Closed Bug 894782 Opened 11 years ago Closed 11 years ago

Assertion failure: found, at ion/CodeGenerator.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla25

People

(Reporter: gkw, Assigned: shu)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

Attachments

(2 files)

Attached file stack
print(ParallelArray())
String(Object.create(ParallelArray(8077, function() {})))

asserts js debug shell on m-c changeset 582ffcd0459a with --baseline-eager at Assertion failure: found, at ion/CodeGenerator.cpp
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/0960402d8145
user:        Jan de Mooij
date:        Tue Jul 16 21:34:02 2013 +0200
summary:     Bug 852421 - Remove MarkTypeObjectUnknownProperties call from Object.create. r=bhackett
Blocks: 852421
Gary, do you also have tests without ParallelArray in it? I think this is a pre-existing ParallelArray TI issue.
Flags: needinfo?(gary)
Attached patch fixSplinter Review
Summary of discussion over IRC:

This is a bug in the poly inline dispatch in how callsite clones are dealt with. Callsite clones are supposed to be a "just-in-time" replacement, with the original function being used for everything user visible (like guarding against) until we need to enter the function, when the clone is swapped in.

The entries in InlinePropertyTable only seem to be used for comparisons for guarding against the set of functions to be inlined. So we should be using the originals, but currently we are using the clones.

This only manifests with ParallelArrays because nothing else uses callsite cloning to get extra precision yet.
Assignee: general → shu
Attachment #777040 - Flags: review?(jdemooij)
Flags: needinfo?(gary)
Comment on attachment 777040 [details] [diff] [review]
fix

Review of attachment 777040 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing this so quickly.

Please also add the testcase, r=me with that.
Attachment #777040 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/0bf0cbaabe6f
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: