Closed
Bug 1356424
Opened 9 years ago
Closed 9 years ago
Assertion failure: numFailures_ > 0 (numFailures_ should not overflow), at js/src/jit/ICState.h:113
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 3243c8fc3ce7 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager --wasm-always-baseline):
x = [];
Object.defineProperty(x, 0, {
set: function () {
try {
x.sort(function () {});
} catch (e) {}
}
}).unshift(0);
Backtrace:
#0 0x00000000006182bc in js::jit::ICState::trackNotAttached (this=<optimized out>) at js/src/jit/ICState.h:113
#1 0x00000000005f7595 in js::jit::DoSetElemFallback (cx=<optimized out>, frame=<optimized out>, stub_=<optimized out>, stack=0x7ffc388594d0, objv=..., index=..., rhs=...) at js/src/jit/BaselineIC.cpp:1032
#2 0x000025761cd67f11 in ?? ()
#3 0x00007ffc388594c8 in ?? ()
#4 0x00007ffc38859480 in ?? ()
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
Actually --wasm-always-baseline is not needed.
|
Assignee | |
Updated•9 years ago
|
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 3•9 years ago
|
||
I can't reproduce this on Mac, but I'm pretty sure this is the same problem as bug 1350171 - I just forgot to update DoSetElemFallback in that bug :(
Gary, can you confirm this patch fixes it?
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8859566 -
Flags: review?(hv1989)
Attachment #8859566 -
Flags: feedback?(gary)
|
||
Comment 4•9 years ago
|
||
Comment on attachment 8859566 [details] [diff] [review]
Patch
Review of attachment 8859566 [details] [diff] [review]:
-----------------------------------------------------------------
I remember looking at all canAttachStub calls to make sure this check was there.
I must have overlooked, sorry.
Thanks!
Attachment #8859566 -
Flags: review?(hv1989) → review+
|
|
Reporter | |
Comment 5•9 years ago
|
||
Comment on attachment 8859566 [details] [diff] [review]
Patch
Yes, this fixes the bug. Thanks!
Attachment #8859566 -
Flags: feedback?(gary) → feedback+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/77edd84ad552
Fix DoSetElemFallback to try to transition before attaching an add-slot stub. r=h4writer
|
||
Comment 7•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Updated•9 years ago
|
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox-esr52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•