Closed Bug 1250195 Opened 9 years ago Closed 9 years ago

Assertion failure: false, at js/src/vm/SelfHosting.cpp:300 (ComputeIterationSpace called on non-array-type)

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox47 --- unaffected
firefox48 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e1cf617a1f28 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions --baseline-eager --ion-eager):

var i1 = SIMD.Int32x4();
var uint32 = TypedObject.uint32;
function fromOneDimArrayOfUint8ToUint32s() {
  var type = uint32.array(4);
  var r1 = type.from(i1, j => j*2);
}
fromOneDimArrayOfUint8ToUint32s();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b064f1 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:300
#0  0x0000000000b064f1 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:300
#1  0x0000000000abf772 in js::CallJSNative (cx=0x7ffff6907800, native=0xb06450 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x0000000000ab8ac1 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#3  0x0000000000ab95ec in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffff9820, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530
#4  0x0000000000614656 in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffff9888, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff9810, res=...) at js/src/jit/BaselineIC.cpp:6136
#5  0x00007ffff7ff1abf in ?? ()
[...]
#33 0x0000000000000000 in ?? ()

Additional assertion info: Self-hosted JavaScript assertion info: "js/src/builtin/TypedObject.js:1104: ComputeIterationSpace called on non-array-type"
Flags: needinfo?(nmatsakis)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
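As an added illustration (not SpiderMonkey's code), a small JavaScript model of the typed/untyped dispatch in TypedObject.from that this testcase trips: every typed object, a SIMD value included, is sent down the typed path, and ComputeIterationSpace then asserts because the value's type descriptor is not an array type. The helper names mirror the self-hosted ones but are stand-ins, and the corrected classification is an assumption, since the patch's replacement line is not quoted on this page.

```javascript
// Added illustration, not SpiderMonkey's code: a model of the typed/untyped
// dispatch in TypedObject.from that the testcase in comment 0 trips. The
// self-hosted helpers (IsObject, ObjectIsTypedObject, ComputeIterationSpace)
// are modelled as plain functions; the "fixed" classification is an assumption,
// since the replacement line is not shown in the quoted hunk.

// Constructed type descriptors: a uint32.array(4) and a SIMD-like Int32x4.
const uint32Array4 = { kind: "array", length: 4 };
const int32x4Type = { kind: "simd", lanes: 4 };

// Typed objects carry their type descriptor and raw lane/element values.
function makeTypedObject(typeDescr, values) {
  return { __typeDescr: typeDescr, values: Array.from(values) };
}
function isObject(v) { return v !== null && typeof v === "object"; }
function objectIsTypedObject(v) { return isObject(v) && "__typeDescr" in v; }

// Models the self-hosted assertion: only array types have an iteration space.
function computeIterationSpace(typeDescr) {
  if (typeDescr.kind !== "array")
    throw new Error("ComputeIterationSpace called on non-array-type");
  return typeDescr.length;
}

// from() with a pluggable test for "untyped" input.
function typedFrom(outputType, input, mapfn, isUntyped) {
  let items;
  if (isUntyped(input)) {
    items = Array.from(input, mapfn);                      // generic iteration path
  } else {
    const n = computeIterationSpace(input.__typeDescr);    // typed fast path
    items = input.values.slice(0, n).map(mapfn);
  }
  if (items.length !== outputType.length)
    throw new RangeError("length mismatch: " + items.length);
  return makeTypedObject(outputType, items);
}

// The removed line's test: any typed object is treated as typed input, so a
// SIMD value reaches ComputeIterationSpace with a non-array descriptor.
const buggyIsUntyped = (a) => !isObject(a) || !objectIsTypedObject(a);
// Assumed fix: typed input must also be of an array type.
const fixedIsUntyped = (a) => buggyIsUntyped(a) || a.__typeDescr.kind !== "array";

const simdValue = makeTypedObject(int32x4Type, [0, 0, 0, 0]);   // stands in for SIMD.Int32x4()
function runBuggy(input) { return typedFrom(uint32Array4, input, j => j * 2, buggyIsUntyped); }
function runFixed(input) { return typedFrom(uint32Array4, input, j => j * 2, fixedIsUntyped); }
```

With the assumed fix the SIMD value falls through to the generic path and fails with an ordinary RangeError instead of an engine assertion.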
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3e2ee1ed422e
user: Benjamin Bouvier
date: Thu Jul 09 19:15:24 2015 +0200
summary: Bug 1173722: Part 1 - Capitalize all the SIMD types names; r=nbp

This iteration took 217.746 seconds to run.
Benjamin, you needinfo'ed Niko here, but autoBisect points at your patch from bug 1173722 here, so not setting needinfo? from you... yet. :)
Blocks: 1173722
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Benjamin, you needinfo'ed Niko here, but autoBisect points at your patch
> from bug 1173722 here, so not setting needinfo? from you... yet. :)

It makes sense that autobisect stopped at this revision: before this revision one had to use SIMD.int32x4 in place of SIMD.Int32x4, so the test case should be varying on the revision. After 3e2ee1ed422e, SIMD.Int32x4; before 3e2ee1ed422e included, SIMD.int32x4. I am not sure whether autobisect can do this :-)
As a matter of fact, it isn't blocking this particular bug.
No longer blocks: 1173722
Gary, can you relaunch autobisect with the following test case, which should resist the renaming (and another change that made SIMD ctor parameters facultative):

var i1 = (SIMD.int32x4 || SIMD.Int32x4)(0,0,0,0);
var uint32 = TypedObject.uint32;
function fromOneDimArrayOfUint8ToUint32s() {
  var type = uint32.array(4);
  var r1 = type.from(i1, j => j*2);
}
fromOneDimArrayOfUint8ToUint32s();
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/29e5dcfb97f7
user: Tom Schuster
date: Tue Oct 06 17:04:09 2015 +0100
summary: Bug 1211832 - Disable functions that can easily cause artificial OOMs. r=jonco

I got this result. Benjamin/Tom, is bug 1211832 a likely regressor?
Flags: needinfo?(gary)
Flags: needinfo?(evilpies)
Flags: needinfo?(bbouvier)
I guess you're still running with --disable-oom-functions, as specified in comment 0. This revision is the one that implements it :-) Getting rid of the flag should lead us even deeper...
Flags: needinfo?(gary)
Flags: needinfo?(evilpies)
Flags: needinfo?(bbouvier)
In that case, I don't have something conclusive. It seems to still reproduce in November 2014, m-c rev 54be5416ae5d, which is one of the furthest back we can easily go.
Flags: needinfo?(gary) → needinfo?(bbouvier)
That confirms what I suspected: it's been there for a while... Let's see what nmatsakis or pnkfelix have to say about this (they wrote this code, it seems).
Flags: needinfo?(bbouvier)
The patch is actually trivial.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(nmatsakis)
Attachment #8727371 - Flags: review?(nmatsakis)
Comment on attachment 8727371 [details] [diff] [review]
typedobject.from.patch

Review of attachment 8727371 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/TypedObject.js
@@ -959,5 @@
>
> if (!IsObject(this) || !ObjectIsTypeDescr(this))
> ThrowTypeError(JSMSG_TYPEDOBJECT_BAD_ARGS);
>
> - var untypedInput = !IsObject(a) || !ObjectIsTypedObject(a);

just to be clear: the only change to behavior (and thus the actual bug fix) is solely the change to this one line, right? I.e. the other stuff below is just changes you've made to improve readability (or perhaps expected-performance)?
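Review bot: the quoted hunk shows only the removed line `var untypedInput = !IsObject(a) || !ObjectIsTypedObject(a);`, whose test classifies every typed object as typed input, which is how the SIMD value in the comment 0 testcase reaches ComputeIterationSpace with a non-array type descriptor and trips the self-hosted assertion; the replacement line is not quoted, so the hunk as shown does not let a reader confirm that the new condition also requires an array-type descriptor before taking the typed path, and quoting the `+` line alongside the `-` line would make the fix reviewable on its own.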
That's right: I've just removed a few else-after-return and obviously equivalent control flows.
Okay. (My personal style is to leave code alone unless there's an obvious readability or performance win associated with the change, but I don't want to block this changeset based on that personal preference.)
Attachment #8727371 - Flags: review?(nmatsakis) → review+
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
TypedObject still nightly-only.