Closed Bug 1174556 Opened 10 years ago Closed 10 years ago

Assertion failure: type == MIRType_Object, at js/src/jit/IonTypes.h:450

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 1174547
Tracking Status: firefox41 --- affected

People: Reporter: decoder, Unassigned

Details: 4 keywords, Whiteboard: [jsbugmon:update,ignore]

The following testcase crashes on mozilla-central revision c223b8844264 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

var expect = '';
new Function('eval("({}) instanceof Object") + (_x && !expect && _y);')();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff62c6700 (LWP 3672)]
0x000000000045eb2c in js::jit::ValueTypeFromMIRType (type=<optimized out>) at js/src/jit/IonTypes.h:450
#0  0x000000000045eb2c in js::jit::ValueTypeFromMIRType (type=<optimized out>) at js/src/jit/IonTypes.h:450
#1  0x0000000000a3b896 in ValueTypeFromMIRType (type=<optimized out>) at js/src/jit/x64/CodeGenerator-x64.cpp:77
#2  js::jit::CodeGeneratorX64::visitBox (this=0x7ffff472e000, box=0x7ffff471d7e0) at js/src/jit/x64/CodeGenerator-x64.cpp:81
#3  0x00000000008b411e in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff472e000) at js/src/jit/CodeGenerator.cpp:4111
#4  0x00000000008b48d2 in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff472e000) at js/src/jit/CodeGenerator.cpp:7787
#5  0x00000000008e1ad7 in js::jit::GenerateCode (mir=mir@entry=0x7ffff470a1a8, lir=0x7ffff4710310) at js/src/jit/Ion.cpp:1729
#6  0x00000000009471e5 in js::jit::CompileBackEnd (mir=0x7ffff470a1a8) at js/src/jit/Ion.cpp:1751
#7  0x000000000064c932 in js::HelperThread::handleIonWorkload (this=this@entry=0x7ffff694c108) at js/src/vm/HelperThreads.cpp:1127
#8  0x000000000064e167 in js::HelperThread::threadLoop (this=0x7ffff694c108) at js/src/vm/HelperThreads.cpp:1423
#9  0x00000000006c6541 in nspr::Thread::ThreadRoutine (arg=0x7ffff69301a0) at js/src/vm/PosixNSPR.cpp:45
#10 0x00007ffff7bc4182 in start_thread (arg=0x7ffff62c6700) at pthread_create.c:312
#11 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

rax 0x0 0
rbx 0x7ffff471d7e0 140737294489568
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7ffff62c5a90 140737323489936
rsp 0x7ffff62c5a90 140737323489936
r8  0x7ffff62c6700 140737323493120
r9  0x6372732f736a2f6c 7165916604736876396
r10 0x7ffff6f76be0 140737336798176
r11 0x0 0
r12 0x2 2
r13 0x7ffff472e000 140737294557184
r14 0x7ffff471d848 140737294489672
r15 0x7ffff471d800 140737294489600
rip 0x45eb2c <js::jit::ValueTypeFromMIRType(js::jit::MIRType)+28>
=> 0x45eb2c <js::jit::ValueTypeFromMIRType(js::jit::MIRType)+28>: movl $0x1c2,0x0
   0x45eb37 <js::jit::ValueTypeFromMIRType(js::jit::MIRType)+39>: callq 0x4941f0 <abort()>

Marking s-s because this assertion was already seen in previous s-s bugs.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150611043342" and the hash "fbb2e7d00e46".
The "bad" changeset has the timestamp "20150611053142" and the hash "46acf3627306".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=fbb2e7d00e46&tochange=46acf3627306
Flags: needinfo?(nicolas.b.pierron)
Keywords: sec-high
I cannot reproduce this issue with my patch queue. This bug is probably a duplicate of Bug 1174547.
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 4b0fb77f77a4).
Duping this over to bug 1174547 per comment 2.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release