Closed
Bug 1263532
Opened 8 years ago
Closed 8 years ago
Assertion failure: isOptimizable, at js/src/jsstr.cpp:3863
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla48
Release | Tracking | Status
---|---|---
firefox47 | --- | unaffected
firefox48 | --- | fixed
People
(Reporter: gkw, Assigned: arai)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file): patch, 2.09 KB, h4writer: review+
Description

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-osr=off):

// Adapted from randomly chosen test: js/src/jit-test/tests/ion/testStringMatch.js
setJitCompilerOption("ion.warmup.trigger", 1);
function f(g) {
  for (var i = 0; i < 99; i++) {
    "abc".match("b.");
    g();
  }
}
f(function() {});
f(function() {
  Object.defineProperty(RegExp.prototype, "sticky", { get: function() {} });
});

Backtrace:

0 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010067c827 js::FlatStringMatch(JSContext*, unsigned int, JS::Value*) + 1943 (jsstr.cpp:3863)
1 ??? 0x0000000102aef324 0 + 4339987236

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1a3a6133271c
user: Tooru Fujisawa
date: Sat Sep 05 22:01:43 2015 +0900
summary: Bug 887016 - Part 13: Implement RegExp.prototype[@@split] and call it from String.prototype.split. r=h4writer,till

Setting s-s because previous regressors from this bug have been s-s, so setting it pending further evaluation.
Comment 1 (Reporter) • 8 years ago
arai-san, is bug 887016 a likely regressor?
Comment 2 (Assignee) • 8 years ago
There were 2 issues:
1. bug 1263549, that makes inlined RegExpPrototypeOptimizable useless (but it falls back to the correct path)
2. in 2nd |f| call, either
   a. IsStringMatchOptimizable doesn't call RegExpPrototypeOptimizable
   b. String_match doesn't call IsStringMatchOptimizable and jumps into FlatStringMatch

Then because of 2, FlatStringMatch is executed after modifying the sticky property (RegExpPrototypeOptimizable should return false).

Will continue investigating.
Comment 3 (Assignee) • 8 years ago
setMovable in MRegExpPrototypeOptimizable ctor makes it movable out of loop :P will fix it shortly.
Flags: needinfo?(arai.unmht)
Comment 4 (Assignee) • 8 years ago
Just removed setMovable from MRegExpPrototypeOptimizable and MRegExpInstanceOptimizable.
Assignee: nobody → arai.unmht
Attachment #8739903 - Flags: review?(hv1989)
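The mechanism described in comments 2 to 4 (a "RegExp.prototype is still pristine" guard that LICM hoisted out of the loop because the MIR node was marked movable, so the fast path kept running after the loop body redefined the sticky accessor) can be modelled in plain JavaScript. The block below is an added example, not code from this bug or from the SpiderMonkey tree; it assumes a simplified guard that compares the built-in getters of a few RegExp.prototype accessors (the real RegExpPrototypeOptimizable checks the object's shape), and the function names regExpPrototypeOptimizable, runLoop and compareGuardPlacements are this example's own. It runs the same loop twice, once with the guard evaluated once before the loop and once with it evaluated per iteration, and counts how often the fast path would be entered after the prototype has already been modified.

```javascript
// Added example, not code from the bug report or from SpiderMonkey. It models
// the "RegExp.prototype is still pristine" guard that the String.prototype.match
// fast path depends on, and shows why a guard that observes mutable state must
// be re-evaluated on every iteration rather than hoisted out of the loop.

// The accessors the fast path would otherwise bypass. The real engine compares
// the object's shape; this model compares the getter functions (an assumption
// made for illustration).
const GUARDED_ACCESSORS = ["global", "sticky", "unicode", "flags"];
const ORIGINAL_GETTERS = new Map(
  GUARDED_ACCESSORS.map((name) => [
    name,
    Object.getOwnPropertyDescriptor(RegExp.prototype, name).get,
  ])
);

// Model of RegExpPrototypeOptimizable: true only while every guarded accessor
// on RegExp.prototype is still the built-in one.
function regExpPrototypeOptimizable() {
  return GUARDED_ACCESSORS.every((name) => {
    const desc = Object.getOwnPropertyDescriptor(RegExp.prototype, name);
    return desc !== undefined && desc.get === ORIGINAL_GETTERS.get(name);
  });
}

// Model of the loop in the testcase. `hoisted === true` evaluates the guard once
// before the loop (what marking the MIR node movable allowed LICM to do);
// `hoisted === false` evaluates it on every iteration (the fixed placement).
// `g` is called once per iteration and returns true if it mutated
// RegExp.prototype. Returns how many iterations would have taken the fast path
// even though the prototype had already been modified.
function runLoop(g, iterations, hoisted) {
  let unsoundFastPaths = 0;
  let prototypeModified = false;
  const hoistedGuard = hoisted ? regExpPrototypeOptimizable() : undefined;
  for (let i = 0; i < iterations; i++) {
    const optimizable = hoisted ? hoistedGuard : regExpPrototypeOptimizable();
    if (optimizable && prototypeModified) unsoundFastPaths++;
    "abc".match("b."); // the call under test; its result is not the point here
    if (g()) prototypeModified = true;
  }
  return unsoundFastPaths;
}

// Runs both placements against a `g` that redefines RegExp.prototype.sticky on
// its first call, as the second f() call in the testcase does, and restores the
// original accessor afterwards so the rest of the program is unaffected.
function compareGuardPlacements(iterations = 99) {
  const saved = Object.getOwnPropertyDescriptor(RegExp.prototype, "sticky");
  const makeMutator = () => {
    let done = false;
    return () => {
      if (done) return false;
      Object.defineProperty(RegExp.prototype, "sticky", {
        get: function () {},
        configurable: true,
      });
      done = true;
      return true;
    };
  };
  const restore = () =>
    Object.defineProperty(RegExp.prototype, "sticky", saved);
  try {
    const hoisted = runLoop(makeMutator(), iterations, true);
    restore();
    const perIteration = runLoop(makeMutator(), iterations, false);
    return { hoisted, perIteration };
  } finally {
    restore();
  }
}

console.log(compareGuardPlacements()); // { hoisted: 98, perIteration: 0 }
```

With the hoisted placement the guard stays true for the 98 iterations that follow the mutation, which is the situation that reached FlatStringMatch and tripped the isOptimizable assertion; with the per-iteration placement the guard turns false on the very next iteration and the fast path is never entered unsoundly. This is why the fix simply drops setMovable from the two MIR nodes: a check whose answer depends on state the loop body can change is not loop-invariant.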
Comment 5 • 8 years ago
Comment on attachment 8739903
Do not make RegExpPrototypeOptimizable and RegExpInstanceOptimizable movable.

Review of attachment 8739903:
-----------------------------------------------------------------

For correctness this is good. But is this still a problem when the sticky etc. flags are flags again, instead of getters/setters? If that is the case we might want to make them movable again.
Attachment #8739903 - Flags: review?(hv1989) → review+
Comment 6 (Assignee) • 8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/72eb3fec4eb8284aa0ddb02480be79457f342813
Bug 1263532 - Do not make RegExpPrototypeOptimizable and RegExpInstanceOptimizable movable. r=h4writer
Comment 7 • 8 years ago
https://hg.mozilla.org/mozilla-central/rev/72eb3fec4eb8
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated • 8 years ago
Group: javascript-core-security → core-security-release

Updated • 8 years ago
Group: core-security-release