TI: "Assertion failure: Bad rejoin getter op,"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reported 6 years ago, last modified 5 years ago

People: Reporter: gkw, Assigned: jandem

Tracking: Blocks: 2 bugs
Keywords: assertion, testcase
Version: Trunk
Hardware: x86 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Attachments: 1

Description (Reporter: gkw, 6 years ago)
var a;
a() // a is undefined, so this call would throw a TypeError; the debug shell hits the assertion below instead

asserts js debug shell on JM changeset 32e8c937a409 with -m, -j, -a and -n at Assertion failure: Bad rejoin getter op, when passed in as a CLI argument to a 32-bit Linux shell.

(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081fdc65 in JS_Assert (s=0x8444cf8 "Bad rejoin getter op", file=0x8443d5c "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/InvokeHelpers.cpp", ln=1561)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsutil.cpp:89
#3  0x083535dd in js_InternalInterpret (returnData=0xffff0002, returnType=0x851af20, returnReg=0x0, f=...)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/InvokeHelpers.cpp:1561
#4  0x082b6518 in JaegerInterpoline () at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/MethodJIT.cpp:152
#5  0x000f4240 in ?? ()
#6  0x00000000 in ?? ()
Comment 1 (Reporter: gkw, 6 years ago)
Original assertion was:

Assertion failure: Unknown value,

#0  0xf7774430 in __kernel_vsyscall ()
#1  0xf774aba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081fdc65 in JS_Assert (s=0x83cb980 "Unknown value", file=0x83cb8fc "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinferinlines.h", ln=80) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsutil.cpp:89
#3  0x08080f96 in js::types::GetValueType (cx=0x95c6028, val=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinferinlines.h:80
#4  0x081192f6 in JSScript::typeCheckBytecode (this=0x964d348, cx=0x95c6028, pc=0x964d46d "V", sp=0xf6e790d8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinfer.cpp:4206
#5  0x0837e5a9 in TypeCheckNextBytecode (cx=0x95c6028, script=0x964d348, n=3, regs=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinterp.cpp:2173
#6  0x0839d513 in js::Interpret (cx=0x95c6028, entryFrame=0xf6e79088, inlineCallCount=0, interpMode=js::JSINTERP_SAFEPOINT) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinterp.cpp:5196
#7  0x08353797 in js_InternalInterpret (returnData=0xf6d1e6c0, returnType=0xffff0007, returnReg=0x82b6540, f=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/InvokeHelpers.cpp:1612
#8  0x082b6518 in JaegerInterpoline () at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/MethodJIT.cpp:152
#9  0x000f4240 in ?? ()
#10 0x00000000 in ?? ()
Comment 2

Getting this as well a lot on LangFuzz, voting to fix this before the other issues.

Comment 3 (Assignee: jandem, 6 years ago)
Created attachment 531274 [details] [diff] [review]
Patch

Add JSOP_CALLGLOBAL to interpoline.
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #531274 - Flags: review?(bhackett1024)
Comment 4

Comment on attachment 531274 [details] [diff] [review]
Patch

Review of attachment 531274 [details] [diff] [review]:

Attachment #531274 - Flags: review?(bhackett1024) → review+

Comment 5 (Assignee: jandem, 6 years ago)
http://hg.mozilla.org/projects/jaegermonkey/rev/015bd3ff1be6
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug655949.js.
Flags: in-testsuite+