Closed
Bug 1307523
Opened 8 years ago
Closed 8 years ago
Assertion failure: hasInt32UpperBound(), or Assertion failure: hasInt32LowerBound(), at js/src/jit/RangeAnalysis.h:572
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla52
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: gkw, Assigned: sandervv)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:ignore])
Attachments
(1 file)
|
31.33 KB,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 42c95d88aaaa (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
(function() {
x % (2147483647 >>> 0) ? 1 : 0
})()
Backtrace:
0 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010bb38f93 js::jit::MMod::computeRange(js::jit::TempAllocator&) + 1155 (RangeAnalysis.h:572)
1 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010bb3bc19 js::jit::RangeAnalysis::analyze() + 249 (MIR.h:706)
2 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010b9c6a8c js::jit::OptimizeMIR(js::jit::MIRGenerator*) + 4092 (Ion.cpp:1714)
3 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010b9d2c1a js::jit::CompileBackEnd(js::jit::MIRGenerator*) + 74 (Ion.cpp:2008)
4 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010b9d4a53 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 3827 (Ion.cpp:2289)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/6e75141df030 user: Sander Mathijs van Veen date: Mon Oct 03 02:36:00 2016 -0400 summary: Bug 1302367 - Use unsigned integer modulo instead of ModD opcode. r=nbp, r=jandem Sander, is bug 1302367 a likely regressor?
Blocks: 1302367
Flags: needinfo?(sandervv)
|
|
Reporter | |
Comment 3•8 years ago
|
||
Note that this is a fuzzblocker. "Assertion failure: hasInt32UpperBound()," may be a related assertion failure.
Summary: Assertion failure: hasInt32LowerBound(), at js/src/jit/RangeAnalysis.h:572 → Assertion failure: hasInt32UpperBound(), or Assertion failure: hasInt32LowerBound(), at js/src/jit/RangeAnalysis.h:572
Pushed by gkwong@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/7d42989271c4 Backed out changeset 6e75141df030, rs=jandem over IRC
|
|
Reporter | |
Comment 5•8 years ago
|
||
Unfortunately it's such a severe fuzzblocker that we've had to back it out.
Keywords: leave-open
|
||
Comment 7•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/7d42989271c4
|
|
Reporter | |
Comment 8•8 years ago
|
||
The testcase would have been "fixed" by the backout, updating jsbugmon parameters.
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:ignore]
|
|
Reporter | |
Comment 9•8 years ago
|
||
Please also first request fuzzing for the updated patch by setting feedback? from me and/or :decoder to ensure we have a stable patch going in.
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → sandervv
|
|
Reporter | |
Comment 10•8 years ago
|
||
The patch was backed out, and bug 1302367 was re-fixed and re-landed several days later. Shall we marked this as FIXED?
Flags: needinfo?(sandervv)
|
|
Assignee | |
Comment 11•8 years ago
|
||
This is fixed indeed
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(sandervv)
Resolution: --- → FIXED
|
||
Updated•7 years ago
|
Target Milestone: --- → mozilla52
|
||
Comment 12•6 years ago
|
||
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
You need to log in
before you can comment on or make changes to this bug.
Description
•