Assertion failure: (expected != ExprType::Void) == !!*def, at js/src/asmjs/WasmIonCompile.cpp:2522

RESOLVED FIXED in Firefox 47

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 2 years ago
Modified: 2 years ago

People: Reporter: gkw, Assigned: bbouvier

Tracking: Blocks: 1 bug; Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla47
Hardware: x86_64 Mac OS X
Points: ---

Firefox Tracking Flags: firefox47 fixed

Whiteboard: [fuzzblocker][jsbugmon:update]

Attachments: 1 attachment

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 1dbe350b57b1 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

(function() {
    "use asm"
    function f() {
        return .0            // first return: the function's result is a double
        return 0 ? -0 : -0   // dead code after the return; compiling this ternary is what trips the assertion
    }
})()

Backtrace:

0   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001000f9e7d EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) + 28893 (WasmIonCompile.cpp:2522)
1   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001000f8a31 EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) + 23697 (WasmIonCompile.cpp:2583)
2   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001000f1548 js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) + 536 (WasmIonCompile.cpp:2997)
3   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001000f124e js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) + 286 (WasmGenerator.cpp:529)
4   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001000e7c2e CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, JS::MutableHandle<js::WasmModuleObject*>, unsigned int*, mozilla::Vector<js::wasm::SlowFunction, 0ul, js::TempAllocPolicy>*) + 9070 (AsmJS.cpp:6707)
5   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001000e42b2 js::CompileAsmJS(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, bool*) + 3010 (AsmJS.cpp:8215)
6   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010003ffdf js::frontend::Parser<js::frontend::FullParseHandler>::asmJS(js::frontend::ParseNode*) + 143 (Parser.cpp:3404)
7   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001000534ab js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) + 347 (Parser.cpp:3479)
8   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010004bbf6 js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 758 (Parser.cpp:3544)
9   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100053623 js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) + 307 (Parser.cpp:1360)
10  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100054c9c js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind) + 604 (Parser.cpp:3174)
11  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100042cc2 js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody(js::frontend::InHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) + 802 (Parser.cpp:2979)
12  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005666f js::frontend::Parser<js::frontend::FullParseHandler>::functionDef(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<js::PropertyName*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction, js::frontend::ParseNode**) + 735 (Parser.cpp:2806)
13  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100056e1f js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr(js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 447 (Parser.cpp:3331)
14  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005aabb js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1227 (Parser.cpp:9147)
15  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005cee7 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8461)
16  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005c829 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:7981)
17  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005c18c js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7505)
18  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005bf6f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7557)
19  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100053efc js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7672)
20  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010004d2c2 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7373)
21  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005ac47 js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1623 (Parser.cpp:9298)
22  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005cee7 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8461)
23  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005c829 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:7981)
24  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005c18c js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7505)
25  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010005bf6f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7557)
26  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100053efc js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7672)
27  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010004d2c2 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7373)
28  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010004ea03 js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 83 (Parser.cpp:5602)
29  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010004e087 js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) + 1575 (Parser.cpp:7213)
30  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010004bb3c js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 572 (Parser.cpp:3522)
31  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010004539d js::frontend::Parser<js::frontend::FullParseHandler>::globalBody() + 77 (Parser.cpp:1102)
32  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001008fc382 BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>) + 834 (BytecodeCompiler.cpp:524)
33  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001008fe16d js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 189 (BytecodeCompiler.cpp:738)
34  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100510304 Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) + 404 (RootingAPI.h:481)
35  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010051068b Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, char const*, unsigned long, JS::MutableHandle<JSScript*>) + 267 (jsapi.cpp:3975)
36  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001005107dc JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, __sFILE*, JS::MutableHandle<JSScript*>) + 108 (jsapi.cpp:4001)
37  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010001eeb6 Process(JSContext*, char const*, bool, FileKind) + 3286 (js.cpp:514)
38  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100004d49 main + 11769 (js.cpp:6368)
39  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100001334 start + 52

autoBisect is running.
(Reporter)

Updated

2 years ago
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
(Assignee)

Comment 1

2 years ago
Created attachment 8716272 [details] [diff] [review]
deadcode.patch

I always forget about dead code, duh. Note there is a second assertion in this code but it won't trigger because it doesn't depend on the actual MDef.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8716272 - Flags: review?(luke)
(Reporter)

Comment 2

2 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   283012:3cfbbaeadb0b
user:        Benjamin Bouvier
date:        Wed Feb 03 16:04:39 2016 +0100
summary:     Bug 1242342: Replace Ternary by IfElse which return expressions; r=luke

Guessing this is related to bug 1242342.
Blocks: 1242342

Updated

2 years ago
Attachment #8716272 - Flags: review?(luke) → review+
(Reporter)

Comment 3

2 years ago
Helping out with a checkin-needed keyword for the weekend, since this [fuzzblocker] patch has a straightforward r+.
Keywords: checkin-needed

Comment 4

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/33f24d250f97
Keywords: checkin-needed

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/33f24d250f97
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox47: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47

Comment 6

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4c2e56373aab
(Assignee)

Comment 7

2 years ago
Pushed the test case, as I had the intent to add it to the patch.

Comment 8

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4c2e56373aab