Closed
Bug 1261326
Opened 8 years ago
Closed 8 years ago
Assertion failure: value->type() == MIRType_Object || value->type() == MIRType_Null || value->type() == MIRType_Value, at js/src/jit/IonBuilder.cpp:12564
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
mozilla48
| Tracking | Status
---|---|---
firefox48 | --- | fixed
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
2.38 KB, patch, bhackett1024: review+
The following testcase crashes on mozilla-central revision bccb11375f2a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --baseline-eager):

```js
x = x = "";
function Obj1(x) this.x = x;
arr = [];
o = {};
for (i = 0; i < 10000; i++)
  new Obj1(o);
Obj1('');
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000006c9169 in js::jit::IonBuilder::storeUnboxedValue (this=this@entry=0x7fffffffba90, obj=obj@entry=0x7ffff699e280, elements=elements@entry=0x7ffff699e280, elementsOffset=elementsOffset@entry=16, scaledOffset=scaledOffset@entry=0x7ffff699e328, unboxedType=unboxedType@entry=JSVAL_TYPE_OBJECT, value=value@entry=0x7ffff699b810, preBarrier=preBarrier@entry=true) at js/src/jit/IonBuilder.cpp:12562
#0  0x00000000006c9169 in js::jit::IonBuilder::storeUnboxedValue (this=this@entry=0x7fffffffba90, obj=obj@entry=0x7ffff699e280, elements=elements@entry=0x7ffff699e280, elementsOffset=elementsOffset@entry=16, scaledOffset=scaledOffset@entry=0x7ffff699e328, unboxedType=unboxedType@entry=JSVAL_TYPE_OBJECT, value=value@entry=0x7ffff699b810, preBarrier=preBarrier@entry=true) at js/src/jit/IonBuilder.cpp:12562
#1  0x00000000006c9845 in js::jit::IonBuilder::storeUnboxedProperty (this=this@entry=0x7fffffffba90, obj=obj@entry=0x7ffff699e280, offset=<optimized out>, unboxedType=<optimized out>, value=value@entry=0x7ffff699b810) at js/src/jit/IonBuilder.cpp:12528
#2  0x00000000006ef714 in js::jit::IonBuilder::setPropTryInlineAccess (this=this@entry=0x7fffffffba90, emitted=emitted@entry=0x7fffffffb750, obj=0x7ffff699e280, name=name@entry=0x7ffff7e00b68, value=0x7ffff699b810, barrier=barrier@entry=false, objTypes=objTypes@entry=0x7ffff699e1b8) at js/src/jit/IonBuilder.cpp:12685
#3  0x0000000000700bdd in js::jit::IonBuilder::jsop_setprop (this=this@entry=0x7fffffffba90, name=0x7ffff7e00b68) at js/src/jit/IonBuilder.cpp:12229
#4  0x00000000006f9654 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7fffffffba90, op=op@entry=JSOP_SETPROP) at js/src/jit/IonBuilder.cpp:2030
#5  0x00000000006fa098 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffba90) at js/src/jit/IonBuilder.cpp:1523
#6  0x00000000006fb052 in js::jit::IonBuilder::buildInline (this=this@entry=0x7fffffffba90, callerBuilder=callerBuilder@entry=0x7ffff6994270, callerResumePoint=callerResumePoint@entry=0x7ffff699b988, callInfo=...) at js/src/jit/IonBuilder.cpp:1090
#7  0x00000000006fb69c in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7ffff6994270, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:5129
#8  0x00000000006fc190 in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff6994270, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5637
#9  0x00000000006fd8dc in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff6994270, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5693
#10 0x00000000006fdc6d in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff6994270, argc=1, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6631
#11 0x00000000006f9688 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff6994270, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1889
#12 0x00000000006fa098 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff6994270) at js/src/jit/IonBuilder.cpp:1523
#13 0x00000000006fa8d5 in js::jit::IonBuilder::build (this=this@entry=0x7ffff6994270) at js/src/jit/IonBuilder.cpp:918
#14 0x00000000006ade69 in js::jit::IonCompile (cx=cx@entry=0x7ffff6908800, script=script@entry=0x7ffff7e6f160, baselineFrame=baselineFrame@entry=0x7fffffffcc28, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2143
#15 0x00000000006ae8ec in js::jit::Compile (cx=0x7ffff6908800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffcc28, osrPc=osrPc@entry=0x7ffff518e839 "ず", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2375
#16 0x00000000006af3a2 in BaselineCanEnterAtBranch (pc=0x7ffff518e839 "ず", osrFrame=0x7fffffffcc28, script=..., cx=0x7ffff6908800) at js/src/jit/Ion.cpp:2562
#17 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6908800, frame=frame@entry=0x7fffffffcc28, pc=pc@entry=0x7ffff518e839 "ず") at js/src/jit/Ion.cpp:2620
#18 0x0000000000616697 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6908800, frame=0x7fffffffcc28, stub=0x7ffff51bc4f8, infoPtr=0x7fffffffcc00) at js/src/jit/BaselineIC.cpp:141
#19 0x00007ffff7ff2679 in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
```

Registers and disassembly at the crash site:

```
rax 0x0                0
rbx 0x7fffffffba90     140737488337552
rcx 0x7ffff6ca5870     140737333844080
rdx 0x0                0
rsi 0x7ffff6f7a9d0     140737336814032
rdi 0x7ffff6f791c0     140737336807872
rbp 0x7fffffffb540     140737488336192
rsp 0x7fffffffb500     140737488336128
r8  0x7ffff7fdf7c0     140737354004416
r9  0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffb2c0     140737488335552
r11 0x7ffff6c27ee0     140737333329632
r12 0x7ffff699e280     140737330668160
r13 0x7ffff699e328     140737330668328
r14 0x10               16
r15 0x7fffffffba90     140737488337552
rip 0x6c9169 <js::jit::IonBuilder::storeUnboxedValue(js::jit::MDefinition*, js::jit::MDefinition*, int, js::jit::MDefinition*, JSValueType, js::jit::MDefinition*, bool)+121>
=> 0x6c9169 <js::jit::IonBuilder::storeUnboxedValue(js::jit::MDefinition*, js::jit::MDefinition*, int, js::jit::MDefinition*, JSValueType, js::jit::MDefinition*, bool)+121>: movl   $0x3114,0x0
   0x6c9174 <js::jit::IonBuilder::storeUnboxedValue(js::jit::MDefinition*, js::jit::MDefinition*, int, js::jit::MDefinition*, JSValueType, js::jit::MDefinition*, bool)+132>: callq  0x4aa040 <abort()>
```

Marking s-s as these types of asserts can indicate sec-high/critical issues.
Updated•8 years ago
Component: JavaScript Engine → JavaScript Engine: JIT
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160227063626" and the hash "4cba1f83f797b5cf6013a47683eff3f66e7d139b".

The "bad" changeset has the timestamp "20160227083326" and the hash "62b2390a22b28cda8000e5a1524ab96104361900".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4cba1f83f797b5cf6013a47683eff3f66e7d139b&tochange=62b2390a22b28cda8000e5a1524ab96104361900
Not sure if the regression window in comment 1 is accurate, so setting needinfo? from Jan as a start.
Flags: needinfo?(jdemooij)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/bd00e87978b2
user: Jan de Mooij
date: Sat Feb 27 17:32:44 2016 +0100
summary: Bug 1216130 part 2 - Add test. r=bhackett

Seems like this changeset added the assert.
Comment 4•8 years ago (Assignee)
Usually this assert holds because of the checks we do in PropertyWriteNeedsTypeBarrier. Here, though, we get the ObjectGroup from the Baseline IC so we don't check it in PropertyWriteNeedsTypeBarrier. This patch just disables this path if the group is one that can't actually show up at runtime - I think that's a nice check to have for other reasons as well, so I also added it to the getprop path. I think this is just a bogus assert - the group guard will always fail so the correctness bug the assert is guarding against is not really an issue.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8742923 - Flags: review?(bhackett1024)
Updated•8 years ago
Attachment #8742923 - Flags: review?(bhackett1024) → review+
Comment 6•8 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/5d3ac1da48e0
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48