Closed Bug 873660 Opened 11 years ago Closed 11 years ago

Assertion failure: (ptrBits & 0x7) == 0, at ../dist/include/js/Value.h with --ion-regalloc=backtracking

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox22 --- unaffected
firefox23 --- unaffected
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords)

Attachments

(1 file)

Attached file stack
(function () {
    eval("\
        'a'.replace(/a/, arguments.callee)\
    ")
})()

asserts js debug shell on m-c changeset 5c240ee646fb with --ion-eager --no-jm --ion-regalloc=backtracking at Assertion failure: (ptrBits & 0x7) == 0,

s-s because this assertion is scary.

Full configuration command with needed environment variables is:
CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe  --with-ccache

Not sure if --enable-threadsafe or --with-system-nspr is needed, I had removed some threadsafe-specific flags that were pointing to specific directories on my computer.
Flags: needinfo?(bhackett1024)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   129263:d12788533ab7
user:        Kannan Vijayan
date:        Thu Apr 18 16:47:25 2013 -0400
summary:     Bug 860145 - Allow Ion to compile functions which require heavyweight arguments-object construction. r=jandem r=nbp

OK, now I'm not sure what caused this.
Flags: needinfo?(kvijayan)
Marking sec-high because that assertion is often bad.

Gary, does this still reproduce?  Bug 860145 was relanded with some fixes, so maybe this has gone away.
Flags: needinfo?(gary)
Keywords: sec-high
> Gary, does this still reproduce?  Bug 860145 was relanded with some fixes,
> so maybe this has gone away.

I can still reproduce with m-c rev c21ef3664c67 (a recent tip).

--enable-more-deterministic and --enable-threadsafe are not needed.
Flags: needinfo?(gary)
An even more recent landing in bug 868206 may have fixed this.

Verifying with autoBisect now.
Flags: needinfo?(kvijayan)
Flags: needinfo?(bhackett1024)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   132599:3bfbd1ed214d
user:        Brian Hackett
date:        Tue May 21 21:40:44 2013 -0600
summary:     Bug 868206 - Various fixes for the backtracking register allocator, r=jandem.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: