Closed Bug 1181336 Opened 9 years ago Closed 9 years ago

Assertion failure: !call->hasSingleTarget(), at jit/CodeGenerator.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1185957
Tracking Status
firefox40 --- unaffected
firefox41 --- affected
firefox42 --- affected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

// Randomly chosen test: js/src/tests/ecma_6/Class/outerBinding.js
eval("class x { constructor(){} }");
// jsfunfuzz-generated
(function() {
    x()
})()

asserts js debug shell on m-c changeset ffa83d153080 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !call->hasSingleTarget(), at jit/CodeGenerator.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r ffa83d153080

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150617143743" and the hash "f858f1ba0ea5".
The "bad" changeset has the timestamp "20150617144141" and the hash "5c5ab792827a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f858f1ba0ea5&tochange=5c5ab792827a

Eric, are any of those bugs listed a likely regressor?
Flags: needinfo?(efaustbmo)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0xeadf6, 0x00000001004c4946 js-dbg-64-dm-nsprBuild-darwin-ffa83d153080`js::jit::CodeGenerator::visitCallGeneric(this=<unavailable>, call=<unavailable>) + 2982 at CodeGenerator.cpp:3020, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001004c4946 js-dbg-64-dm-nsprBuild-darwin-ffa83d153080`js::jit::CodeGenerator::visitCallGeneric(this=<unavailable>, call=<unavailable>) + 2982 at CodeGenerator.cpp:3020
    frame #1: 0x00000001004c9679 js-dbg-64-dm-nsprBuild-darwin-ffa83d153080`js::jit::CodeGenerator::generateBody(this=0x0000000102ad6000) + 985 at CodeGenerator.cpp:4108
    frame #2: 0x00000001004e298a js-dbg-64-dm-nsprBuild-darwin-ffa83d153080`js::jit::CodeGenerator::generate(this=0x0000000102ad6000) + 458 at CodeGenerator.cpp:7784
    frame #3: 0x000000010053da5f js-dbg-64-dm-nsprBuild-darwin-ffa83d153080`js::jit::GenerateCode(mir=0x0000000102ace1a8, lir=0x0000000102acfd38) + 303 at Ion.cpp:1713
    frame #4: 0x000000010053db41 js-dbg-64-dm-nsprBuild-darwin-ffa83d153080`js::jit::CompileBackEnd(mir=0x0000000102ace1a8) + 97 at Ion.cpp:1735
(lldb)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f11b7896950f
user:        Eric Faust
date:        Wed Jun 17 14:37:49 2015 -0700
summary:     Bug 1169731 - [[Call]] on a class constructor should throw. (r=jandem)

Eric, is bug 1169731 a likely regressor?
Component: JavaScript Engine → JavaScript Engine: JIT
Yep. This is gonna be taken care of in bug 1185957.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE