8800000000002,%r11
   0x7ffff7ff59bf:	mov    %r11,0x48(%rax)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8792056f152c
user:        Jan de Mooij
date:        Thu Nov 13 17:39:51 2014 +0100
summary:     Bug 1093573 part 13 - Handle closing legacy generators correctly. r=wingo,shu

This iteration took 160.740 seconds to run.
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review 
When we yield, we have to throw an exception if we have a legacy generator in the closing state. Baseline compilation of yields didn't do this in all cases.

Different ways to fix this: (1) change legacy generator semantics slightly and remove this exception, (2) inline the yield but emit JIT code to check for closing generators and fall back to a stub or (3) don't inline yields in a legacy generator.

This patch does (3), it's the simplest fix and legacy generator performance is not very interesting.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8589619 - Flags: review?(shu)
Comment on attachment 8589619 [details] [diff] [review]
Patch

Review of attachment 8589619 [details] [diff] [review]:
-----------------------------------------------------------------

Death to legacy generators!
Attachment #8589619 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/4bdb88846d41
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox40: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: