Closed Bug 1356424 Opened 7 years ago Closed 7 years ago

Assertion failure: numFailures_ > 0 (numFailures_ should not overflow), at js/src/jit/ICState.h:113

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: gkw, Assigned: jandem)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

Detailed Crash Information
4.64 KB, text/plain
Details
Patch
1.15 KB, patch
h4writer
: review+
gkw
: feedback+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 3243c8fc3ce7 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager --wasm-always-baseline):

x = [];
Object.defineProperty(x, 0, {
    set: function () {
        try {
            x.sort(function () {});
        } catch (e) {}
    }
}).unshift(0);

Backtrace:

#0  0x00000000006182bc in js::jit::ICState::trackNotAttached (this=<optimized out>) at js/src/jit/ICState.h:113
#1  0x00000000005f7595 in js::jit::DoSetElemFallback (cx=<optimized out>, frame=<optimized out>, stub_=<optimized out>, stack=0x7ffc388594d0, objv=..., index=..., rhs=...) at js/src/jit/BaselineIC.cpp:1032
#2  0x000025761cd67f11 in ?? ()
#3  0x00007ffc388594c8 in ?? ()
#4  0x00007ffc38859480 in ?? ()
/snip

For detailed crash information, see attachment.
Actually --wasm-always-baseline is not needed.
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review 
I can't reproduce this on Mac, but I'm pretty sure this is the same problem as bug 1350171 - I just forgot to update DoSetElemFallback in that bug :(

Gary, can you confirm this patch fixes it?
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8859566 - Flags: review?(hv1989)
Attachment #8859566 - Flags: feedback?(gary)
Comment on attachment 8859566 [details] [diff] [review]
Patch

Review of attachment 8859566 [details] [diff] [review]:
-----------------------------------------------------------------

I remember looking at all canAttachStub calls to make sure this check was there.
I must have overlooked, sorry.
Thanks!
Attachment #8859566 - Flags: review?(hv1989) → review+
Comment on attachment 8859566 [details] [diff] [review]
Patch

Yes, this fixes the bug. Thanks!
Attachment #8859566 - Flags: feedback?(gary) → feedback+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/77edd84ad552
Fix DoSetElemFallback to try to transition before attaching an add-slot stub. r=h4writer
https://hg.mozilla.org/mozilla-central/rev/77edd84ad552
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: