Closed Bug 916752 Opened 11 years ago Closed 11 years ago

Assertion failure: outputType == MIRType_Value, at jit/Lowering.cpp:1961 with GC

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27
Tracking Flags:
Tracking Status
firefox26 --- affected

People

(Reporter: decoder, Assigned: h4writer)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

bug916752-asserts
1.81 KB, patch
jandem
: review+
Details | Diff | Splinter Review
[crash-signature] Machine-readable crash signature
702 bytes, text/plain
Details 
The following testcase asserts on mozilla-central revision dc909122bcf5 (run with --fuzzing-safe --ion-eager):


function test() { return "x,y,z"; };
function testClear() {
  test().split(',');
}
loadFile("1");
loadFile("testClear();");
loadFile("2");
loadFile("gc();");
loadFile("testClear();");
loadFile("new test(0);");
function loadFile(lfVarx) {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                case 2: new Function(lfVarx)(); break;
                default: evaluate(lfVarx); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
    }
}
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/a1bd3bb5a0ba
user:        Hannes Verschore
date:        Fri Sep 06 15:10:54 2013 +0200
summary:     Bug 909717: IonBuilder: Introduce typed typebarriers, r=jandem

This iteration took 1.370 seconds to run.
Flags: needinfo?(hv1989)
Assignee: general → hv1989
Flags: needinfo?(hv1989)
Interesting we didn't had a testcase exercising this path in the testsuite. This is again bogus asserts. When we are definitely bailing the type is changed to the input type (not to MIRType_Value).
Attachment #805881 - Flags: review?(jdemooij)
@decoder: This bug may get opened. Is not security sensitive.
Group: core-security
Attachment #805881 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/e21c1e60414f
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27

        Attachment #805267 -
        Attachment is obsolete: true

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: