Closed
Bug 1311061
Opened 9 years ago
Closed 9 years ago
Assertion failure: builder->script()->canIonCompile(), at js/src/jit/Ion.cpp:2221
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla52
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | wontfix |
| firefox50 | --- | wontfix |
| firefox51 | --- | fix-optional |
| firefox52 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
1.69 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision dc89484d4b45 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
function get(target, property, receiver) {
if (property === "prototype")
return 42;
return Reflect.get(actual = i, ...yield);
}
(new new Proxy(get, { get }))();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x000000000068e0a5 in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2221
#0 0x000000000068e0a5 in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2221
#1 0x000000000068e629 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2484
#2 0x000000000068e81b in js::jit::CanEnter (cx=cx@entry=0x7ffff695f000, state=...) at js/src/jit/Ion.cpp:2581
#3 0x0000000000b18ce3 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:380
#4 0x0000000000b190e5 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#5 0x0000000000b1a061 in InternalConstruct (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:551
#6 0x0000000000b1a35b in js::Construct (cx=cx@entry=0x7ffff695f000, fval=fval@entry=..., args=..., newTarget=..., objp=..., objp@entry=...) at js/src/vm/Interpreter.cpp:600
#7 0x0000000000a56164 in js::ScriptedProxyHandler::construct (this=<optimized out>, cx=0x7ffff695f000, proxy=..., args=...) at js/src/proxy/ScriptedProxyHandler.cpp:1187
#8 0x0000000000a45ad3 in js::Proxy::construct (cx=cx@entry=0x7ffff695f000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:419
#9 0x0000000000a45bc1 in js::proxy_Construct (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:698
#10 0x0000000000b1dc31 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=native@entry=0xa45b40 <js::proxy_Construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#11 0x0000000000b20726 in js::CallJSNativeConstructor (cx=cx@entry=0x7ffff695f000, native=0xa45b40 <js::proxy_Construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:272
#12 0x0000000000b19fa4 in InternalConstruct (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:561
#13 0x0000000000b1a26d in js::ConstructFromStack (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:587
#14 0x00000000005f895f in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffffce28, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcdd8, res=...) at js/src/jit/BaselineIC.cpp:5991
#15 0x00007ffff7e45cca in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x0 0
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffc320 140737488339744
rsp 0x7fffffffc100 140737488339200
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff69a4020 140737330692128
r13 0x7ffff69a4050 140737330692176
r14 0x7ffff69a41c0 140737330692544
r15 0x7ffff695f000 140737330409472
rip 0x68e0a5 <js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, jsbytecode*, bool, bool, js::jit::OptimizationLevel)+4021>
=> 0x68e0a5 <js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, jsbytecode*, bool, bool, js::jit::OptimizationLevel)+4021>: movl $0x0,0x0
0x68e0b0 <js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, jsbytecode*, bool, bool, js::jit::OptimizationLevel)+4032>: ud2
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151023120235" and the hash "988c2a1702b2d22b3de198c8a9fda3a03de1052c".
The "bad" changeset has the timestamp "20151023121035" and the hash "cefec636b2d5ed2567cf3f92b4e2e198535809e6".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=988c2a1702b2d22b3de198c8a9fda3a03de1052c&tochange=cefec636b2d5ed2567cf3f92b4e2e198535809e6
|
||
Updated•9 years ago
|
|
Assignee | |
Comment 2•9 years ago
|
||
Creating |this| can mark the script uncompilable.
|
||
Updated•9 years ago
|
Attachment #8802472 -
Flags: review?(hv1989) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b992940c812
Ensure the script is still Ion-compilable after creating |this|. r=h4writer
|
||
Comment 4•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
|
||
Updated•9 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•