Closed Bug 957004 Opened 10 years ago Closed 10 years ago

Assertion failure: !hasLazyType(), at vm/ObjectImpl.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox28 --- fixed
firefox29 --- fixed
firefox30 --- fixed
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed

People

(Reporter: gkw, Assigned: till)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
4.17 KB, text/plain
Details
Guard against object being lazily typed in IsPackedArray self-hosting intrinsic.
1.44 KB, patch
jandem
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file stack 
Array.prototype.push(0);
Array.prototype.indexOf()

asserts js debug shell on m-c changeset ce917d3dd7c8 with --no-baseline --no-ion at Assertion failure: !hasLazyType(), at vm/ObjectImpl.h

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/7b039ed2dbac
user:        Till Schneidereit
date:        Fri Nov 29 17:54:36 2013 +0100
summary:     Bug 911578 - Use self-hosting intrinsic isPackedArray to optimize loops in array extras. r=jandem

Till, is bug 911578 a likely regressor?
Flags: needinfo?(till)
And another bug I dragged my feet on way to long. :(

Jandem, this is *very* straight-foward. Biggest question is if it's ok to land the test, too. Should obviously land on Aurora at the same time as on m-c, so if you don't give me an r+ over the day, please request uplift and then set checkin-needed. Thanks and sorry!
Attachment #8383535 - Flags: review?(jdemooij)
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Attachment #8383535 - Flags: review?(jdemooij) → review+
Comment on attachment 8383535 [details] [diff] [review]
Guard against object being lazily typed in IsPackedArray self-hosting intrinsic.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 911578
User impact if declined: potentially increased crash rate
Testing completed (on m-c, etc.): manual testing and verification, just landed on m-i.
Risk to taking this patch (and alternatives if risky): extremely low, skips an optimization if it's invalid, by checking a flag.
String or IDL/UUID changes made by this patch: none
Attachment #8383535 - Flags: approval-mozilla-aurora?
Comment on attachment 8383535 [details] [diff] [review]
Guard against object being lazily typed in IsPackedArray self-hosting intrinsic.

[Approval Request Comment]
See explanation in Aurora request - I didn't see that this landed in the 28 time frame.
Attachment #8383535 - Flags: approval-mozilla-beta?
We are waiting for the landing of the patch in m-c to approve the uplifts.
status-firefox28: --- → affected
status-firefox29: --- → affected
status-firefox30: --- → affected
https://hg.mozilla.org/mozilla-central/rev/3f90a1832ac4
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Attachment #8383535 - Flags: approval-mozilla-beta?
Attachment #8383535 - Flags: approval-mozilla-beta+
Attachment #8383535 - Flags: approval-mozilla-aurora?
Attachment #8383535 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: