Closed Bug 1189980 Opened 4 years ago Closed 4 years ago

Assertion failure: obj == callInfo.thisArg() && value == callInfo.getArg(0), at jit/MCallOptimize.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

Platform: x86_64, macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla42
Tracking Status: firefox42 --- fixed

People

(Reporter: gkw, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

// Reporter's fuzzer-reduced testcase: f() returns a double (unary plus on the
// result of Math.ceil), and the loop pushes that value twice into an array that
// starts out unboxed, which is the path that reaches inlineArrayPush in Ion.
function f() {
    return +Math.ceil(0);
}
(function() {
    var x = [];
    for (var i = 0; i < 2; i++) {
        x.push(f());
    }
})();

asserts js debug shell on m-c changeset afa67b6957bb with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays at Assertion failure: obj == callInfo.thisArg() && value == callInfo.getArg(0), at jit/MCallOptimize.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r afa67b6957bb

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1398d03aed65
user:        Brian Hackett
date:        Tue Jul 07 11:20:25 2015 -0700
summary:     Bug 1176751 - Eagerly convert unboxed arrays to native arrays more often during Ion compilation, r=jandem.

Brian, is bug 1176751 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x6d5f8, 0x000000010064e120 js-dbg-64-dm-nsprBuild-darwin-afa67b6957bb`js::jit::IonBuilder::inlineArrayPush(this=<unavailable>, callInfo=<unavailable>) + 1344 at MCallOptimize.cpp:775, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010064e120 js-dbg-64-dm-nsprBuild-darwin-afa67b6957bb`js::jit::IonBuilder::inlineArrayPush(this=<unavailable>, callInfo=<unavailable>) + 1344 at MCallOptimize.cpp:775
    frame #1: 0x0000000100597fa5 js-dbg-64-dm-nsprBuild-darwin-afa67b6957bb`js::jit::IonBuilder::inlineSingleCall(this=<unavailable>, callInfo=<unavailable>, targetArg=<unavailable>) + 117 at IonBuilder.cpp:5261
    frame #2: 0x000000010059823c js-dbg-64-dm-nsprBuild-darwin-afa67b6957bb`js::jit::IonBuilder::inlineCallsite(this=0x00000001028b4258, targets=<unavailable>, callInfo=0x00007fff5fbfd970) + 588 at IonBuilder.cpp:5325
    frame #3: 0x000000010058969b js-dbg-64-dm-nsprBuild-darwin-afa67b6957bb`js::jit::IonBuilder::jsop_call(this=0x00000001028b4258, argc=<unavailable>, constructing=<unavailable>) + 859 at IonBuilder.cpp:6203
    frame #4: 0x0000000100580c19 js-dbg-64-dm-nsprBuild-darwin-afa67b6957bb`js::jit::IonBuilder::inspectOpcode(this=0x00000001028b4258, op=<unavailable>) + 857 at IonBuilder.cpp:1844
(lldb)
Attached patch patch
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8643752 - Flags: review?(jdemooij)
Attachment #8643752 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/dc52da1924d2
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42