Closed Bug 870007 Opened 12 years ago Closed 12 years ago

Assertion failure: pn, at ion/AsmJS.cpp:1159 or Crash [@ ~ModuleCompiler]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox23 --- fixed
firefox24 --- verified

People

(Reporter: decoder, Assigned: bbouvier)

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 3 obsolete files)

[crash-signature] Machine-readable crash signature
945 bytes, text/plain
Details
Same fix with qref
1.27 KB, patch
bbouvier
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
The following testcase asserts on mozilla-central revision 41ff3b67b692 (run with --ion-eager): assertEq((function() { 'use asm'; function _main() { var $1=0, $2=0, $3=0, $4=0, $5=0, $6=0, $7=0, $8=0, $9=0, $10=0, label=0; switch (label | 0) { case 1: case (2147483647): } } return _main; })()(), 1);
Assignee: general → bbouvier
Attached patch proposed fix (obsolete) — Splinter Review
This crash would happen as in CheckSwitchRange, if the switch table is larger than 512Mb, fail would be called with stmt, which is NULL here (end condition of the for loop above).
Attachment #747037 - Flags: review?(luke)
Comment on attachment 747037 [details] [diff] [review] proposed fix Nice, thanks!
Attachment #747037 - Flags: review?(luke) → review+
Attached patch proposed fix compatible with tip (obsolete) — Splinter Review
Oops, forgot to pull tip before making the patch. This version is compatible with tip.
Attachment #747037 - Attachment is obsolete: true
Attachment #747014 - Attachment is obsolete: true
[Approval Request Comment] Bug caused by (feature/regressing bug #): 870007 User impact if declined: low. Risk to taking this patch (and alternatives if risky): no risk. Same patch file as the one reviewed by Luke.
Attachment #747098 - Attachment is obsolete: true
Attachment #754629 - Flags: review+
Attachment #754629 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/50d9e3c1574f
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Attachment #754629 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Running jsshell-win32 from a build before the fix with the testcase I got: "Assertion failure: pn, at e:/builds/moz2_slave/m-cen-w32-d-000000000000000000/bu ild/js/src/ion/AsmJS.cpp:1175" After the fix (FF 24b5): "test.js:6:7 warning: asm.js type error: all switch statements generate tables; t his table would be too big test.js:11:0 Error: Assertion failed: got (void 0), expected 1" Is it ok ?
Flags: needinfo?(choller)
Yes, this is likely correct :)
Flags: needinfo?(choller)
Thanks Christian. Verified based on comment 11
Status: RESOLVED → VERIFIED
status-firefox24: fixedverified
Off-topic: Why do I get on Linux "No such file or directory" error when trying to run ./js from jsshell-linux-i686.zip ?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: