Closed
Bug 902744
Opened 12 years ago
Closed 12 years ago
Assertion failure: mir->type() != MIRType_Value, at ion/shared/Lowering-shared-inl.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
| Tracking | Status | |
|---|---|---|
| firefox23 | --- | disabled |
| firefox24 | --- | disabled |
| firefox25 | --- | disabled |
| firefox26 | + | fixed |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | disabled |
| b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: shu)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(1 file)
|
1.27 KB,
patch
|
nmatsakis
:
review+
|
Details | Diff | Splinter Review |
function f(code) {
try {
Function(code)()
} catch (e) {}
}
f("\
x = ArrayBuffer;\
Object.defineProperty(this, \"m\", {\
get: function() {\
y.scatter([0, 0], undefined, f1)\
}\
});\
y = new ParallelArray;\
z = y.shape;\
Array.prototype.push.call(z, x);\
f1 = (function() {\
y.scan(function() {})\
});\
Array.prototype.reverse.call(z);\
Object.defineProperty(z, 7, {\
get: f1,\
});\
Array.prototype.pop.call(z);\
");
f("\
Array.prototype.reverse.call(z);\
");
f("\
m;\
");
f("\
y = ParallelArray(6, function(){});\
m;\
m;\
")
asserts js debug 32-bit threadsafe shell on m-c changeset 79b5c74ef97b with --baseline-eager at Assertion failure: mir->type() != MIRType_Value, at ion/shared/Lowering-shared-inl.h
Tested on Windows 7. The patch in bug 901391 does not fix this problem. s-s because that bug seems s-s. Will try running autoBisect.
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 1•12 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
Assignee | |
Comment 2•12 years ago
|
||
Unrelated to bug 901391. This is a longer standing bug due to incorrect inlining of the NewDenseArray intrinsic.
Assignee: general → shu
Attachment #787294 -
Flags: review?
|
|
Assignee | |
Comment 3•12 years ago
|
||
I can't r? :nmatsakis on the patch, bugzilla complains about incorrect user groups.
decoder, what's up with that?
|
Reporter | |
Comment 4•12 years ago
|
||
Niko needs to be cc'ed first as he does not have access to s-s bugs by default.
|
|
Reporter | |
Updated•12 years ago
|
Attachment #787294 -
Flags: review? → review?(nmatsakis)
|
|
Assignee | |
Comment 5•12 years ago
|
||
But it used to auto cc the reviewer, no?
|
|
Reporter | |
Comment 6•12 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #5)
> But it used to auto cc the reviewer, no?
The auto-cc only works if he has permissions to view the bug (prior to being cc'ed), in this case, the security bugs.
|
|
Reporter | |
Comment 7•12 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/ed26fdbe8444
user: Shu-yu Guo
date: Sat May 04 20:53:21 2013 -0700
summary: Bug 646597 - Make functions made by the Function constructor compile-and-go. Most of patch was originally written by jorendorff. (r=luke)
Blocks: 646597
|
|
Reporter | |
Comment 8•12 years ago
|
||
Assuming bug 646597 is the correct regressor, this means this bug goes back to Firefox 23.
status-firefox23:
--- → affected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
status-firefox26:
--- → affected
tracking-firefox24:
--- → ?
tracking-firefox25:
--- → ?
tracking-firefox26:
--- → ?
|
|
Assignee | |
Comment 9•12 years ago
|
||
That's not really the regressor. this probably has been around since we landed self hosted parallel arrays
|
|
Reporter | |
Comment 10•12 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #9)
> That's not really the regressor. this probably has been around since we
> landed self hosted parallel arrays
Probably bug 829602 then? Which means it goes back to Firefox 22.
|
|
Assignee | |
Comment 11•12 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #10)
> (In reply to Shu-yu Guo [:shu] from comment #9)
> > That's not really the regressor. this probably has been around since we
> > landed self hosted parallel arrays
>
> Probably bug 829602 then? Which means it goes back to Firefox 22.
Code was added in 807853 but had no way to be triggered until 829602.
|
|
Assignee | |
Comment 12•12 years ago
|
||
Keep in mind that while it goes back to FF22, ParallelArray is *ifdef'd out* on everything but Nightly, so that code has no way to be triggered afaik outside of Nightly.
|
||
Updated•12 years ago
|
Attachment #787294 -
Flags: review?(nmatsakis) → review+
|
|
Reporter | |
Comment 13•12 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #12)
> Keep in mind that while it goes back to FF22, ParallelArray is *ifdef'd out*
> on everything but Nightly, so that code has no way to be triggered afaik
> outside of Nightly.
Adjusting flags as follows.
|
||
Updated•12 years ago
|
tracking-firefox24:
? → ---
tracking-firefox25:
? → ---
|
||
Comment 14•12 years ago
|
||
might be worth also a testcase or ? :)
fixed in mozilla-central
https://hg.mozilla.org/mozilla-central/rev/928f0878d1cd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
|
|
||
Updated•12 years ago
|
Flags: in-testsuite?
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → disabled
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•