Assertion failure: op < JSOP_LIMIT, at js/src/jsopcode.h:604

RESOLVED FIXED in Firefox 56

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
2 years ago
6 months ago

People

(Reporter: gkw, Assigned: nbp)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla56
x86_64
Mac OS X
assertion, testcase
Points:
---

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox55 wontfix, firefox56 fixed)

Details

(Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 5f95858f8ddf (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-pgo=on):

function f(x) {
    switch (1) {
        default: switch (1) {}
    }
};
f();
getLcovInfo();


Backtrace:

0   js-dbg-64-dm-clang-darwin-5f95858f8ddf	0x0000000104a5a2fb js::coverage::LCovSource::writeScript(JSScript*) + 4859 (jsopcode.h:604)
1   js-dbg-64-dm-clang-darwin-5f95858f8ddf	0x0000000104a5a52f js::coverage::LCovCompartment::collectCodeCoverageInfo(JSCompartment*, JSObject*, JSScript*) + 79 (CodeCoverage.cpp:420)
2   js-dbg-64-dm-clang-darwin-5f95858f8ddf	0x00000001049a9614 js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1604 (jsopcode.cpp:2065)
3   js-dbg-64-dm-clang-darwin-5f95858f8ddf	0x0000000104d4a915 GetLcovInfo(JSContext*, unsigned int, JS::Value*) + 229 (TestingFunctions.cpp:3415)
4   js-dbg-64-dm-clang-darwin-5f95858f8ddf	0x0000000104b154ce js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

2 years ago
Created attachment 8763289 [details]
Detailed Crash Information
(Reporter)

Comment 2

2 years ago
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160602061152" and the hash "3d68250b133166b7d65dc99c963fac5fa0ef1439".
The "bad" changeset has the timestamp "20160602064143" and the hash "e838c11fd532d3bf3d7562fe56337a7a1bcd3c6b".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3d68250b133166b7d65dc99c963fac5fa0ef1439&tochange=e838c11fd532d3bf3d7562fe56337a7a1bcd3c6b

Nicolas, is bug 1274588 a likely regressor?
Blocks: 1274588
Flags: needinfo?(nicolas.b.pierron)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Nicolas, is bug 1274588 a likely regressor?

Yes, this is likely.

Note, this is a low priority as the releng team depends on the Devtools implementation and not the LCov implementation at the moment. Also note that the LCov implementation is not exposed to the web either.

Updated

6 months ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 4

6 months ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 04b6be50a252).
(Reporter)

Comment 5

6 months ago
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/da3b6b55ed0b
user:        Nicolas B. Pierron
date:        Thu Jul 20 16:20:14 2017 +0000
summary:     Bug 1304569 - JS Code Coverage: Simplify checks for the last found case-statement body. r=bhackett

Nicolas, is bug 1304569 a likely fix?

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Nicolas, is bug 1304569 a likely fix?

Yes, it is.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Duplicate of bug: 1304569
(Reporter)

Comment 7

6 months ago
Fix is known -> switching resolution to FIXED by bug 1304569.
Resolution: DUPLICATE → FIXED
Assignee: nobody → nicolas.b.pierron
status-firefox50: affected → ---
status-firefox55: --- → wontfix
status-firefox56: --- → fixed
status-firefox-esr52: --- → wontfix
Depends on: 1304569
Target Milestone: --- → mozilla56