Closed
Bug 885976
Opened 11 years ago
Closed 11 years ago
OdinMonkey: Assertion failure: isInterpreter(), at vm/Stack.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | --- | fixed |
firefox25 | --- | verified |
People
(Reporter: gkw, Assigned: jandem)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 1 obsolete file)
7.62 KB,
text/plain
|
Details | |
1.54 KB,
patch
|
luke
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
x = {}
x.valueOf = (function(stdlib, foreign) {
"use asm"
var ff = foreign.ff
function f(y) {
y = +y;
ff(0)
}
return f
})(this, {
ff: Object.preventExtensions
});
+ x
asserts js debug shell on m-c changeset cea75ce9a559 without any CLI arguments at Assertion failure: isInterpreter(), at vm/Stack.h
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/f5eca934fa16
user: Jan de Mooij
date: Fri Jun 21 08:28:06 2013 +0200
summary: Bug 881902 - Remove ContextStack and StackSpace. r=luke,njn
This iteration took 286.692 seconds to run.
Reporter | ||
Comment 2•11 years ago
|
||
jandem, is bug 881902 a possible regressor?
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 3•11 years ago
|
||
When we enter Odin, we push an (inactive) JitActivation for FFI calls into Ion. Then we call a native (Object.preventExtensions) from asm.js, the native enters the decompiler and the inactive JitActivation confuses ScriptFrameIter::numFrameSlots.
This patch makes ScriptFrameIter::numFrameSlots a bit nicer/more robust.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #766276 -
Flags: review?(luke)
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 4•11 years ago
|
||
Attachment #766276 -
Attachment is obsolete: true
Attachment #766276 -
Flags: review?(luke)
Attachment #766279 -
Flags: review?(luke)
Updated•11 years ago
|
Attachment #766279 -
Flags: review?(luke) → review+
Assignee | ||
Comment 5•11 years ago
|
||
Assignee | ||
Updated•11 years ago
|
status-firefox23:
--- → unaffected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
tracking-firefox24:
--- → ?
tracking-firefox25:
--- → ?
Comment 6•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated•11 years ago
|
Assignee | ||
Comment 7•11 years ago
|
||
Comment on attachment 766279 [details] [diff] [review]
Patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 881902
User impact if declined: Crashes
Testing completed (on m-c, etc.): On m-c
Risk to taking this patch (and alternatives if risky): Very low
String or IDL/UUID changes made by this patch: None
Attachment #766279 -
Flags: approval-mozilla-aurora?
Comment 8•11 years ago
|
||
Low risk uplift, approving for uplift but no need to track, unless we have any crash--signatures to be associated with crash-stats.
Updated•11 years ago
|
Attachment #766279 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•11 years ago
|
tracking-firefox24:
? → ---
tracking-firefox25:
? → ---
Comment 9•11 years ago
|
||
Comment 10•11 years ago
|
||
Is it ok to test this with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-21-mozilla-central-debug/jsshell-mac64.zip ?
I get "./js testcase
warning: successfully compiled asm.js code (total compilation time 1ms)
testcase:13:0 TypeError: 0 is not an object", so cannot reproduce the initial problem.
Reporter | ||
Comment 11•11 years ago
|
||
Try the binary from 2013-06-22 or the day after. Or probably this needs a deterministic shell, but I didn't check (the downloaded binaries are not compiled with --enable-more-deterministic).
Comment 12•11 years ago
|
||
Thanks Gary.
Reproduced with 2013-06-22-mozilla-central-debug/jsshell-mac64.
Verified fixed FF 25 2013-10-06-mozilla-beta-debug, Mac OS X 10.8.4
Reporter | ||
Comment 13•11 years ago
|
||
Sure! In the future, you might want to check that the revision is at least rev cea75ce9a559 in this case, it is usually specified in the initial bug report.
e.g. http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-22-mozilla-central-debug/firefox-24.0a1.en-US.debug-mac64.txt
Comment 14•11 years ago
|
||
You're right, I was thinking the 2013-06-21 build has at least that revision (cause it was filed in that day), without checking.
But still don't know how is possible to file a bug today and to reproduce only on tomorrow's build.
Reporter | ||
Comment 15•11 years ago
|
||
> But still don't know how is possible to file a bug today and to reproduce
> only on tomorrow's build.
I probably updated and fuzzed the rev on the same day (after the nightly binary was produced), finding this bug in the same day, so this rev will only appear in the binary on the next day.
You need to log in
before you can comment on or make changes to this bug.
Description
•