Closed Bug 887772 Opened 8 years ago Closed 8 years ago

Assertion failure: numPredecessors() >= 2, at ion\MIRGraph.h:316

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 880377

People

(Reporter: cbook, Assigned: nmatsakis)

References

()

Details

(Keywords: assertion, sec-high, testcase)

Attachments

(2 files)

Attached file stack
Assertion failure: numPredecessors() >= 2, at c:\work\mozilla\builds\aurora\mozilla\js\src\ion\MIRGraph.h:316 found via bughunter and crashes on load (working on a testcase).

crashes on aurora and mc nightly debug builds on windows 7 

Stack is attached too
Attached file testcase
will also try to reduce it a little more
Keywords: testcase
Thanks! I will take a look next week :)
Assignee: general → jdemooij
Status: NEW → ASSIGNED
I'm going to assume violating IonMonkey CFG invariants is a bad thing until proven otherwise...
Keywords: sec-high
Thanks Tomcat, great testcase! Here's a script that asserts in the shell:

function do_tabmagic() {
    var tabmain = {};
    if (tabmain != undefined)
        var x = new Int32Array();
    if (x != undefined) {
        for (var j = 0; j < 1; j++){
            for (var i = 0; i < 10000; i++) {
            }
        }
    }
}
do_tabmagic();
Niko, this is an UCE problem. We end up with a loop header with one predecessor and this breaks some invariants.

We should probably not remove any predecessors of loop headers if we are not going to remove the loop header itself, but needinfo?-ing you since you're more familiar with UCE.
Assignee: jdemooij → nmatsakis
Flags: needinfo?(nmatsakis)
I believe this is a dup of bug 880377. I had started on a fix some time ago but never finished it. I wasn't able to find a satisfying way to express the nodes that should not be removed and it fell of my radar. Let me take another look at this.
Flags: needinfo?(nmatsakis)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 880377
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.