Closed
Bug 1646201
Opened 4 years ago
Closed 4 years ago
[warp] Assertion failure: def->type() == MIRType::Int32 || def->type() == MIRType::Double, at jit/MIR.h:7353
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED DUPLICATE of bug 1643669
 | Tracking | Status
---|---|---
firefox79 | --- | disabled
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase)
Attachments (1 file): 333 bytes, text/plain
The following testcase crashes on mozilla-central revision 20200615-f05a0084c5f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --ion-warmup-threshold=0):
var x = new Int32Array(10);
// Mirrors the spec's CanonicalNumericIndexString: converts the string argument to a Number.
function CanonicalNumericIndexString(argument) {
  var n = Number(argument);
  return n;
}
// Stores through the converted key. For "-100".."99" this is an integer-indexed typed-array
// store; the negative values and 10..99 are not valid indices for a 10-element array.
function assertCanonicalNumericIndexString(i) {
  var canonical = CanonicalNumericIndexString(i);
  x[canonical] = 0;
}
for (var i = -100; i < 100; i++) {
  assertCanonicalNumericIndexString(String(i));
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x000055555671ce69 in js::jit::MTypedArrayIndexToInt32::MTypedArrayIndexToInt32(js::jit::MDefinition*) ()
#0 0x000055555671ce69 in js::jit::MTypedArrayIndexToInt32::MTypedArrayIndexToInt32(js::jit::MDefinition*) ()
#1 0x0000555556b01ac0 in WarpCacheIRTranspiler::emitGuardToTypedArrayIndex(js::jit::ValOperandId, js::jit::Int32OperandId) ()
#2 0x0000555556afe503 in WarpCacheIRTranspiler::transpile(mozilla::Vector<js::jit::MDefinition*, 8ul, js::SystemAllocPolicy> const&) ()
#3 0x0000555556afd146 in js::jit::TranspileCacheIRToMIR(js::jit::MIRGenerator&, js::BytecodeLocation, js::jit::MBasicBlock*, js::jit::WarpCacheIR const*, mozilla::Vector<js::jit::MDefinition*, 8ul, js::SystemAllocPolicy> const&) ()
#4 0x0000555556af7d69 in js::jit::WarpBuilder::buildIC(js::BytecodeLocation, js::jit::CacheKind, std::initializer_list<js::jit::MDefinition*>) ()
#5 0x0000555556aea74e in js::jit::WarpBuilder::build_SetElem(js::BytecodeLocation) ()
#6 0x0000555556ae53dd in js::jit::WarpBuilder::buildBody() ()
#7 0x0000555556ae480a in js::jit::WarpBuilder::build() ()
#8 0x0000555556677aba in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#9 0x000055555668be61 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#10 0x0000555556678f81 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#11 0x00005555566796e7 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*) ()
#12 0x00000ed325f91875 in ?? ()
[...]
#20 0x0000000000000000 in ?? ()
rax 0x55555715b48d 93825021621389
rbx 0x7ffff4e58518 140737302070552
rcx 0x5555583de980 93825041033600
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffabe0 140737488333792
rsp 0x7fffffffabd0 140737488333776
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9bd40 140737353727296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7ffff4e57e20 140737302068768
r13 0x7 7
r14 0x7ffff4e57e20 140737302068768
r15 0x7fffffffac88 140737488333960
rip 0x55555671ce69 <js::jit::MTypedArrayIndexToInt32::MTypedArrayIndexToInt32(js::jit::MDefinition*)+201>
=> 0x55555671ce69 <_ZN2js3jit23MTypedArrayIndexToInt32C2EPNS0_11MDefinitionE+201>: movl $0x1cb9,0x0
0x55555671ce74 <_ZN2js3jit23MTypedArrayIndexToInt32C2EPNS0_11MDefinitionE+212>: callq 0x555555849bee <abort>
Comment 1 (Reporter) • 4 years ago

Updated • 4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Comment 3 • 4 years ago
Bugmon Analysis:
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.