Closed Bug 905989 Opened 7 years ago Closed 7 years ago

Assertion failure: target->isInterpretedConstructor(), at jit/IonBuilder.cpp:5274

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla26

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

The following testcase asserts on mozilla-central revision 1ed5a88cd4d0 (threadsafe build, run with --fuzzing-safe --ion-eager):


function TestCase(n, d, e, a) {};
function reportCompare() {
  new TestCase();
}
reportCompare();
TestCase = ParallelArray;
try {
  reportCompare();
} catch(exc1) {}
reportCompare();
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ba172ee1f140
parent:      142714:31c08ca022b3
user:        Jan de Mooij
date:        Thu Aug 15 09:36:02 2013 +0200
summary:     Bug 892787 - Fix the JITs to not optimize constructor calls if the callee is not a constructor. r=h4writer

This iteration took 187.631 seconds to run.
Needinfo from Jan based on comment 2.
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review
I forgot to add || target->isNativeConstructor() to the check in IonBuilder::makeCall.

I also moved the constructor check to getPolyCallTargets. The sooner we check for non-constructors the better.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #791272 - Flags: review?(hv1989)
Flags: needinfo?(jdemooij)
Another testcase that crashes the following js shell:

https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1376692276/jsshell-mac64.zip


s = newGlobal()
function f(code) {
    try {
      evalcx(code, s);
    } catch(e) {
    }
  };
f("\
   \"use strict\";\
   Object.defineProperty(this,\"t1\",{\
        get:function(){\
            p = new ParallelArray()\
        }\
    });\
    t1.s();\
    function x(){\
        0[\"\"] = t1\
    }\
");
f("\
   a1 = x;\
   ParallelArray = a1;\
   schedulegc(7);\
   Object.y(t1, {})\
");
f("t1.y()")
Comment on attachment 791272 [details] [diff] [review]
Patch

Review of attachment 791272 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch! Sorry, I didn't think about this case during last review.
Attachment #791272 - Flags: review?(hv1989) → review+
Attachment #791239 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/2872a52eb8a8
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in before you can comment on or make changes to this bug.