Closed
Bug 1185957
Opened 10 years ago
Closed 9 years ago
Assertion failure: !call->hasSingleTarget(), at js/src/jit/CodeGenerator.cpp:3020 with ES6 Classes
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla43
People
(Reporter: decoder, Assigned: efaust)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
3.32 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 3a4bfa5d2d02 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-eager):
class test {
constructor() {};
}
(function() {
test()
})();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5ac2700 (LWP 3407)]
0x0000000000895f07 in js::jit::CodeGenerator::visitCallGeneric (this=0x7ffff69c5000, call=0x7ffff330c830) at js/src/jit/CodeGenerator.cpp:3020
#0 0x0000000000895f07 in js::jit::CodeGenerator::visitCallGeneric (this=0x7ffff69c5000, call=0x7ffff330c830) at js/src/jit/CodeGenerator.cpp:3020
#1 0x00000000008f05c6 in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff69c5000) at js/src/jit/CodeGenerator.cpp:4108
#2 0x00000000008f0d62 in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff69c5000) at js/src/jit/CodeGenerator.cpp:7784
#3 0x00000000009231a7 in js::jit::GenerateCode (mir=mir@entry=0x7ffff330a1a8, lir=0x7ffff330bd38) at js/src/jit/Ion.cpp:1713
#4 0x0000000000985601 in js::jit::CompileBackEnd (mir=0x7ffff330a1a8) at js/src/jit/Ion.cpp:1735
#5 0x000000000067daf2 in js::HelperThread::handleIonWorkload (this=this@entry=0x7ffff696a550) at js/src/vm/HelperThreads.cpp:1127
#6 0x000000000067f347 in js::HelperThread::threadLoop (this=0x7ffff696a550) at js/src/vm/HelperThreads.cpp:1423
#7 0x00000000006ffec1 in nspr::Thread::ThreadRoutine (arg=0x7ffff6931180) at js/src/vm/PosixNSPR.cpp:45
#8 0x00007ffff7bc4182 in start_thread (arg=0x7ffff5ac2700) at pthread_create.c:312
#9 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax 0x0 0
rbx 0x7ffff69c5000 140737330827264
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7ffff5ac1b20 140737315085088
rsp 0x7ffff5ac1a50 140737315084880
r8 0x7ffff5ac2700 140737315088128
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7ffff6f76be0 140737336798176
r11 0x0 0
r12 0x7ffff330c830 140737273448496
r13 0x3 3
r14 0x7ffff330c830 140737273448496
r15 0x0 0
rip 0x895f07 <js::jit::CodeGenerator::visitCallGeneric(js::jit::LCallGeneric*)+1671>
=> 0x895f07 <js::jit::CodeGenerator::visitCallGeneric(js::jit::LCallGeneric*)+1671>: movl $0xbcc,0x0
0x895f12 <js::jit::CodeGenerator::visitCallGeneric(js::jit::LCallGeneric*)+1682>: callq 0x498e30 <abort()>
|
||
Updated•10 years ago
|
Flags: needinfo?(efaustbmo)
|
||
Comment 1•10 years ago
|
||
See bug 1181336.
|
Assignee | |
Comment 3•10 years ago
|
||
We can't just filter all cases known to throw through LCallGeneric, because it asserts that we don't do that. Make LCallKnown handle this case, but punt to the interpreter.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8637549 -
Flags: review?(jdemooij)
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8637549 [details] [diff] [review]
Fix
Review of attachment 8637549 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jit-test/tests/ion/bug1185957.js
@@ +9,5 @@
> +})();
> +`;
> +
> +if (classesEnabled())
> + eval(test);
This test needs a try-catch or `// |jit-test| error: FOO` line right?
::: js/src/jit/CodeGenerator.cpp
@@ +3141,5 @@
> + emitCallInvokeFunction(call, calleereg, call->isConstructing(), call->numActualArgs(), unusedStack);
> + return;
> + }
> +
> + MOZ_ASSERT_IF(target->isClassConstructor(), call->isConstructing());
Seems we can remove this assert since it follows directly from the if-condition above. If you think it's still useful it's fine to keep it tho.
Attachment #8637549 -
Flags: review?(jdemooij) → review+
|
|
||
Comment 5•10 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #4)
> This test needs a try-catch or `// |jit-test| error: FOO` line right?
... and the latter won't work in the !classesEnabled() case...
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox43:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
||
Comment 9•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•