Closed
Bug 845325
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: !types->unknown(), at ion/IonMacroAssembler.cpp:55 or Crash on Heap
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:][adv-main22-])
The following testcase asserts on mozilla-central revision aaefec5d34f8 (run with --ion-eager):
var callStack = new Array();
function TestCase(n, d, e, a)
this.passed = getTestCaseResult(e, a);
function reportCompare (expected, actual, description) {
var testcase = new TestCase("unknown-test-name", description, expected, actual);
}
function enterFunc (funcName)
callStack.push(funcName);
function exitFunc (funcName) {
var lastFunc = callStack.pop();
reportCompare(funcName, lastFunc, "Test driver failure wrong exit function ");
}
function getTestCaseResult(expected, actual) {
return actual == expected;
}
enterFunc ('test');
exitFunc ('test');
Array.prototype.__defineSetter__(32, function() {});
exitFunc ('test');
|
Reporter | |
Comment 1•12 years ago
|
||
Crash looks pretty harmless, but in jitted code, so I can't tell what's going on:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fedcaf in ?? ()
(gdb) bt
#0 0x00007ffff7fedcaf in ?? ()
#1 0xfffbfffff6039b20 in ?? ()
#2 0x00007ffff6123d80 in ?? ()
#3 0x00007ffff7fe8792 in ?? ()
#4 0x0000000000000141 in ?? ()
#5 0x00007ffff6037e40 in ?? ()
#6 0x0000000000000001 in ?? ()
#7 0xfff9000000000000 in ?? ()
#8 0xfffafffff6123d80 in ?? ()
#9 0x0000000000b75c20 in ?? ()
#10 0x00007fffffffd0a0 in ?? ()
#11 0x00007ffff62f20a8 in ?? ()
#12 0x000000000000ffff in ?? ()
#13 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7fedcaf: mov (%rdx),%rbp
(gdb) info reg rdx
rdx 0x0 0
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: 122584:b831500ca4be
user: David Anderson
date: Thu Feb 21 13:52:09 2013 -0800
summary: Prevent GC from occuring during IC linking (bug 837714, r=bhackett).
changeset: 122585:437c955ff06d
user: Nicolas B. Pierron
date: Wed Jan 30 07:41:01 2013 -0800
summary: Bug 796114 - Inline with type-checked arguments. r=h4writer
changeset: 122586:5054f997ef77
user: Gregory Szorc
date: Thu Feb 21 14:11:54 2013 -0800
summary: Bug 841074 - Statically declare fields on FHR measurements; r=rnewman
changeset: 122587:6c126d076b0d
user: Phil Ringnalda
date: Thu Feb 21 14:26:04 2013 -0800
summary: Back out b831500ca4be (bug 837714) for bustage
This iteration took 11.835 seconds to run.
|
|
Reporter | |
Comment 3•12 years ago
|
||
Bisect isn't exact but I assume it's "Bug 796114 - Inline with type-checked arguments."?
|
||
Comment 4•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #3)
> Bisect isn't exact but I assume it's "Bug 796114 - Inline with type-checked
> arguments."?
Yes this is likely a case where the excluded type case is not handled by our generic guarding system.
|
||
Comment 5•12 years ago
|
||
fyi,crash automation hit this assert on windows Nightly/22 at http://med.over.net/forum5/read.php?151%2C8505611
|
||
Updated•12 years ago
|
|
|
||
Comment 6•12 years ago
|
||
CC jandem, as he is investigating a similar issue on delta blue.
status-firefox21:
unaffected → ---
status-firefox22:
affected → ---
|
|
||
Updated•12 years ago
|
status-firefox21:
--- → unaffected
status-firefox22:
--- → affected
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 7•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision eccf45749400).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 8•12 years ago
|
||
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 124004:1250c1464755
user: Jan de Mooij
date: Wed Mar 06 19:13:05 2013 +0100
summary: Bug 847045 - Avoid frequent ExcludeType bailouts. r=nbp
This iteration took 113.431 seconds to run.
|
|
Reporter | |
Comment 9•12 years ago
|
||
Jan, is the fix in comment 8 likely the right one?
Flags: needinfo?(jdemooij)
|
||
Comment 10•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #9)
> Jan, is the fix in comment 8 likely the right one?
Yes that should have fixed this one.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
|
|
Reporter | |
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 11•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main22-]
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•