Closed Bug 969778 Opened 10 years ago Closed 10 years ago

Crash [@ js::jit::LiveInterval::addRangeAtHead] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox28 --- unaffected
firefox29 --- fixed
firefox30 --- fixed
firefox-esr24 --- unaffected
b2g-v1.3 --- unaffected

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(5 keywords, Whiteboard: [jsbugmon:origRev=6c899a1064f3])

Crash Data

Attachments

(1 file)

debug and opt stacks
7.85 KB, text/plain
Details
Attached file debug and opt stacks 
for (var aa = 0; aa < 999999; aa++) {
    try {
        Function("\
            (function() {})([NaN, , 0])\
        ")()
    } catch (e) {};
}


crashes js opt shell on m-c changeset cafe909f7e07 with --ion-eager at js::jit::LiveInterval::addRangeAtHead and asserts js debug shell at Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp

My configure flags are: (opt)

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

Debug:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/dbeea0e93b56
user:        Brian Hackett
date:        Mon Dec 16 10:53:02 2013 -0800
summary:     Bug 785905 - Build Ion MIR graph off thread, r=jandem.

Brian, is bug 785905 a likely regressor?
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to compile specified revision cafe909f7e07 (maybe try another?)
(In reply to Christian Holler (:decoder) from comment #1)
> JSBugMon: Cannot process bug: Error: Failed to compile specified revision
> cafe909f7e07 (maybe try another?)

Retry with a later revision that fixed non-threadsafe build compilation issues.
Whiteboard: [jsbugmon:] → [jsbugmon:update,origRev=6c899a1064f3]
Whiteboard: [jsbugmon:update,origRev=6c899a1064f3] → [jsbugmon:origRev=6c899a1064f3]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Keywords: sec-high
Bug 785905 has been backed out and I can't reproduce this.
Flags: needinfo?(bhackett1024)
Yes, this is likely fixed by the backout, which has also landed in Aurora.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/8c521a802625
parent:      168757:9e7cf0b1d80c
user:        Jan de Mooij
date:        Fri Feb 14 13:17:53 2014 +0100
summary:     Backout bug 785905, off-thread IonBuilder. r=jorendorff
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox29: affectedfixed
status-firefox30: affectedfixed
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Assignee: nobody → bhackett1024
status-firefox28: --- → unaffected
Target Milestone: --- → mozilla30
Group: core-security
You need to log in before you can comment on or make changes to this bug.