Closed
Bug 1183056
Opened 9 years ago
Closed 9 years ago
Assertion failure: !IsInsideNursery(ty.singleton()), at js/src/jit/OptimizationTracking.cpp:391
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED DUPLICATE of bug 1182730
| | Tracking | Status |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,testComment=3][dupe of bug 1182730?])
The following testcase crashes on mozilla-central revision 9f2b81411bf5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager min.js):

    enableSPSProfiling();
    var a = {__lookupSetter__ : 'a'},
        b1 = Object.create(a),
        c1 = Object.create(b1),
        b2 = (Object(b1)),
        c2 = Object.create(b2);
    for each (var obj in [c1, c2])
        s += obj.x;

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000a07119 in js::jit::UniqueTrackedTypes::getIndexOf (this=this@entry=0x7fffffffc6d0, cx=cx@entry=0x7ffff69831c0, ty=..., indexp=indexp@entry=0x7fffffffc540 "") at js/src/jit/OptimizationTracking.cpp:391
    #0  0x0000000000a07119 in js::jit::UniqueTrackedTypes::getIndexOf (this=this@entry=0x7fffffffc6d0, cx=cx@entry=0x7ffff69831c0, ty=..., indexp=indexp@entry=0x7fffffffc540 "") at js/src/jit/OptimizationTracking.cpp:391
    #1  0x0000000000a07591 in js::jit::OptimizationTypeInfo::writeCompact (this=this@entry=0x7ffff3b07ab8, cx=cx@entry=0x7ffff69831c0, writer=..., uniqueTypes=...) at js/src/jit/OptimizationTracking.cpp:613
    #2  0x0000000000a07a8d in js::jit::WriteIonTrackedOptimizationsTable (cx=cx@entry=0x7ffff69831c0, writer=..., start=<optimized out>, end=<optimized out>, unique=..., numRegions=numRegions@entry=0x7fffffffca1c, regionTableOffsetp=regionTableOffsetp@entry=0x7fffffffc9f0, typesTableOffsetp=typesTableOffsetp@entry=0x7fffffffca00, optimizationTableOffsetp=optimizationTableOffsetp@entry=0x7fffffffca10, allTypes=allTypes@entry=0x7ffff3a0aa10) at js/src/jit/OptimizationTracking.cpp:959
    #3  0x0000000000a61647 in js::jit::CodeGeneratorShared::generateCompactTrackedOptimizationsMap (this=this@entry=0x7ffff3a16000, cx=cx@entry=0x7ffff69831c0, code=code@entry=0x7ffff7e794f0, allTypes=allTypes@entry=0x7ffff3a0aa10) at js/src/jit/shared/CodeGenerator-shared.cpp:835
    #4  0x00000000008d9e39 in js::jit::CodeGenerator::link (this=this@entry=0x7ffff3a16000, cx=cx@entry=0x7ffff69831c0, constraints=<optimized out>) at js/src/jit/CodeGenerator.cpp:7942
    #5  0x0000000000946a6f in LinkCodeGen (cx=cx@entry=0x7ffff69831c0, builder=builder@entry=0x7ffff3b02258, codegen=codegen@entry=0x7ffff3a16000, scripts=scripts@entry=0x7fffffffd150, info=info@entry=0x7fffffffd110) at js/src/jit/Ion.cpp:543
    #6  0x00000000009471db in LinkBackgroundCodeGen (cx=cx@entry=0x7ffff69831c0, builder=builder@entry=0x7ffff3b02258, scripts=scripts@entry=0x7fffffffd150, info=info@entry=0x7fffffffd110) at js/src/jit/Ion.cpp:565
    #7  0x0000000000947f86 in js::jit::AttachFinishedCompilations (cx=cx@entry=0x7ffff69831c0) at js/src/jit/Ion.cpp:1817
    #8  0x00000000006fdc7e in InvokeInterruptCallback (cx=0x7ffff69831c0) at js/src/vm/Runtime.cpp:542
    #9  0x00007ffff7ff1c49 in ?? ()
    [...]
    #31 0x0000000000000000 in ?? ()
    => 0xa07119 <js::jit::UniqueTrackedTypes::getIndexOf(JSContext*, js::TypeSet::Type, unsigned char*)+665>: movl $0x187,0x0
       0xa07124 <js::jit::UniqueTrackedTypes::getIndexOf(JSContext*, js::TypeSet::Type, unsigned char*)+676>: callq 0x4994a0 <abort()>

Marking s-s because it's a GC-related assertion.
Reporter
Updated • 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Reporter
Comment 1 • 9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Reporter
Updated • 9 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2 • 9 years ago
Brian, could this be a regression from something you have been working on? (Or even a dupe of something.) Thanks.
Flags: needinfo?(bhackett1024)
Keywords: sec-high
Reporter
Comment 3 • 9 years ago

For some reason, this only reproduces with --no-threads for me now, so reposting for JSBugMon:

The following testcase crashes on mozilla-central revision 9f2b81411bf5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager --no-threads):

    enableSPSProfiling();
    var a = {__lookupSetter__ : 'a'},
        b1 = Object.create(a),
        c1 = Object.create(b1),
        b2 = (Object(b1)),
        c2 = Object.create(b2);
    for each (var obj in [c1, c2])
        s += obj.x;

Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect,testComment=3]
Reporter
Updated • 9 years ago
Whiteboard: [jsbugmon:update,bisect,testComment=3] → [jsbugmon:update,testComment=3]
Reporter
Comment 4 • 9 years ago

JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150629094535" and the hash "1fd3716e4bd1".
The "bad" changeset has the timestamp "20150629101538" and the hash "1388dbf01406".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1fd3716e4bd1&tochange=1388dbf01406
Comment 6 • 9 years ago
This is my fault, not bhackett's. I think this is a dup of bug 1182730, but have no time to confirm until next week.
Flags: needinfo?(bhackett1024)
Updated • 9 years ago
Whiteboard: [jsbugmon:update,testComment=3] → [jsbugmon:update,testComment=3][dupe of bug 1182730?]
Updated • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release