Closed Bug 893732 Opened 11 years ago Closed 11 years ago

Assertion failure: a.isGeneralReg(), at ../ion/shared/CodeGenerator-shared-inl.h:31

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla25

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

[crash-signature] Machine-readable crash signature 11 years ago Christian Holler (:decoder) 797 bytes, text/plain		Details
patch 11 years ago Brian Hackett [Laid off!] 3.17 KB, patch	jandem : review+	Details \| Diff \| Splinter Review

Christian Holler (:decoder)

Reporter

Description

•

11 years ago

The following testcase asserts on mozilla-central revision 18467a85acf6 (run with --fuzzing-safe --ion-eager):


var arr = new Int8Array(100);
function f(a) {
  for(var i=0; i<30; i++) {
    x = a[85.3];
  }
}
f(arr);

Christian Holler (:decoder)

Reporter

Comment 1

•

11 years ago

Attached file [crash-signature] Machine-readable crash signature — Details

Christian Holler (:decoder)

Reporter

Updated

•

11 years ago

Whiteboard: [jsbugmon:update,bisect]

Christian Holler (:decoder)

Reporter

Updated

•

11 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Christian Holler (:decoder)

Reporter

Comment 2

•

11 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/0670cdaf7e9c
user:        Brian Hackett
date:        Thu Jul 11 15:08:26 2013 -0600
summary:     Bug 891400 - Improve pattern matching on static typed array accesses, r=jandem.

This iteration took 0.973 seconds to run.

Christian Holler (:decoder)

Reporter

Comment 3

•

11 years ago

Needinfo from Brian based on comment 2 :)

Flags: needinfo?(bhackett1024)

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Updated

•

11 years ago

Blocks: 891400

Keywords: regression

Brian Hackett [Laid off!]

Assignee

Comment 6

•

11 years ago

Attached patch patch — Details — Splinter Review

convertShiftToMaskForStaticTypedArray can now produce non-int32 indexes, and there was no type policy in place to ensure these were converted to integers.

Assignee: general → bhackett1024

Attachment #777846 - Flags: review?(jdemooij)

Flags: needinfo?(bhackett1024)

Jan de Mooij [:jandem]

Updated

•

11 years ago

Attachment #777846 - Flags: review?(jdemooij) → review+

Brian Hackett [Laid off!]

Assignee

Comment 7

•

11 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/d7af6a55966c

Ryan VanderMeulen [:RyanVM]

Comment 8

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/d7af6a55966c

Status: NEW → RESOLVED

Closed: 11 years ago

Flags: in-testsuite+

Resolution: --- → FIXED

Target Milestone: --- → mozilla25

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: a.isGeneralReg(), at ../ion/shared/CodeGenerator-shared-inl.h:31

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Updated

Updated

Comment 2

Comment 3

Updated

Comment 6

Updated

Comment 7

Comment 8

Attachment

General

Description

File Name

Content Type