Closed
Bug 1385310
Opened 7 years ago
Closed 7 years ago
Assertion failure: uint32_t(parent->key_ >> 32) <= uint32_t(child->key_ >> 32) && uint32_t(child->key_) <= uint32_t(parent->key_), at js/src/vm/Xdr.cpp:267
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox57 | --- | fixed |
People
(Reporter: nbp, Assigned: arai)
References
Details
Attachments
(2 files)
|
2.54 KB,
application/x-javascript
|
Details | |
|
5.38 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
Seen while testing JSBC eager mode on mochitest[1]. This assertion appears while encoding the bytecode for a page. [1] https://treeherder.mozilla.org/logviewer.html#?job_id=118957112&repo=try&lineNumber=6048
| Comment hidden (Intermittent Failures Robot) |
|
Reporter | |
Comment 2•7 years ago
|
||
I managed to reproduce this issue under rr, with: mach mochitest --setpref dom.script_loader.bytecode_cache.strategy=-1 dom/base/test/test_bug418986-1.html
Status: NEW → ASSIGNED
|
|
Reporter | |
Comment 3•7 years ago
|
||
This issue is caused by the XDR incremental encoding for the following content:
var test = function () {
// Returns generator object that iterates through values.
let prefVals = (for (prefVal of [false, true]) prefVal);
for (x of prefVals) ;
}
The prefVals is being converted into a function which has a bad sourceStart_ location set to 0, instead of the beginning of the expression. Which causes the previous assertion in the incremental encoder as we expect all functions to be stacked in terms of start/end positions.Flags: needinfo?(arai.unmht)
|
|
Reporter | |
Comment 4•7 years ago
|
||
|
Assignee | |
Updated•7 years ago
|
Assignee: nicolas.b.pierron → arai.unmht
Flags: needinfo?(arai.unmht)
|
|
Assignee | |
Comment 5•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=00d77cb651b328c6b375b630f9c204669d4d308c
|
|
Assignee | |
Comment 6•7 years ago
|
||
Fixed bufStart and toStringStart of generator comprehension function to `begin`, that points "(" before "for".
Also, added FunctionBox::setStart with offset parameter, to pass not-current offset.
Attachment #8895541 -
Flags: review?(nicolas.b.pierron)
|
|
Reporter | |
Comment 7•7 years ago
|
||
Comment on attachment 8895541 [details] [diff] [review] Set bufStart and toStringStart for generator expression functions. Review of attachment 8895541 [details] [diff] [review]: ----------------------------------------------------------------- Thanks :) ::: js/src/jit-test/tests/xdr/bug1385310.js @@ +6,5 @@ > + > +var test = function (isContent) { > + > + /* > + SimpleTest.waitForExplicitFinish(); nit: my bad, I forgot to save the removal of these /**/ comments before uploading the minimal test case.
Attachment #8895541 -
Flags: review?(nicolas.b.pierron) → review+
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e360f8351242 Set bufStart and toStringStart for generator expression functions. r=nbp
|
|
Assignee | |
Comment 9•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e360f835124223f465b2d035582a1f725298faa9 Bug 1385310 - Set bufStart and toStringStart for generator expression functions. r=nbp
|
||
Comment 10•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/e360f8351242
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in
before you can comment on or make changes to this bug.
Description
•