Closed
Bug 942604
Opened 11 years ago
Closed 11 years ago
Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla28
People
(Reporter: gkw, Assigned: djvj)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 1 obsolete file)
4.54 KB,
text/plain
|
Details | |
1.47 KB,
patch
|
bbouvier
:
review+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
for (var j = 0; j < 999; ++j) { try { (function() { function f(x) { x = (new Float32Array)[i >> 2]; {}(w) = arguments[0] } return f })()(); } catch (e) {} } asserts js debug shell on m-c changeset 74ab61b8d0f0 without any CLI arguments at Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp My configure flags are: CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
Reporter | ||
Comment 1•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/2963a336e7ec user: Kannan Vijayan date: Mon Sep 30 10:24:30 2013 -0400 summary: Bug 921120 - Enable Ion-compilation of JSOP_SETARG for functions which use magic arguments. r=nbp Kannan, is bug 921120 a likely regressor?
Blocks: 921120
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 2•11 years ago
|
||
Yeah. MSetFrameArgument doesn't handle Float32 incomings. Taking bug.
Assignee: general → kvijayan
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 3•11 years ago
|
||
Fixes this by adding a ToDouble prior to to MSetFrameArgument if the incoming value is typed Float32.
Attachment #8338003 -
Flags: review?(benj)
Comment 4•11 years ago
|
||
Comment on attachment 8338003 [details] [diff] [review] bug-942604.patch Review of attachment 8338003 [details] [diff] [review]: ----------------------------------------------------------------- Good news! You can do simpler, just by making MSetFrameArgument a NoFloatPolicy for the value argument (see also MArrayPush for instance). Then you don't have to worry about adding yourself the ToDouble before the operation.
Attachment #8338003 -
Flags: review?(benj)
Assignee | ||
Comment 5•11 years ago
|
||
Fixed patch as per recommendation.
Attachment #8338003 -
Attachment is obsolete: true
Attachment #8338545 -
Flags: review?(benj)
Comment 6•11 years ago
|
||
Comment on attachment 8338545 [details] [diff] [review] Updated patch. Review of attachment 8338545 [details] [diff] [review]: ----------------------------------------------------------------- Cool, thanks!
Attachment #8338545 -
Flags: review?(benj) → review+
Assignee | ||
Comment 7•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce322969a746
https://hg.mozilla.org/mozilla-central/rev/ce322969a746
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment 9•11 years ago
|
||
Comment on attachment 8338545 [details] [diff] [review] Updated patch. decoder said he hits this one on beta and uplifting should be trivial. [Approval Request Comment] Bug caused by (feature/regressing bug #): 888109 User impact if declined: correctness issues Testing completed (on m-c, etc.): testing on m-i and m-c completed Risk to taking this patch (and alternatives if risky): very low, if not no risk at all String or IDL/UUID changes made by this patch: N/A
Attachment #8338545 -
Flags: approval-mozilla-beta?
Updated•11 years ago
|
Attachment #8338545 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•11 years ago
|
status-firefox27:
--- → affected
status-firefox28:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•