Bug 1196589
Opened 9 years ago
Closed 9 years ago
Crash [@ js::ToPrimitive] or Assertion failure: output.type() == MIRType_Int32, at jit/IonCaches.cpp:1188 with --unboxed-arrays
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla43
Tracking | Status | |
---|---|---|
firefox43 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments (1 file)
1.20 KB, patch | jandem: review+ | Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 90d9b7c391d3 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --ion-offthread-compile=off --unboxed-arrays --ion-eager):

    function printStatus (msg) {
      var lines = msg.split ("\n");
      for (var i=0; i<lines.length; i++)
        print (STATUS + lines[i]);
    }
    Object.prototype.length = function(){};
    var summary = 'Do not assert: !OBJ_GET_PROTO(cx, ctor)';
    printStatus (summary);

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000008eeb63 in js::ToPrimitive (cx=0x7ffff6907000, obj=..., hint=JSTYPE_NUMBER, vp=...) at js/src/jsobj.h:122
    #0  0x00000000008eeb63 in js::ToPrimitive (cx=0x7ffff6907000, obj=..., hint=JSTYPE_NUMBER, vp=...) at js/src/jsobj.h:122
    #1  0x0000000000868b02 in ToPrimitive (vp=..., preferredType=JSTYPE_NUMBER, cx=0x7ffff6907000) at js/src/jsobjinlines.h:595
    #2  LessThanOperation (res=0x7fffffffc7ac, rhs=..., lhs=..., cx=0x7ffff6907000) at js/src/vm/Interpreter-inl.h:679
    #3  js::jit::LessThan (cx=0x7ffff6907000, lhs=..., rhs=..., res=0x7fffffffc7ac) at js/src/jit/VMFunctions.cpp:219
    #4  0x00007ffff7feb524 in ?? ()
    #5  0x00007ffff69cbc80 in ?? ()
    #6  0x00007fffffffc7ac in ?? ()
    #7  0x00000000017f1e60 in js::jit::GetElementIC::UpdateInfo ()
    #8  0x00007ffff7e557c0 in ?? ()
    #9  0x00000000017f2b80 in js::jit::LeInfo ()
    #10 0x00007ffff7e55d60 in ?? ()
    #11 0x00007ffff7ff4f69 in ?? ()
    #12 0x0000000000000a00 in ?? ()
    #13 0xfff8800000000000 in ?? ()
    #14 0xfffc000000000001 in ?? ()
    #15 0xfff9000000000000 in ?? ()
    #16 0x0000000000000058 in ?? ()
    #17 0x00007ffff7e60060 in ?? ()
    #18 0x0000000000000000 in ?? ()

Registers:

    rax 0x1              1
    rbx 0x7fffffffc7d0   140737488340944
    rcx 0x7fffffffc7d8   140737488340952
    rdx 0x4              4
    rsi 0x7fffffffc750   140737488340816
    rdi 0x7ffff6907000   140737330049024
    rbp 0x7ffff6907000   140737330049024
    rsp 0x7fffffffc708   140737488340744
    r8  0x7fffffffc798   140737488340888
    r9  0x7ffff7e6d080   140737352487040
    r10 0x7fffffffc7d0   140737488340944
    r11 0x7ffff693c1e0   140737330266592
    r12 0x7fffffffc7d8   140737488340952
    r13 0x7fffffffc7ac   140737488340908
    r14 0x404            1028
    r15 0x7ffff7fe8660   140737354040928
    rip 0x8eeb63         <js::ToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>)+3>

Disassembly at the faulting instruction:

    => 0x8eeb63 <js::ToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>)+3>: mov (%rax),%rax
       0x8eeb66 <js::ToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>)+6>: mov (%rax),%rax
Comment 1•9 years ago
As with normal arrays, the |length| property of unboxed arrays isn't reflected in type information and Ion caches need to be careful when emitting loads from the unboxed array length.
Assignee: nobody → bhackett1024
Attachment #8651120 -
Flags: review?(jdemooij)
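Added example, not part of the bug, its patch, or the jit-test the fix landed with: a regression-style check of the semantics comment 1 is about. An array's own `length` is a data property and must shadow any `length` defined on `Object.prototype`, including inside a hot loop of the same shape as the fuzzer testcase (split a string, then read `lines.length` on every iteration). Any conforming engine passes this; the original build instead crashed in the Ion GetElement cache when `--unboxed-arrays --ion-eager` was set. The `iterations` parameter and the input string are constructed here and serve only to make the loop hot.

```javascript
// Added example (not the bug's or the patch's own code). Verifies that an
// array's own `length` wins over a `length` set on Object.prototype, in a
// loop shaped like the crashing testcase. Input strings are constructed.

function countLines(msg) {
  // Same loop shape as the fuzzer testcase: split into an array, then read
  // lines.length on every iteration so the engine hits it repeatedly.
  var lines = msg.split("\n");
  var n = 0;
  for (var i = 0; i < lines.length; i++) {
    n++;
  }
  return n;
}

function checkLengthShadowing(iterations) {
  // Install a function-valued `length` on Object.prototype, as the testcase
  // does, and restore the previous state afterwards so the check is isolated.
  var savedDesc = Object.getOwnPropertyDescriptor(Object.prototype, "length");
  Object.prototype.length = function () {};
  try {
    var results = [];
    for (var k = 0; k < iterations; k++) {
      results.push(countLines("a\nb\nc"));  // constructed 3-line input
    }
    // Arrays (literal and split() result) carry an own data `length`.
    var arrOk = [1, 2, 3].length === 3 && "x\ny".split("\n").length === 2;
    // A plain object with no own `length` must see the prototype's function.
    var objSeesProto = typeof ({}).length === "function";
    // Every hot-loop iteration must have counted exactly three lines.
    var loopOk = results.length === iterations &&
                 results.every(function (r) { return r === 3; });
    return { arrOk: arrOk, objSeesProto: objSeesProto, loopOk: loopOk };
  } finally {
    if (savedDesc) {
      Object.defineProperty(Object.prototype, "length", savedDesc);
    } else {
      delete Object.prototype.length;
    }
  }
}
```

Running `checkLengthShadowing(10000)` under a JIT-enabled shell is the interesting case: a correct engine returns all three flags true, and a build with the bug reported here is expected to crash rather than return at all.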
Updated•9 years ago
Attachment #8651120 -
Flags: review?(jdemooij) → review+
Comment 2•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/81259cd97224
Comment 3•9 years ago
https://hg.mozilla.org/mozilla-central/rev/81259cd97224
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43