Closed Bug 1151401 Opened 8 years ago Closed 8 years ago

Assertion failure: ndef->type() == MIRType_Object, at jit/IonAnalysis.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla40
Tracking Flags:
Tracking Status
firefox38 --- fixed
firefox39 --- fixed
firefox40 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
3.53 KB, text/plain
Details
patch
989 bytes, patch
jandem
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review 
s = newGlobal();
evalcx("\
    x = null;\
    f = function (z) {\
        var ff = z.ff;\
        function f() {\
            (0(ff()))\
            (ff()|0)\
        }\
        return f\
    }({\
        ff: (function() {\
            return x\
        })\
    });\
    try {\
        f()\
    } catch (e) {}\
", s);
evalcx("\
    function x() {};\
    for (var k = 0; k < 2; ++k) {\
        try {\
            f()\
        } catch (e) {}\
    }\
", s)

asserts js debug shell on m-c changeset 421548077f12 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: ndef->type() == MIRType_Object, at jit/IonAnalysis.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 421548077f12

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a3cabc94db73
user:        Brian Hackett
date:        Tue Feb 17 12:30:44 2015 -0700
summary:     Bug 1131403 - Optimize additional uses of ObjectOrNull values better, r=jandem.

Brian, is bug 1131403 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x5e7de, 0x00000001004fcfe4 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::EliminateRedundantChecks(js::jit::MIRGraph&) [inlined] TryOptimizeLoadObjectOrNull(peliminateList=0x00000001028da020) + 67 at IonAnalysis.cpp:2556, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001004fcfe4 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::EliminateRedundantChecks(js::jit::MIRGraph&) [inlined] TryOptimizeLoadObjectOrNull(peliminateList=0x00000001028da020) + 67 at IonAnalysis.cpp:2556
    frame #1: 0x00000001004fcfa1 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::EliminateRedundantChecks(graph=<unavailable>) + 3585 at IonAnalysis.cpp:2682
    frame #2: 0x00000001004f4539 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::OptimizeMIR(mir=<unavailable>) + 5257 at Ion.cpp:1481
    frame #3: 0x0000000100501372 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::CompileBackEnd(mir=0x00000001028da258, aRhs=<unavailable>) + 42 at Ion.cpp:1614
    frame #4: 0x0000000100501348 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::IonCompile(cx=0x00000001028a5180, script=<unavailable>, baselineFrame=<unavailable>) + 1221 at Ion.cpp:1983
(lldb)
Attached patch patchSplinter Review 
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)

        Attachment #8588789 -
        Flags: review?(jdemooij)
Whiteboard: [jsbugmon:update]

        Attachment #8588789 -
        Flags: review?(jdemooij) → review+

    
    

    
  
Should we backport this to 38/39?

    
    

    
  
Comment on attachment 8588789 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1131403
[User impact if declined]: Potential incorrect behavior
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none

        Attachment #8588789 -
        Flags: approval-mozilla-beta?

        Attachment #8588789 -
        Flags: approval-mozilla-aurora?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/30f3ac8076dd
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox40:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40

    
    

    
  
Comment on attachment 8588789 [details] [diff] [review]
patch

Should be in 38 beta 4.

Btw, please avoid "none"  for the risk eval. All patches have risks.

        Attachment #8588789 -
        Flags: approval-mozilla-beta?

        Attachment #8588789 -
        Flags: approval-mozilla-beta+

        Attachment #8588789 -
        Flags: approval-mozilla-aurora?

        Attachment #8588789 -
        Flags: approval-mozilla-aurora+

          You need to log in
          before you can comment on or make changes to this bug.