Closed
Bug 763948
Opened 12 years ago
Closed 11 years ago
Assertion failure: !fe->isConstant(), at methodjit/FrameState-inl.h:552
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, testcase, Whiteboard: [js:t] [jsbugmon:origRev=e9bf05c14376])
The following test asserts on mozilla-central revision e9bf05c14376 (options -m -n -a):
Object.prototype.inheritsFrom = function (shuper) {
this.superConstructor = shuper;
}
function Strength(strengthValue, name) {
this.strengthValue = strengthValue;
}
Strength.weaker = function (s1, s2) {
return this ( UTCDate.stack , 'No Crash').super > s2.strengthValue;
}
Strength.REQUIRED = new Strength(0, "required");
function BinaryConstraint(var1, var2, strength) {
this.v1 = var1;
this.v2 = var2;
if (Strength.weaker(this.v1.walkStrength, this.v2.walkStrength)) {}
}
function EqualityConstraint(var1, var2, strength) {
EqualityConstraint.superConstructor.call(this, var1, var2, strength);
}
EqualityConstraint.inheritsFrom(BinaryConstraint);
function Variable(name, initialValue) {
}
function chainTest(n) {
var prev = null, first = null, last = null;
for (var i = 0; i <= n; i++) {
var name = "v" + i;
var v = new Variable(name);
if (prev != null)
new EqualityConstraint(prev, v, Strength.REQUIRED);
prev = v;
}
}
chainTest(100);
|
||
Updated•12 years ago
|
Whiteboard: js-triage-needed → [js:p3]
|
|
||
Updated•12 years ago
|
Whiteboard: [js:p3] → [js:t]
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t] → [js:t][jsbugmon:update,bisect]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t][jsbugmon:update,bisect] → [js:t] [jsbugmon:update]
|
|
Reporter | |
Comment 1•12 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 76029:9b9fd467eb5f parent: 75176:583cb8819d62 user: Shu-yu Guo date: Tue Jul 05 22:54:19 2011 -0700 summary: Add swap and pick support to TI. bug 668353. r=bhackett Oops! We didn't test rev 583cb8819d62, a parent of the blamed revision! Let's do that now. Rev 583cb8819d62: Found cached shell... Testing... gdb -n -batch -x /home/decoder/LangFuzz/fuzzing/util/gdb-quick.txt /home/decoder/Desktop/autobisect-cache/js-dbg-64-583cb8819d62-linux core.23582 Exit status: CRASHED signal 6 (SIGABRT) (0.222 seconds) bad (interesting) Bisect lied to us! Parent rev 583cb8819d62 was also bad!
|
||
Comment 2•12 years ago
|
||
This bisection is unlikely to be correct.
|
|
Reporter | |
Comment 3•12 years ago
|
||
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #2) > This bisection is unlikely to be correct. Yea, the parent is a merge and also fails. Should I rerun bisect with different arguments manually here?
|
|
||
Comment 4•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #3) > (In reply to Gary Kwong [:gkw, :nth10sd] from comment #2) > > This bisection is unlikely to be correct. > > Yea, the parent is a merge and also fails. Should I rerun bisect with > different arguments manually here? You could. Try setting the latest changeset to break to be the parent (-e option in autoBisectJs), and look out for the assertion failure (or "isConstant" but this might be a red herring if it points to a changeset that just introduced or renamed the assert) again. However, it might still lie again. :-/
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t] [jsbugmon:update] → [js:t] [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 5•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision fdfaef738a00).
|
|
||
Comment 6•12 years ago
|
||
We made more improvements to autoBisectJs. Hope this shows up a better bisection result.
Whiteboard: [js:t] [jsbugmon:update,ignore] → [js:t] [jsbugmon:update,origRev=e9bf05c14376,bisect]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t] [jsbugmon:update,origRev=e9bf05c14376,bisect] → [js:t] [jsbugmon:update,origRev=e9bf05c14376,ignore]
|
|
Reporter | |
Comment 7•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e5af3d785252).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t] [jsbugmon:update,origRev=e9bf05c14376,ignore] → [js:t] [jsbugmon:origRev=e9bf05c14376,bisectfix]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t] [jsbugmon:origRev=e9bf05c14376,bisectfix] → [js:t] [jsbugmon:origRev=e9bf05c14376]
|
|
Reporter | |
Comment 8•12 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 106709:4225ee7e35a0 user: Brian Hackett date: Wed Aug 22 19:00:33 2012 -0600 summary: Allow compiling scripts off thread with Ion, bug 774253. r=dvander This iteration took 104.196 seconds to run.
|
|
Reporter | |
Comment 9•12 years ago
|
||
Brian, could you comment on the bisection in comment 8?
Flags: needinfo?(bhackett1024)
|
||
Comment 10•12 years ago
|
||
Hmm, I doubt that 4225ee7e35a0 fixed anything in JM, though it did touch a few parts of JM. A stack would be helpful for the original assert.
Flags: needinfo?(bhackett1024)
|
||
Comment 11•11 years ago
|
||
JM was removed, won't be fixed on branches unless it's causing top crashes or something.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•