Closed
Bug 732864
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: JSOp(*pc) == JSOP_CALL, at js/src/ion/TypeOracle.h:156
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: nbp)
References
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
3.27 KB,
text/javascript
|
Details | |
1.80 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The attached testcase crashes on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m).
Reporter | ||
Comment 1•12 years ago
|
||
Crash trace: Program received signal SIGSEGV, Segmentation fault. 0x0838550e in js::ion::IonJSFrameLayout::calleeToken (this=0x1eedd772) at ../ion/shared/IonFrames-x86-shared.h:87 87 return calleeToken_; (gdb) bt #0 0x0838550e in js::ion::IonJSFrameLayout::calleeToken (this=0x1eedd772) at ../ion/shared/IonFrames-x86-shared.h:87 #1 0x08383f87 in InvalidateActivation (cx=0x86e0d98, ionTop=0xffffbf28 "\030\277\377\377\020\302p\367\377\377\377\377", invalidateAll=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1010 #2 0x08384440 in js::ion::Invalidate (cx=0x86e0d98, invalid=..., resetUses=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1116 #3 0x0811b5da in js::types::TypeCompartment::processPendingRecompiles (this=0x86e15dc, cx=0x86e0d98) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:2148 #4 0x080a5353 in js::types::AutoEnterTypeInference::~AutoEnterTypeInference (this=0xffffbe04, __in_chrg=<value optimized out>) at ../jsinferinlines.h:235 #5 0x081248ed in js::types::TypeMonitorResult (cx=0x86e0d98, script=0xf7706420, pc=0x86ebc3a "5", rval=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:5170 #6 0x081542f9 in js::types::TypeScript::Monitor (cx=0x86e0d98, script=0xf7706420, pc=0x86ebc3a "5", rval=...) at ../jsinferinlines.h:575 #7 0x0845d51e in js::ion::InvalidationBailout (sp=0xffffbed8, frameSizeOut=0xffffbed4) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:461 #8 0x004143c2 in ?? ()
Comment 2•12 years ago
|
||
This is a reduced testcase. Fails on --ion -n (32bit) too: function BigInteger() { } function bnpCopyTo(g) { var this_array = g.array; for (var i = g.t; i >= 0; --i) ; g.t = g.t; } function bnpFromString(n) { n.t = 0; var i = 100; while (--i >= 0) { n.t++; } } n = new BigInteger(); n.array = new Array(); bnpFromString(n); g = new BigInteger(); g.array = new Array(); g.t = 100; bnpCopyTo(g);
Assignee | ||
Updated•12 years ago
|
Assignee: general → nicolas.b.pierron
Assignee | ||
Comment 3•12 years ago
|
||
I can no longer reproduce the original bug on top of https://hg.mozilla.org/projects/ionmonkey/rev/ea48d5e141e7 I only got an error with --ion --ion-eager on both x86 and x64 with both test-cases. Assertion failure: JSOp(*pc) == JSOP_CALL, at js/src/ion/TypeOracle.h:156
Assignee | ||
Updated•12 years ago
|
Assignee | ||
Comment 4•12 years ago
|
||
Attachment #604216 -
Flags: review?(dvander)
Assignee | ||
Updated•12 years ago
|
Status: NEW → ASSIGNED
Comment on attachment 604216 [details] [diff] [review] Match TypeInferenceOracle assertions for getCallTarget. Review of attachment 604216 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/TypeOracle.h @@ +153,5 @@ > > /* |pc| must be a |JSOP_CALL|. */ > virtual types::TypeSet *getCallTarget(JSScript *caller, uint32 argc, jsbytecode *pc) { > + // Same assertion as TypeInferenceOracle::getCallTarget. > + JS_ASSERT(JSOp(*pc) == JSOP_CALL || JSOp(*pc) == JSOP_NEW || r=me simpler if JS_ASSERT(js_CodeSpec[*pc] & JOF_INVOKE) works though
Attachment #604216 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 6•12 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/8a9d061f5008
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 7•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732864.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•