Closed Bug 1274048 Opened 8 years ago Closed 8 years ago

Assertion failure: high > low, at js/src/vm/CodeCoverage.cpp:255

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla49
Tracking Status
firefox49 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision c4449eab07d3 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

function f() {
    throw new Error;
}
function g() {
    switch (h()) {}
}
getLcovInfo();


Backtrace:

0   js-dbg-64-dm-clang-darwin-c4449eab07d3	0x000000010ada48cf js::coverage::LCovSource::writeScript(JSScript*) + 5007 (CodeCoverage.cpp:255)
1   js-dbg-64-dm-clang-darwin-c4449eab07d3	0x000000010ada49ef js::coverage::LCovCompartment::collectCodeCoverageInfo(JSCompartment*, JSObject*, JSScript*) + 79 (CodeCoverage.cpp:403)
2   js-dbg-64-dm-clang-darwin-c4449eab07d3	0x000000010ad25d14 js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1332 (jsopcode.cpp:2067)
3   js-dbg-64-dm-clang-darwin-c4449eab07d3	0x000000010b0954c5 GetLcovInfo(JSContext*, unsigned int, JS::Value*) + 213 (TestingFunctions.cpp:3376)
4   js-dbg-64-dm-clang-darwin-c4449eab07d3	0x000000010ae8f59e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
/snip

For detailed crash information, see attachment.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292
user:        Nicolas B. Pierron
date:        Tue May 17 17:15:52 2016 +0000
summary:     Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode. r=jandem,jorendorff,shu

Nicolas, is bug 1261826 a likely regressor?
Blocks: 1261826
Flags: needinfo?(nicolas.b.pierron)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> autoBisect shows this is probably related to the following changeset:
> 
> The first bad revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292
> user:        Nicolas B. Pierron
> date:        Tue May 17 17:15:52 2016 +0000
> summary:     Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode.
> r=jandem,jorendorff,shu
> 
> Nicolas, is bug 1261826 a likely regressor?

Yes, this is more than likely.
I will keep the ni? and fix that within the upcoming week.
Flags: needinfo?(nicolas.b.pierron)
Comment on attachment 8754443 [details] [diff] [review]
Code Coverage: Fix assertion to account for empty switch statements.

Review of attachment 8754443 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/CodeCoverage.cpp
@@ +251,5 @@
>  
>              // Get the low and high from the tableswitch
>              int32_t low = GET_JUMP_OFFSET(pc + JUMP_OFFSET_LEN * 1);
>              int32_t high = GET_JUMP_OFFSET(pc + JUMP_OFFSET_LEN * 2);
> +            MOZ_ASSERT(high - low + 1 >= 0);
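Review bot: the new MOZ_ASSERT(high - low + 1 >= 0) should carry a comment naming the case it now admits, namely an empty switch statement (per the attachment description) for which high is no longer greater than low and which the previous high > low check from the bug title rejected; a reader of the bare inequality otherwise has to rediscover why ">= 0" rather than "> 0" is the right bound. Also, low and high are both int32_t, so the subtraction is signed arithmetic that is only well defined while the emitter keeps high - low within int32_t range; stating that assumption in the same comment would make the assertion self-explanatory.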

MOZ_ASSERT(high + 1 >= low)?
Attachment #8754443 - Flags: review?(bhackett1024) → review+
(In reply to Brian Hackett (:bhackett) from comment #5)
> > +            MOZ_ASSERT(high - low + 1 >= 0);
> 
> MOZ_ASSERT(high + 1 >= low)?

This would cause a false positive assertion on overflow if high is INT32_MAX.

Also, the above expression is the one used just above the "size_t numCase" variable, which is defined the same way.
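The overflow point made in this comment, as an added C illustration rather than SpiderMonkey code: the three assertion variants discussed in this bug are evaluated in int64_t to show which operand pairs would make the real int32_t arithmetic overflow, and the case count is derived from the same expression as the landed assertion. The encoding of an empty switch as high one less than low is an assumption, as are all constructed bound values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Does a value computed in int64_t fit the int32_t the real code uses?
 * Signed overflow in int32_t is undefined behaviour, so this is how we
 * detect that an assertion variant would overflow instead of triggering it. */
static bool fits_int32(int64_t v) { return v >= INT32_MIN && v <= INT32_MAX; }

/* Old assertion from the bug title: high > low. Rejects an empty switch. */
static bool old_check(int32_t low, int32_t high) { return high > low; }

/* Reviewer suggestion: high + 1 >= low. The intermediate high + 1 leaves the
 * int32_t range exactly when high == INT32_MAX, whatever low is (comment #6). */
static bool alt_check_overflows(int32_t high) {
    return !fits_int32((int64_t)high + 1);
}

/* Landed assertion: high - low + 1 >= 0. Its intermediates stay in range as
 * long as the table spans at most INT32_MAX entries, i.e. high - low + 1
 * itself fits; with high == INT32_MAX that holds for any low >= 1. */
static bool fixed_check_overflows(int32_t low, int32_t high) {
    int64_t diff = (int64_t)high - (int64_t)low;
    return !fits_int32(diff) || !fits_int32(diff + 1);
}

/* Case count the coverage writer needs (same expression as the assertion).
 * Assumption: an empty switch is encoded with high == low - 1, giving 0 cases.
 * Returns -1 when the invariant fails or the int32_t arithmetic would overflow. */
static int64_t table_num_cases(int32_t low, int32_t high) {
    if (fixed_check_overflows(low, high)) return -1;
    int64_t n = (int64_t)high - (int64_t)low + 1;
    return n >= 0 ? n : -1;
}

int main(void) {
    /* Constructed bounds: empty switch, single case, a small table, INT32_MAX. */
    printf("empty:  old=%d cases=%lld\n", old_check(0, -1), (long long)table_num_cases(0, -1));
    printf("single: old=%d cases=%lld\n", old_check(5, 5), (long long)table_num_cases(5, 5));
    printf("table:  old=%d cases=%lld\n", old_check(1, 4), (long long)table_num_cases(1, 4));
    printf("high=INT32_MAX: alt overflows=%d fixed(low=1) overflows=%d fixed(low=0) overflows=%d\n",
           alt_check_overflows(INT32_MAX), fixed_check_overflows(1, INT32_MAX),
           fixed_check_overflows(0, INT32_MAX));
    return 0;
}
```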
https://hg.mozilla.org/mozilla-central/rev/7f12d87c72c2
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49