Closed Bug 1192377 Opened 10 years ago Closed 10 years ago

Crash due to Assertion failure: secondArg->type() == MIRType_Boolean, at js/src/jit/MCallOptimize.cpp:2678

Categories

(Core :: JavaScript Engine: JIT, defect)

42 Branch
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: spandan.veggalam, Unassigned)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150629114049

Steps to reproduce:

mozilla-central revision 892594bdad30
(build with: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug)
(Shell Options: --ion-eager --ion-offthread-compile=off)

if (getJitCompilerOptions()["ion.warmup.trigger"] <= 100)
    setJitCompilerOption("ion.warmup.trigger", 100);
function array0Length(i) {
    var a = [];
    assertRecoveredOnBailout(a, assertEq(a.this, arrayLarge1.v));
    return a.length;
}
function arrayLarge1(i) {
    var a = new Array(10000000);
    assertRecoveredOnBailout(a, false);
    return a.length;
}
for (var i = 0; i < 100; i++) {
    array0Length(i);
}

Actual results:

Assertion failure: secondArg->type() == MIRType_Boolean, at js/src/jit/MCallOptimize.cpp:2678
Segmentation fault (core dumped)
Summary: secondArg->type() == MIRType_Boolean → Crash due to Assertion failure: secondArg->type() == MIRType_Boolean, at js/src/jit/MCallOptimize.cpp:2678
Hm, this is like the getSelfHostedValue failures: assertRecoveredOnBailout expects its second argument to be a boolean and here it's undefined (the result of assertEq). Using --fuzzing-safe should fix this one too.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Resolution: INVALID → WONTFIX