Closed
Bug 1250195
Opened 9 years ago
Closed 9 years ago
Assertion failure: false, at js/src/vm/SelfHosting.cpp:300 (ComputeIterationSpace called on non-array-type)
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla48

Version | Tracking | Status
---|---|---
firefox47 | --- | unaffected
firefox48 | --- | fixed
People: Reporter decoder, Assigned bbouvier
Details: Keywords assertion, regression, testcase; Whiteboard [jsbugmon:update]
Attachments (1 file): 3.46 KB patch, pnkfelix: review+
The following testcase crashes on mozilla-central revision e1cf617a1f28 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions --baseline-eager --ion-eager):
var i1 = SIMD.Int32x4();               // a SIMD value: a typed object, but not one of an array type
var uint32 = TypedObject.uint32;
function fromOneDimArrayOfUint8ToUint32s() {
  var type = uint32.array(4);          // array type descriptor: 4 x uint32
  var r1 = type.from(i1, j => j*2);    // ArrayType.from with the SIMD value as input triggers the assertion
}
fromOneDimArrayOfUint8ToUint32s();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000b064f1 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:300
#0 0x0000000000b064f1 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:300
#1 0x0000000000abf772 in js::CallJSNative (cx=0x7ffff6907800, native=0xb06450 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2 0x0000000000ab8ac1 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#3 0x0000000000ab95ec in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffff9820, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530
#4 0x0000000000614656 in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffff9888, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff9810, res=...) at js/src/jit/BaselineIC.cpp:6136
#5 0x00007ffff7ff1abf in ?? ()
[...]
#33 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff6f79868 140737336809576
rcx 0x7ffff6ca5870 140737333844080
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff9160 140737488327008
rsp 0x7fffffff9130 140737488326960
r8 0x7ffff7fe07c0 140737354008512
r9 0x240800000000 39616778338304
r10 0x7fffffff8ef0 140737488326384
r11 0x7ffff6c27ee0 140737333329632
r12 0x7ffff7e43250 140737352315472
r13 0x0 0
r14 0x7fffffff9190 140737488327056
r15 0xb06450 11560016
rip 0xb064f1 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+161>
=> 0xb064f1 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+161>: movl $0x12c,0x0
0xb064fc <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+172>: callq 0x4a60b0 <abort()>
Additional assertion info:
Self-hosted JavaScript assertion info: "js/src/builtin/TypedObject.js:1104: ComputeIterationSpace called on non-array-type"
Updated•9 years ago
Flags: needinfo?(nmatsakis)
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3e2ee1ed422e
user: Benjamin Bouvier
date: Thu Jul 09 19:15:24 2015 +0200
summary: Bug 1173722: Part 1 - Capitalize all the SIMD types names; r=nbp
This iteration took 217.746 seconds to run.
Comment 2•9 years ago
Benjamin, you needinfo'ed Niko here, but autoBisect points at your patch from bug 1173722 here, so not setting needinfo? from you... yet. :)
Blocks: 1173722
Comment 3•9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Benjamin, you needinfo'ed Niko here, but autoBisect points at your patch
> from bug 1173722 here, so not setting needinfo? from you... yet. :)
It makes sense that autobisect stopped at this revision: before this revision one had to use SIMD.int32x4 in place of SIMD.Int32x4, so the test case should be varying on the revision. After 3e2ee1ed422e, SIMD.Int32x4; before 3e2ee1ed422e included, SIMD.int32x4. I am not sure whether autobisect can do this :-)
Comment 4•9 years ago
As a matter of fact, it isn't blocking this particular bug.
No longer blocks: 1173722
Comment 5•9 years ago
Gary, can you relaunch autobisect with the following test case, which should resist the renaming (and another change that made SIMD ctor parameters facultative):
var i1 = (SIMD.int32x4 || SIMD.Int32x4)(0,0,0,0);  // works before and after the rename in 3e2ee1ed422e; explicit lanes for builds where ctor arguments were mandatory
var uint32 = TypedObject.uint32;
function fromOneDimArrayOfUint8ToUint32s() {
  var type = uint32.array(4);                       // array type descriptor: 4 x uint32
  var r1 = type.from(i1, j => j*2);                 // ArrayType.from with the SIMD value as input
}
fromOneDimArrayOfUint8ToUint32s();
Flags: needinfo?(gary)
Comment 6•9 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/29e5dcfb97f7
user: Tom Schuster
date: Tue Oct 06 17:04:09 2015 +0100
summary: Bug 1211832 - Disable functions that can easily cause artificial OOMs. r=jonco
I got this result. Benjamin/Tom, is bug 1211832 a likely regressor?
Flags: needinfo?(gary)
Flags: needinfo?(evilpies)
Flags: needinfo?(bbouvier)
Comment 7•9 years ago
I guess you're still running with --disable-oom-functions, as specified in comment 0. This revision is the one that implements it :-) Getting rid of the flag should lead us even deeper...
Flags: needinfo?(gary)
Flags: needinfo?(evilpies)
Flags: needinfo?(bbouvier)
Comment 8•9 years ago
In that case, I don't have something conclusive.
It seems to still reproduce in November 2014, m-c rev 54be5416ae5d, which is one of the furthest back we can easily go.
Flags: needinfo?(gary) → needinfo?(bbouvier)
Comment 9•9 years ago
That confirms what I suspected: it's been there for a while... Let's see what nmatsakis or pnkfelix have to say about this (they wrote this code, it seems).
Flags: needinfo?(bbouvier)
Comment 10•9 years ago
The patch is actually trivial.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(nmatsakis)
Attachment #8727371 - Flags: review?(nmatsakis)
Comment 11•9 years ago
Comment on attachment 8727371 [details] [diff] [review]
typedobject.from.patch
Review of attachment 8727371 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/builtin/TypedObject.js
@@ -959,5 @@
>
> if (!IsObject(this) || !ObjectIsTypeDescr(this))
> ThrowTypeError(JSMSG_TYPEDOBJECT_BAD_ARGS);
>
> - var untypedInput = !IsObject(a) || !ObjectIsTypedObject(a);
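Review bot: the quoted hunk shows only the removed line, `var untypedInput = !IsObject(a) || !ObjectIsTypedObject(a);`, and not its replacement, so the fix itself is not visible in this excerpt. As written, that guard routes every typed object to the typed-input path regardless of its type descriptor, and the assertion in comment 0 ("ComputeIterationSpace called on non-array-type") indicates that a typed object whose type is not an array type reached that path. Worth confirming that the replacement also requires the input's type descriptor to be an array type, so that non-array typed objects fall through to the untyped-input handling and its ordinary argument checks, and that the comment 0 testcase is added as a regression test alongside the change.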
just to be clear: the only change to behavior (and thus the actual bug fix) is solely the change to this one line, right?
I.e. the other stuff below is just changes you've made to improve readability (or perhaps expected-performance)?
Comment 12•9 years ago
That's right: I've just removed a few else-after-return and obviously equivalent control flows.
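The one-line guard change discussed in comments 11 and 12 is easy to illustrate with a constructed model. The code below is an added example and is not SpiderMonkey's TypedObject.js: `TypeDescr`, `TypedObject`, `arrayTypeFrom`, `computeIterationSpace` and the two guard functions are all assumptions made for the illustration. It contrasts a guard that classifies input only by category (any typed object) with one that also checks the specific shape the typed path needs (an array type), and shows that a typed object of the wrong kind reaches the internal iteration-space invariant under the first guard but gets an ordinary user-visible error under the second.

```javascript
// Constructed model (NOT SpiderMonkey's TypedObject.js) of the untypedInput guard.
// Every name here is an assumption made for the example.

const Kind = Object.freeze({ SCALAR: "scalar", ARRAY: "array", SIMD: "simd" });

// Stand-in for a type descriptor; only ARRAY descriptors have an iteration space.
class TypeDescr {
  constructor(kind, elementType = null, length = 0) {
    this.kind = kind;
    this.elementType = elementType;
    this.length = length;
  }
  array(length) {
    return new TypeDescr(Kind.ARRAY, this, length);
  }
}

// Stand-in for a typed object: a descriptor plus its payload.
class TypedObject {
  constructor(descr, values) {
    this.descr = descr;
    this.values = values.slice();
  }
}

const isObject = (x) => typeof x === "object" && x !== null;
const isTypedObject = (x) => x instanceof TypedObject;
const descrIsArrayType = (d) => d.kind === Kind.ARRAY;

// Internal invariant, mirroring the self-hosted assertion message from comment 0:
// an iteration space exists only for array types.
function computeIterationSpace(descr) {
  if (!descrIsArrayType(descr)) {
    throw new Error("ComputeIterationSpace called on non-array-type");
  }
  return descr.length;
}

// The two guards under comparison. The broad one tests category membership only;
// the strict one additionally requires the input's descriptor to be an array type.
const broadGuardUntyped = (a) => !isObject(a) || !isTypedObject(a);
const strictGuardUntyped = (a) => broadGuardUntyped(a) || !descrIsArrayType(a.descr);

// Model of ArrayType.from(input, fn); `untypedIs` selects which guard decides the path.
function arrayTypeFrom(resultType, input, fn, untypedIs) {
  if (!descrIsArrayType(resultType)) {
    throw new TypeError("from() called on a non-array type descriptor");
  }
  let out;
  if (untypedIs(input)) {
    // Untyped path: ordinary array-like handling with user-visible argument checks.
    const len = isObject(input) && Number.isInteger(input.length) ? input.length : 0;
    if (len !== resultType.length) {
      throw new TypeError(`expected ${resultType.length} elements, got ${len}`);
    }
    out = [];
    for (let i = 0; i < len; i++) out.push(fn ? fn(input[i], i) : input[i]);
  } else {
    // Typed path: trusts the descriptor and asks it for an iteration space.
    const len = computeIterationSpace(input.descr);
    out = input.values.slice(0, len).map((v, i) => (fn ? fn(v, i) : v));
  }
  return new TypedObject(resultType, out);
}

// Runs the comment 0 scenario (an array type's from() fed a non-array typed object)
// under a given guard and reports which kind of failure results.
function classifyFailure(untypedIs) {
  const uint32 = new TypeDescr(Kind.SCALAR);
  const type = uint32.array(4);
  // Constructed stand-in for SIMD.Int32x4(): a typed object of a non-array type.
  const simdValue = new TypedObject(new TypeDescr(Kind.SIMD), [0, 0, 0, 0]);
  try {
    arrayTypeFrom(type, simdValue, (j) => j * 2, untypedIs);
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "internal assertion";
  }
}

console.log("broad guard:", classifyFailure(broadGuardUntyped));   // internal assertion
console.log("strict guard:", classifyFailure(strictGuardUntyped)); // TypeError
```

The design point is the one the review exchange turns on: a guard that only asks "is this a typed object?" admits every typed object to a path whose invariants hold only for array-typed ones, so the stricter question has to be asked at the boundary rather than deferred to an internal assertion.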
Comment 13•9 years ago
Okay. (My personal style is to leave code alone unless there's an obvious readability or performance win associated with the change, but I don't want to block this changeset based on that personal preference.)
Updated•9 years ago
Attachment #8727371 - Flags: review?(nmatsakis) → review+
Comment 14•9 years ago
Comment 15•9 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment 16•9 years ago
TypedObject still nightly-only.