Closed
Bug 1181166
Opened 9 years ago
Closed 9 years ago
Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747 with signature XUL!EnterBaseline(JSContext*, js::jit::EnterJitData&) [BaselineJIT.cpp : 124 + 0xf0]
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
DUPLICATE
of bug 1175538
People
(Reporter: cbook, Unassigned)
References
()
Details
(Keywords: sec-high)
Attachments
(2 files)
Found by bughunter and has also ->> Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747 Steps to reproduce: -> Load http://www.autobusubilietai.lt -->> Assertion failure: MIR instruction returned object with unexpected type, at c:/mozilla/builds/nightly/mozilla/js/src/jit/MacroAssembler.cpp:1747 but this time XUL!EnterBaseline(JSContext*, js::jit::EnterJitData&) [BaselineJIT.cpp : 124 + 0xf0] crash , stack attached
Reporter | ||
Comment 1•9 years ago
|
||
Comment 2•9 years ago
|
||
Jandem, is there somebody who can look at this? Thanks.
Flags: needinfo?(jdemooij)
Comment 3•9 years ago
|
||
Benjamin, would you mind bisecting/investigating this to see if that tells us something? I'm trying to forward more of these bugs to others as taking all these bugs myself can be very time consuming.
Flags: needinfo?(jdemooij) → needinfo?(benj)
Comment 5•9 years ago
|
||
The failure is a runtime check implemented in JIT code, so we have no backtrace in the debugger. This check is generated for each LIR instruction. I'd suggest some printf debugging to get more information, or trying disabling a few optimization passes and see what happens, but it's really non-trivial to know what's going on here... I'll be on PTO next week, so I won't be able to give it a look soon, but I can do it later, when I'm back, unless somebody beats me to it.
Comment 6•9 years ago
|
||
I'm back from PTO, and I've tried to reproduce this today, but I couldn't! Bisection lead to this: The first good revision is: changeset: 256340:7ce747f01b72 user: Brian Hackett <bhackett1024@gmail.com> date: Wed Aug 05 11:53:01 2015 -0400 summary: Bug 1175538 - Ensure str_split result object has the right group. r=jandem Brian, does this look like this runtime check could have been triggered without this patch? I don't have access to bug 1175538, but the summary and the patch content seem consistent with the failure described in the bug's title.
Flags: needinfo?(bhackett1024)
Comment 7•9 years ago
|
||
For what it's worth, bug 1175538 has two parts: a new assertion and a fix. I've tried adding only the assertion onto changeset 256339 and see if it were triggered when visiting the website, but it wasn't. So the question still stands.
Comment 8•9 years ago
|
||
Bug 1175538 was fixing one of these "returned object with unexpected type" failures, so it definitely could have fixed this too. The assertion added by that bug is somewhat ancillary.
Flags: needinfo?(bhackett1024)
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•