Closed
Bug 1274048
Opened 8 years ago
Closed 8 years ago
Assertion failure: high > low, at js/src/vm/CodeCoverage.cpp:255
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla49
Tracking | Status | |
---|---|---|
firefox49 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
30.62 KB,
text/plain
|
Details | |
1.59 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision c4449eab07d3 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): function f() { throw new Error; } function g() { switch (h()) {} } getLcovInfo(); Backtrace: 0 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ada48cf js::coverage::LCovSource::writeScript(JSScript*) + 5007 (CodeCoverage.cpp:255) 1 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ada49ef js::coverage::LCovCompartment::collectCodeCoverageInfo(JSCompartment*, JSObject*, JSScript*) + 79 (CodeCoverage.cpp:403) 2 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ad25d14 js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1332 (jsopcode.cpp:2067) 3 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010b0954c5 GetLcovInfo(JSContext*, unsigned int, JS::Value*) + 213 (TestingFunctions.cpp:3376) 4 js-dbg-64-dm-clang-darwin-c4449eab07d3 0x000000010ae8f59e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236) /snip For detailed crash information, see attachment.
Reporter | ||
Comment 1•8 years ago
|
||
Reporter | ||
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292 user: Nicolas B. Pierron date: Tue May 17 17:15:52 2016 +0000 summary: Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode. r=jandem,jorendorff,shu Nicolas, is bug 1261826 a likely regressor?
Blocks: 1261826
Flags: needinfo?(nicolas.b.pierron)
Comment 3•8 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2) > autoBisect shows this is probably related to the following changeset: > > The first bad revision is: > changeset: https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292 > user: Nicolas B. Pierron > date: Tue May 17 17:15:52 2016 +0000 > summary: Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode. > r=jandem,jorendorff,shu > > Nicolas, is bug 1261826 a likely regressor? Yes, this is more than likely. I will keep the ni? and fix that within the upcoming week.
Comment 4•8 years ago
|
||
Attachment #8754443 -
Flags: review?(bhackett1024)
Updated•8 years ago
|
Flags: needinfo?(nicolas.b.pierron)
Comment 5•8 years ago
|
||
Comment on attachment 8754443 [details] [diff] [review] Code Coverage: Fix assertion to account for empty switch statements. Review of attachment 8754443 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/CodeCoverage.cpp @@ +251,5 @@ > > // Get the low and high from the tableswitch > int32_t low = GET_JUMP_OFFSET(pc + JUMP_OFFSET_LEN * 1); > int32_t high = GET_JUMP_OFFSET(pc + JUMP_OFFSET_LEN * 2); > + MOZ_ASSERT(high - low + 1 >= 0); MOZ_ASSERT(high + 1 >= low)?
Attachment #8754443 -
Flags: review?(bhackett1024) → review+
Comment 6•8 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #5) > > + MOZ_ASSERT(high - low + 1 >= 0); > > MOZ_ASSERT(high + 1 >= low)? This would cause a false positive assertion on overflow if high is INT32_MAX. Also, the above expression is the one which is just above the "size_t numCase" variable defined the same way.
Comment 8•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/7f12d87c72c2
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
You need to log in
before you can comment on or make changes to this bug.
Description
•