Bug 655949 - TI: "Assertion failure: Bad rejoin getter op,"
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Hardware: x86 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: Jan de Mooij [:jandem]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz infer-regress
Reported: 2011-05-10 00:29 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:18 PST
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Patch (1.48 KB, patch)
2011-05-10 02:10 PDT, Jan de Mooij [:jandem]
bhackett1024: review+

Description Gary Kwong [:gkw] [:nth10sd] 2011-05-10 00:29:37 PDT
var a;

asserts js debug shell on JM changeset 32e8c937a409 with -m, -j, -a and -n at Assertion failure: Bad rejoin getter op, when passed in as a CLI argument to a 32-bit Linux shell.

(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081fdc65 in JS_Assert (s=0x8444cf8 "Bad rejoin getter op", file=0x8443d5c "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/InvokeHelpers.cpp", ln=1561)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsutil.cpp:89
#3  0x083535dd in js_InternalInterpret (returnData=0xffff0002, returnType=0x851af20, returnReg=0x0, f=...)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/InvokeHelpers.cpp:1561
#4  0x082b6518 in JaegerInterpoline () at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/MethodJIT.cpp:152
#5  0x000f4240 in ?? ()
#6  0x00000000 in ?? ()
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-05-10 00:41:42 PDT
Original assertion was:

Assertion failure: Unknown value,

#0  0xf7774430 in __kernel_vsyscall ()
#1  0xf774aba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081fdc65 in JS_Assert (s=0x83cb980 "Unknown value", file=0x83cb8fc "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinferinlines.h", ln=80) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsutil.cpp:89
#3  0x08080f96 in js::types::GetValueType (cx=0x95c6028, val=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinferinlines.h:80
#4  0x081192f6 in JSScript::typeCheckBytecode (this=0x964d348, cx=0x95c6028, pc=0x964d46d "V", sp=0xf6e790d8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinfer.cpp:4206
#5  0x0837e5a9 in TypeCheckNextBytecode (cx=0x95c6028, script=0x964d348, n=3, regs=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinterp.cpp:2173
#6  0x0839d513 in js::Interpret (cx=0x95c6028, entryFrame=0xf6e79088, inlineCallCount=0, interpMode=js::JSINTERP_SAFEPOINT) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/jsinterp.cpp:5196
#7  0x08353797 in js_InternalInterpret (returnData=0xf6d1e6c0, returnType=0xffff0007, returnReg=0x82b6540, f=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/InvokeHelpers.cpp:1612
#8  0x082b6518 in JaegerInterpoline () at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69153-32e8c937a409/compilePath/js/src/methodjit/MethodJIT.cpp:152
#9  0x000f4240 in ?? ()
#10 0x00000000 in ?? ()
Comment 2 Christian Holler (:decoder) 2011-05-10 01:04:48 PDT
Getting this as well a lot on LangFuzz, voting to fix this before the other issues.
Comment 3 Jan de Mooij [:jandem] 2011-05-10 02:10:39 PDT
Created attachment 531274

Add JSOP_CALLGLOBAL to interpoline.
Comment 4 Brian Hackett (:bhackett) 2011-05-10 05:47:35 PDT
Comment on attachment 531274

Review of attachment 531274:
Comment 5 Jan de Mooij [:jandem] 2011-05-10 06:10:41 PDT
Comment 6 Christian Holler (:decoder) 2013-01-14 08:18:58 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug655949.js.
