Closed
Bug 1307523
Opened 8 years ago
Closed 8 years ago
Assertion failure: hasInt32UpperBound(), or Assertion failure: hasInt32LowerBound(), at js/src/jit/RangeAnalysis.h:572
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla52
| | Tracking | Status |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: gkw, Assigned: sandervv)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:ignore])
Attachments
(1 file)
31.33 KB, text/plain
The following testcase crashes on mozilla-central revision 42c95d88aaaa (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

```
(function() { x % (2147483647 >>> 0) ? 1 : 0 })()
```

Backtrace:

```
0 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010bb38f93 js::jit::MMod::computeRange(js::jit::TempAllocator&) + 1155 (RangeAnalysis.h:572)
1 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010bb3bc19 js::jit::RangeAnalysis::analyze() + 249 (MIR.h:706)
2 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010b9c6a8c js::jit::OptimizeMIR(js::jit::MIRGenerator*) + 4092 (Ion.cpp:1714)
3 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010b9d2c1a js::jit::CompileBackEnd(js::jit::MIRGenerator*) + 74 (Ion.cpp:2008)
4 js-dbg-64-dm-clang-darwin-42c95d88aaaa 0x000000010b9d4a53 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 3827 (Ion.cpp:2289)
/snip
```

For detailed crash information, see attachment.
Reporter
Comment 1•8 years ago
Reporter
Comment 2•8 years ago
autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6e75141df030
user: Sander Mathijs van Veen
date: Mon Oct 03 02:36:00 2016 -0400
summary: Bug 1302367 - Use unsigned integer modulo instead of ModD opcode. r=nbp, r=jandem
```

Sander, is bug 1302367 a likely regressor?
Blocks: 1302367
Flags: needinfo?(sandervv)
Reporter
Comment 3•8 years ago
Note that this is a fuzzblocker. "Assertion failure: hasInt32UpperBound()," may be a related assertion failure.
Summary: Assertion failure: hasInt32LowerBound(), at js/src/jit/RangeAnalysis.h:572 → Assertion failure: hasInt32UpperBound(), or Assertion failure: hasInt32LowerBound(), at js/src/jit/RangeAnalysis.h:572
Pushed by gkwong@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7d42989271c4
Backed out changeset 6e75141df030, rs=jandem over IRC
Reporter
Comment 5•8 years ago
Unfortunately it's such a severe fuzzblocker that we've had to back it out.
Keywords: leave-open
Comment 7•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7d42989271c4
Reporter
Comment 8•8 years ago
The testcase would have been "fixed" by the backout, updating jsbugmon parameters.
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:ignore]
Reporter
Comment 9•8 years ago
Please also first request fuzzing for the updated patch by setting feedback? from me and/or :decoder to ensure we have a stable patch going in.
Assignee
Updated•8 years ago
Assignee: nobody → sandervv
Reporter
Comment 10•8 years ago
The patch was backed out, and bug 1302367 was re-fixed and re-landed several days later. Shall we mark this as FIXED?
Flags: needinfo?(sandervv)
Assignee
Comment 11•8 years ago
This is fixed indeed
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(sandervv)
Resolution: --- → FIXED
Updated•7 years ago
Target Milestone: --- → mozilla52
Comment 12•6 years ago
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open