User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0 Build ID: 20150629114049 Steps to reproduce: mozilla-central revision 892594bdad30 (build with: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug) (Shell Options: --ion-eager --ion-offthread-compile=off) b = Math.pow(assertRecoveredOnBailout(i, true), 32); for (var i = 0; i < 60000; i++) b = b & i; assertEq(b, 0); Actual results: Assertion failure: input()->isRecoveredOnBailout() == mustBeRecovered_ (assertRecoveredOnBailout failed during compilation), at js/src/jit/Recover.cpp:1465
assertRecoveredOnBailout is another unsafe testing function that's not there with --fuzzing-safe. Nicolas, can you confirm this assertion failure is expected?
(In reply to Jan de Mooij [:jandem] from comment #1) > assertRecoveredOnBailout is another unsafe testing function that's not there > with --fuzzing-safe. > > Nicolas, can you confirm this assertion failure is expected? Yes, assertRecoveredOnBailout is a function made to assert that optimizations are working as expected, thus, they are many test cases which will fail when this testing function is used, because they are many cases, where such optimization does not make sense. The current test case assert that we recover a constant (undefined) on bailout, which is not the case because constants are encoded directly in the list of constants of the IonCode, and not computed during the recovery of the instruction value while returning to baseline.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.