Closed Bug 1326152 Opened 9 years ago Closed 9 years ago

Assertion failure: stub->numOptimizedStubs() < MaxOptimizedCacheIRStubs, at js/src/jit/BaselineCacheIRCompiler.cpp:785

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox53 --- fixed

People

(Reporter: gkw, Assigned: evilpies)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Detailed Crash Information
125.89 KB, text/plain
Details
The following testcase crashes on mozilla-central revision 143bb4b9249e (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --baseline-eager --no-ion): var realEval = eval; (function () { this.__defineGetter__("eval", arguments.callee); try { eval(); } catch (e) {} delete this.eval; this.eval = realEval; })(); Backtrace: 0 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x000000010744e283 js::jit::AttachBaselineCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::ICStubEngine, JSScript*, js::jit::ICFallbackStub*) + 1315 (BaselineCacheIRCompiler.cpp:785) 1 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x000000010748225c js::jit::DoGetNameFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetName_Fallback*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) + 1196 (BaselineIC.cpp:2550) 2 ??? 0x0000000108bdc50d 0 + 4441621773 3 ??? 0x0000000108bdae1d 0 + 4441615901 4 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x000000010749b3e9 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 713 (BaselineJIT.cpp:159) /snip For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/094c2806ef37 user: Tom Schuster date: Sat Dec 24 14:35:23 2016 +0100 summary: Bug 1324566 - Port Baseline GetName_Env to CacheIR. r=jandem Tom, is bug 1324566 a likely regressor?
Blocks: 1324566
Flags: needinfo?(evilpies)
Looks like we're missing the check for max number of stubs. The old code in DoGetNameFallback set |attached| to true in this case, we can probably clean this up once all GetName stubs have been converted.
I think this should be fixed now on m-i.
Flags: needinfo?(evilpies)
autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/1832a6e47f1c user: Tom Schuster date: Fri Dec 30 17:38:08 2016 +0100 summary: Bug 1324566 - Port Baseline GlobalNameAccessor to CacheIR. r=jandem Yes, this should be fixed in m-c rev 1832a6e47f1c.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee: nobody → evilpies
No longer blocks: 1324566
status-firefox53: affectedfixed
Depends on: 1324566
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: