Closed
Bug 1341339
Opened 9 years ago
Closed 9 years ago
Assertion failure: !hasFlags(1 << InWorklist), at js/src/jit/MIR.h:733
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla54
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | unaffected |
| firefox53 | --- | fixed |
| firefox54 | --- | fixed |
People
(Reporter: decoder, Assigned: shu)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(1 file)
|
1.50 KB,
patch
|
jandem
:
review+
lizzard
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --ion-eager):
let m = parseModule(`
function* values() {}
var iterator = values();
for (var i=0; i < 10000; ++i) {
for (var x of iterator) {}
}
`);
m.declarationInstantiation();
m.evaluation();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00000000006da820 in js::jit::MDefinition::setInWorklist (this=<optimized out>) at js/src/jit/MIR.h:733
#0 0x00000000006da820 in js::jit::MDefinition::setInWorklist (this=<optimized out>) at js/src/jit/MIR.h:733
#1 js::jit::IonBuilder::processIterators (this=this@entry=0x7ffff02a02b8) at js/src/jit/IonBuilder.cpp:893
#2 0x00000000006e605e in js::jit::IonBuilder::build (this=this@entry=0x7ffff02a02b8) at js/src/jit/IonBuilder.cpp:856
#3 0x0000000000430308 in js::jit::IonCompile (cx=cx@entry=0x7ffff6921000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb4a8, osrPc=osrPc@entry=0x7ffff03c62e3 "\343\202Q\f\f\270", recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2267
#4 0x00000000006fa1b8 in js::jit::Compile (cx=cx@entry=0x7ffff6921000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb4a8, osrPc=osrPc@entry=0x7ffff03c62e3 "\343\202Q\f\f\270", forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2525
#5 0x00000000006faafb in BaselineCanEnterAtBranch (pc=0x7ffff03c62e3 "\343\202Q\f\f\270", osrFrame=0x7fffffffb4a8, script=..., cx=0x7ffff6921000) at js/src/jit/Ion.cpp:2716
#6 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6921000, frame=frame@entry=0x7fffffffb4a8, pc=pc@entry=0x7ffff03c62e3 "\343\202Q\f\f\270") at js/src/jit/Ion.cpp:2774
#7 0x00000000005e8086 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6921000, frame=0x7fffffffb4a8, stub=0x7ffff69e2218, infoPtr=0x7fffffffb458) at js/src/jit/BaselineIC.cpp:143
#8 0x000018425caa74de in ?? ()
[...]
#18 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffffaf50 140737488334672
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffaff0 140737488334832
rsp 0x7fffffffaf00 140737488334592
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x1 1
r13 0x8 8
r14 0x7ffff02a02b8 140737222673080
r15 0x1 1
rip 0x6da820 <js::jit::IonBuilder::processIterators()+896>
=> 0x6da820 <js::jit::IonBuilder::processIterators()+896>: movl $0x0,0x0
0x6da82b <js::jit::IonBuilder::processIterators()+907>: ud2
|
||
Comment 1•9 years ago
|
||
Shu, NI you because you changed processIterators recently.
Flags: needinfo?(shu)
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
||
Comment 2•9 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
Assignee | |
Comment 3•9 years ago
|
||
Attachment #8839763 -
Flags: review?(jdemooij)
|
|
Assignee | |
Updated•9 years ago
|
Flags: needinfo?(shu)
|
|
||
Updated•9 years ago
|
Attachment #8839763 -
Flags: review?(jdemooij) → review+
|
||
Updated•9 years ago
|
Assignee: nobody → shu
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2bd07604e754
Check for duplicates in processIterators. (r=jandem)
|
||
Comment 5•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
|
|
||
Comment 6•9 years ago
|
||
IIUC, this was a regression from bug 1333946. Assuming that's the case, please request Aurora approval on this when you get a chance.
Blocks: 1333946
status-firefox52:
--- → unaffected
status-firefox53:
--- → affected
Flags: needinfo?(shu)
Flags: in-testsuite+
|
|
Assignee | |
Comment 7•9 years ago
|
||
Comment on attachment 8839763 [details] [diff] [review]
Check for duplicates in processIterators.
Approval Request Comment
[Feature/Bug causing the regression]: bug 1333946
[User impact if declined]: actually, probably nothing, as this is a DEBUG-only assert
[Is this code covered by automated tests?]: yes, on central
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: nope
[List of other uplifts needed for the feature/fix]: nope
[Is the change risky?]: nope
[Why is the change risky/not risky?]: nope
[String changes made/needed]: none
Flags: needinfo?(shu)
Attachment #8839763 -
Flags: approval-mozilla-aurora?
|
||
Comment 8•9 years ago
|
||
Comment on attachment 8839763 [details] [diff] [review]
Check for duplicates in processIterators.
Adds a test, fixes an assert, let's uplift to aurora.
Attachment #8839763 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 9•9 years ago
|
||
| bugherder uplift | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•