Closed
Bug 932284
Opened 12 years ago
Closed 11 years ago
Assertion failure: IsBaselineEnabled(cx), at jit/Bailouts.cpp:77
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla35
| Tracking | Status | |
|---|---|---|
| firefox27 | --- | affected |
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])
Attachments
(2 files, 2 obsolete files)
|
637 bytes,
text/plain
|
Details | |
|
3.37 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 518f5bff0ae4 (run with --ion-eager):
function foo() {
var func = []
for (var n = 0; n < 2; ++n) {
setJitCompilerOption("baseline.enable", n);
func[n]();
}
} foo();
|
Reporter | |
Comment 1•12 years ago
|
||
|
Assignee | |
Comment 2•12 years ago
|
||
Yeah we shouldn't allow disabling the Baseline JIT while there's JIT code on the stack I think.
Flags: needinfo?(nicolas.b.pierron)
|
||
Comment 3•12 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #2)
> Yeah we shouldn't allow disabling the Baseline JIT while there's JIT code on
> the stack I think.
This problem will also appear if somebody flip the flag in about:config.
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Comment 4•12 years ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #3)
> (In reply to Jan de Mooij [:jandem] from comment #2)
> > Yeah we shouldn't allow disabling the Baseline JIT while there's JIT code on
> > the stack I think.
>
> This problem will also appear if somebody flip the flag in about:config.
Also, note that being able to flip baseline on/off will give the ability to fuzz more. Especially doing even more differential testing.
|
||
Comment 5•12 years ago
|
||
Yeah, I want to be able to control future compilation for differential testing. I don't care whether already-running code stays in baseline.
|
|
Reporter | |
Comment 6•12 years ago
|
||
Attachment #823996 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 7•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2c85e4d1d678).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 8•12 years ago
|
||
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/636620b3af0a
user: Brian Hackett
date: Tue Oct 29 16:10:59 2013 -0600
summary: Bug 930048 - Remove need to read objects directly when optimizing singleton accesses, r=jandem.
This iteration took 381.486 seconds to run.
|
|
Reporter | |
Comment 9•12 years ago
|
||
Attachment #827705 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•12 years ago
|
status-firefox27:
--- → affected
|
||
Updated•11 years ago
|
Assignee: general → nobody
|
|
Reporter | |
Comment 10•11 years ago
|
||
This bug still reproduces for me all the time. Example testcase:
try {
for (var n = 0; n < 4; ++n) {
setJitCompilerOption("baseline.enable", n & 1);
func[n]();
}
} catch(exc0) {}
const root = newGlobal();
root.eval("this.dbg = new Debugger()");
root.dbg.addDebuggee(this);
Or this one on the ARM simulator:
var method_A = function() {}
var method_B = function() {}
var method_C = function() {}
var method_D = function() {}
var func = [method_A, method_B, method_C, method_D]
for (var n = 0; 16 ; ++n) {
setJitCompilerOption("baseline.enable", n & 1);
func[n]();
}
All involving setJitCompilerOption.
Jan, could you maybe figure out who's the right person to ask about this? This is probably a shell-only/debug-only fix, but it would lower the crash rates I'm seeing in the fuzzer.
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 11•11 years ago
|
||
Throw an exception when we try to disable the JITs with JIT code on the stack.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8487818 -
Flags: review?(nicolas.b.pierron)
Flags: needinfo?(jdemooij)
|
|
||
Comment 12•11 years ago
|
||
Comment on attachment 8487818 [details] [diff] [review]
Patch
Review of attachment 8487818 [details] [diff] [review]:
-----------------------------------------------------------------
This patch sounds fine for fuzzers, but what is the fate of:
http://dxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCJSRuntime.cpp#1497
for example if what would happen if a user change the preference under an interruption callback?
Maybe we could have a mode for the jsapi function which fails silently.
Attachment #8487818 -
Flags: review?(nicolas.b.pierron) → review+
|
|
Assignee | |
Comment 13•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a5caeacb3411
(In reply to Nicolas B. Pierron [:nbp] from comment #12)
> for example if what would happen if a user change the preference under an
> interruption callback?
> Maybe we could have a mode for the jsapi function which fails silently.
Only devs or power users toggle the prefs and it hasn't been a problem so far; I think it's fine to leave this for now.
|
||
Comment 14•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in
before you can comment on or make changes to this bug.
Description
•