TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" or "Assertion failure: m != TT_INT32 || isInt32(*vp), at ../jstracer.cpp" with Math

VERIFIED FIXED

Status


P1
critical
VERIFIED FIXED
9 years ago
8 years ago

People

(Reporter: gkw, Assigned: gal)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
x86
Mac OS X
assertion, crash, regression, testcase, verified1.9.2
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.2 +
in-testsuite +

Firefox Tracking Flags

(status1.9.2 beta1-fixed)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
for each(l in ['', 0, 0, ]) {
    print(Math.round(false))
}

asserts js debug shell with -j at Assertion failure: s0->isQuad(), at ../jstracer.cpp:1337

autoBisect shows this is probably related to bug 511307:

The first bad revision is:
changeset:   31632:ccf91ba2d62a
user:        Andreas Gal
date:        Wed Aug 19 15:31:10 2009 -0700
summary:     Specialize math functions to integer arithmetic where appropriate (511307, r=dvander).
Flags: blocking1.9.2?
(Reporter)

Comment 1

9 years ago
for (x = 0; x < 3; ++x) {
  a = Math.floor('')
}

crashes js opt shell with -j at nanojit::Assembler::freeRsrcOf at null and asserts js debug shell with -j at Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)

autoBisect also points fingers at bug 511307.
Summary: TM: "Assertion failure: s0->isQuad(), at ../jstracer.cpp" with Math → TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" with Math
(Reporter)

Comment 2

9 years ago
options().n;
(function () {
    Math
})()
for (let x in [0, 0]) {
    ''.replace((Math.min(3, /x/)))
}

asserts js debug shell with -j at Assertion failure: m != TT_INT32 || isInt32(*vp), at ../jstracer.cpp:3206, autoBisect fingering out bug 511307 too.
Keywords: crash
Summary: TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" with Math → TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" or "Assertion failure: m != TT_INT32 || isInt32(*vp), at ../jstracer.cpp" with Math
(Reporter)

Comment 3

9 years ago
(In reply to comment #1)
> for (x = 0; x < 3; ++x) {
>   a = Math.floor('')
> }
> 
> crashes js opt shell with -j at nanojit::Assembler::freeRsrcOf at null and
> asserts js debug shell with -j at Assertion failed: p->isQuad()
> (../nanojit/Nativei386.cpp:1325)
> 
> autoBisect also points fingers at bug 511307.

Now this morphed to asserting only at Assertion failure: s0->isQuad(), at ../jstracer.cpp:1337. That said, I still see nanojit::Assembler::freeRsrcOf js opt null deref crashes; I'll need to wait for a reduced testcase first.
(Assignee)

Updated

9 years ago
Assignee: general → gal
(Assignee)

Comment 4

9 years ago
Confirmed on TM tip. Good test case.
(Assignee)

Comment 5

9 years ago
Created attachment 396798 [details] [diff] [review]
patch
(Assignee)

Updated

9 years ago
Attachment #396798 - Flags: review?(dvander)
Attachment #396798 - Flags: review?(dvander) → review+
(Assignee)

Comment 6

9 years ago
http://hg.mozilla.org/tracemonkey/rev/d4faaf65fefb
Whiteboard: fixed-in-tracemonkey
(Reporter)

Updated

9 years ago
Status: NEW → ASSIGNED

Updated

9 years ago
Flags: blocking1.9.2? → blocking1.9.2+
http://hg.mozilla.org/mozilla-central/rev/d4faaf65fefb
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Updated

9 years ago
Priority: -- → P1

Comment 9

9 years ago
js/src/trace-test/tests/basic/testIntFloor.js
Flags: in-testsuite+

Comment 10

9 years ago
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Crash Signature: [@ nanojit::Assembler::freeRsrcOf]