Closed
Bug 1313792
Opened 8 years ago
Closed 8 years ago
Assertion failure: v.isDouble(), at js/src/jit/Recover.cpp:1074
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla52
| | Tracking | Status |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: gkw, Assigned: jschulte)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 1 obsolete file)
29.38 KB, text/plain
1.04 KB, patch (jschulte: review+)
The following testcase crashes on mozilla-central revision 1561c917ee27 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

function f(x, y) {
    return (+Math.pow(0, 0 !== y === (y >>> 0 || 0) | 0));
}
inputs = [4294967295];
for (var j = 0; j < 2; ++j) {
    for (var k = 0; k < 2; ++k) {
        [].push(f(inputs[j], inputs[k]));
    }
}

Backtrace:

0 js-dbg-64-dm-clang-darwin-1561c917ee27 0x000000010a6425f8 js::jit::RNaNToZero::recover(JSContext*, js::jit::SnapshotIterator&) const + 504 (Recover.cpp:1074)
1 js-dbg-64-dm-clang-darwin-1561c917ee27 0x000000010a566103 js::jit::SnapshotIterator::computeInstructionResults(JSContext*, js::jit::RInstructionResults*) const + 307 (JitFrames.cpp:2123)
2 js-dbg-64-dm-clang-darwin-1561c917ee27 0x000000010a565757 js::jit::SnapshotIterator::initInstructionResults(js::jit::MaybeReadFallback&) + 391 (JitFrames.cpp:2076)
3 js-dbg-64-dm-clang-darwin-1561c917ee27 0x000000010a3eedb5 js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JitFrameIterator&, bool, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) + 693 (BaselineBailouts.cpp:448)
4 js-dbg-64-dm-clang-darwin-1561c917ee27 0x000000010a3ee88c js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) + 316 (Bailouts.cpp:55)
/snip

For detailed crash information, see attachment.
Reporter
Comment 1 • 8 years ago
Reporter
Comment 2 • 8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/01d621c2dbe3
user: Johannes Schulte
date: Fri Jun 24 19:02:23 2016 +0200
summary: Bug 1176230 - Try to fold ternary's with double-argument to NaNToZero. r=nbp

Johannes, is bug 1176230 a likely regressor?

I checked that this issue still occurs in mozilla-inbound rev tip 72764ba31b81, which contains the patch in bug 1312620.
Flags: needinfo?(j_schulte)
Assignee
Comment 3 • 8 years ago
Flags: needinfo?(j_schulte)
Attachment #8805936 -
Flags: review?(nicolas.b.pierron)
Comment 4 • 8 years ago
Comment on attachment 8805936
fix_recover.patch

Review of attachment 8805936:
-----------------------------------------------------------------

Thanks :)
Attachment #8805936 -
Flags: review?(nicolas.b.pierron) → review+
Comment 5 • 8 years ago
Comment on attachment 8805936
fix_recover.patch

Review of attachment 8805936:
-----------------------------------------------------------------

Drive-by nit

::: js/src/jit/Recover.cpp @@ +1073,5 @@ > > + if (ToBoolean(v)) > + result = v; > + else > + result.setDouble(0.0);

We should probably still assert this is a number? I.e. assert this is isDouble or isInt32

Next I was a bit confused about the logic here. Can you add the following comment above the condition:
// x ? x : 0.0
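Review bot: the condition added at js/src/jit/Recover.cpp +1073 passes any Value through ToBoolean(v), and no type check is visible in the hunk, so a non-number value reaching this recover path would be copied into result without tripping anything in a debug build. Keep an assertion ahead of the condition that v is a Double or an Int32. The two branches also produce different representations: the truthy branch keeps v's own type, while the else branch (taken for NaN, 0 and -0) always stores a Double 0.0. A short comment above the condition, such as // x ? x : 0.0, would make that intent explicit.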
Assignee
Comment 6 • 8 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b602a9704d2b
Assignee: nobody → j_schulte
Attachment #8805936 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8807982 -
Flags: review+
Assignee
Updated • 8 years ago
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/82d1209499f2
Handle Int32-Values in RNaNToZero. r=nbp
Keywords: checkin-needed
Comment 8 • 8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/82d1209499f2
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52