Closed Bug 942604 Opened 12 years ago Closed 12 years ago

Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox27 --- fixed
firefox28 --- fixed

People

(Reporter: gkw, Assigned: djvj)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

stack
4.54 KB, text/plain
Details
Updated patch.
1.47 KB, patch
bbouvier
: review+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file stack
for (var j = 0; j < 999; ++j) { try { (function() { function f(x) { x = (new Float32Array)[i >> 2]; {}(w) = arguments[0] } return f })()(); } catch (e) {} } asserts js debug shell on m-c changeset 74ab61b8d0f0 without any CLI arguments at Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp My configure flags are: CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/2963a336e7ec user: Kannan Vijayan date: Mon Sep 30 10:24:30 2013 -0400 summary: Bug 921120 - Enable Ion-compilation of JSOP_SETARG for functions which use magic arguments. r=nbp Kannan, is bug 921120 a likely regressor?
Blocks: 921120
Flags: needinfo?(kvijayan)
Yeah. MSetFrameArgument doesn't handle Float32 incomings. Taking bug.
Assignee: general → kvijayan
Flags: needinfo?(kvijayan)
Attached patch bug-942604.patch (obsolete) — Splinter Review
Fixes this by adding a ToDouble prior to to MSetFrameArgument if the incoming value is typed Float32.
Attachment #8338003 - Flags: review?(benj)
Comment on attachment 8338003 [details] [diff] [review] bug-942604.patch Review of attachment 8338003 [details] [diff] [review]: ----------------------------------------------------------------- Good news! You can do simpler, just by making MSetFrameArgument a NoFloatPolicy for the value argument (see also MArrayPush for instance). Then you don't have to worry about adding yourself the ToDouble before the operation.
Attachment #8338003 - Flags: review?(benj)
Attached patch Updated patch.Splinter Review
Fixed patch as per recommendation.
Attachment #8338003 - Attachment is obsolete: true
Attachment #8338545 - Flags: review?(benj)
Comment on attachment 8338545 [details] [diff] [review] Updated patch. Review of attachment 8338545 [details] [diff] [review]: ----------------------------------------------------------------- Cool, thanks!
Attachment #8338545 - Flags: review?(benj) → review+
https://hg.mozilla.org/mozilla-central/rev/ce322969a746
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment on attachment 8338545 [details] [diff] [review] Updated patch. decoder said he hits this one on beta and uplifting should be trivial. [Approval Request Comment] Bug caused by (feature/regressing bug #): 888109 User impact if declined: correctness issues Testing completed (on m-c, etc.): testing on m-i and m-c completed Risk to taking this patch (and alternatives if risky): very low, if not no risk at all String or IDL/UUID changes made by this patch: N/A
Attachment #8338545 - Flags: approval-mozilla-beta?
Attachment #8338545 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: