Closed Bug 723574 Opened 12 years ago Closed 9 years ago

Assertion failure: fe->isType(JSVAL_TYPE_DOUBLE)

Categories: Core :: JavaScript Engine, defect
Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: bc
Assignee: Unassigned
Keywords: assertion, regression, testcase
Attachments: 2 files

1. http://www.gigolom.biz/messageread.php?id=2735617 in Beta/11, Aurora/12, Nightly/13

2. Assertion failure: fe->isType(JSVAL_TYPE_DOUBLE), at c:\work\mozilla\builds\aurora\mozilla\js\src\methodjit\FrameState-inl.h:625

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_WRITE
Crash address: 0x0

Thread 0 (crashed)
 0  mozjs.dll!CrashInJS [jsutil.cpp : 87 + 0x0]
    eip = 0x68d559b3   esp = 0x0038782c   ebp = 0x0038782c   ebx = 0x00000000
    esi = 0x042fb258   edi = 0x00000127   eax = 0xffffffff   ecx = 0x89c914b7
    edx = 0x6f0b1d48   efl = 0x00210202
    Found by: given as instruction pointer in context
 1  mozjs.dll!JS_Assert [jsutil.cpp : 114 + 0x4]
    eip = 0x68d5598f   esp = 0x00387834   ebp = 0x00387834
    Found by: call frame info
 2  mozjs.dll!js::mjit::FrameState::tempFPRegForData(js::mjit::FrameEntry *) [FrameState-inl.h : 625 + 0x26]
    eip = 0x68e2b8f8   esp = 0x0038783c   ebp = 0x00387854
    Found by: call frame info
 3  mozjs.dll!js::mjit::FrameState::ensureInteger(js::mjit::FrameEntry *) [FrameState.cpp : 1902 + 0xb]
    eip = 0x68e67ee9   esp = 0x0038785c   ebp = 0x0038789c
    Found by: call frame info
 4  mozjs.dll!js::mjit::Compiler::generateMethod() [Compiler.cpp : 1999 + 0x14]
    eip = 0x68e2206d   esp = 0x003878a4   ebp = 0x00387e14
    Found by: call frame info
 5  mozjs.dll!js::mjit::Compiler::performCompilation() [Compiler.cpp : 543 + 0x7]
    eip = 0x68e156bc   esp = 0x00387e1c   ebp = 0x00387e70
    Found by: call frame info
 6  mozjs.dll!js::mjit::Compiler::compile() [Compiler.cpp : 159 + 0x7]
    eip = 0x68e13d17   esp = 0x00387e78   ebp = 0x00387e88
    Found by: call frame info
 7  mozjs.dll!js::mjit::CanMethodJIT(JSContext *,JSScript *,unsigned char *,bool,js::mjit::CompileRequest) [Compiler.cpp : 996 + 0xa]
    eip = 0x68e1a2e4   esp = 0x00387e90   ebp = 0x0038c068
    Found by: call frame info
 8  mozjs.dll!js::Interpret(JSContext *,js::StackFrame *,js::InterpMode) [jsinterp.cpp : 1800 + 0x22]
    eip = 0x68c89058   esp = 0x0038c070   ebp = 0x0038ca1c
    Found by: call frame info
I can reproduce locally and will start reducing it.
Attached file testcase
Keywords: testcase
Do you have a regression range?
Both the page and the test case seem to work for me in today's nightly.
I just reproduced with a debug nightly build on Mac OS X from 2012-02-07. I'll rebuild and see.
Both the url and the test case assert within seconds with a fresh debug build of Nightly on Mac OS X.
http://dev.sencha.com/deploy/ext-4.0.7-gpl/examples/charts/BarRenderer.html
Saving this to disk does not reproduce though.

Linux and Windows 32bit builds but not Linux 64 bit builds nor OSX 64 bit builds.

#0  0x00110424 in __kernel_vsyscall ()
#1  0x0059f760 in raise () from /lib/libpthread.so.0
#2  0x0302b169 in js::mjit::FrameState::tempFPRegForData (this=0xbffeff24, fe=0xa241028)
    at /work/mozilla/builds/nightly/mozilla/js/src/methodjit/FrameState-inl.h:625
#3  0x03071200 in js::mjit::FrameState::ensureInteger (this=0xbffeff24, fe=0xa241028)
    at /work/mozilla/builds/nightly/mozilla/js/src/methodjit/FrameState.cpp:1906
#4  0x03036a93 in js::mjit::Compiler::generateMethod (this=0xbffef9ac) at /work/mozilla/builds/nightly/mozilla/js/src/methodjit/Compiler.cpp:2020
#5  0x0302f935 in js::mjit::Compiler::performCompilation (this=0xbffef9ac)
    at /work/mozilla/builds/nightly/mozilla/js/src/methodjit/Compiler.cpp:549
#6  0x0302e678 in js::mjit::Compiler::compile (this=0xbffef9ac) at /work/mozilla/builds/nightly/mozilla/js/src/methodjit/Compiler.cpp:146
#7  0x03031454 in js::mjit::CanMethodJIT (cx=0x8be2620, script=0xb32c5f90, pc=0x96898c4 "mV", construct=false, request=
    js::mjit::CompileRequest_Interpreter) at /work/mozilla/builds/nightly/mozilla/js/src/methodjit/Compiler.cpp:1000
#8  0x02e778ab in js::Interpret (cx=0x8be2620, entryFrame=0xb3eff210, interpMode=js::JSINTERP_NORMAL)
    at /work/mozilla/builds/nightly/mozilla/js/src/jsinterp.cpp:1787
Bisection flagged a bogus changeset on Oct 26, but bug 678687 does look like a good candidate.

Brian Hackett — Try to coerce doubles to integers on tripped type barriers, bug 678687. r=dvander
Blocks: 678687
Keywords: regression
Whiteboard: js-triage-needed
The first bad revision is:
changeset:   79123:5622da118913
parent:      79103:7ba4cea5382d
user:        Brian Hackett <bhackett1024@gmail.com>
date:        Sat Oct 22 07:20:56 2011 -0700
summary:     Get more precise known type tag for type sets containing any object, bug 685472. r=dvander
Blocks: 685472
Whiteboard: js-triage-needed
Assignee: general → nobody
Retested with OSX 10.{6,8,9}, RHEL6 {32,64}bit, Windows 7 {32,64}bit, Beta/38, Aurora/39, Nightly/40 and no crash. -> WFM.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME