Closed
Bug 1234164
Opened 10 years ago
Closed 10 years ago
Assertion failure: stub->monitorsThis() || *GetNextPc(pc) == JSOP_CHECKTHIS || *GetNextPc(pc) == JSOP_CHECKRETURN, at js/src/jit/SharedIC.cpp:4737
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(1 file, 1 obsolete file)
|
6.27 KB,
patch
|
efaust
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 388bdc46ba51 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-inlining=off):
// Adapted from randomly chosen test: js/src/jit-test/tests/baseline/bug1182866.js");
with(7) {
function f() {
if (i == 15) {
g();
}
const x = 42;
function g() {
return x;
}
return g;
}
}
for (var i = 0; i < 99; i++) {
f()();
}
Backtrace:
0 js-dbg-64-dm-darwin-388bdc46ba51 0x00000001003dbc1c js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 1980 (SharedIC.cpp:4735)
1 ??? 0x0000000101dbbea7 0 + 4326145703
|
Reporter | |
Comment 1•10 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a9a7f16c817b
user: Eric Faust
date: Thu Oct 30 17:27:03 2014 -0700
summary: Bug 611388 - |const| should be block scoped and require an initializer. (r=shu)
Eric, is bug 611388 a likely regressor? Or did bug 1182866 not fix this issue?
Blocks: 611388
Flags: needinfo?(efaustbmo)
|
||
Comment 2•10 years ago
|
||
Shu, looks like this is JS_UNINITIALIZED_LEXICAL leaking to script from non-class related lexical nonsense. Mind taking a look?
Flags: needinfo?(efaustbmo) → needinfo?(shu)
|
||
Comment 3•10 years ago
|
||
This is the Ion analogue to bug 1182866.
Not committing the test case because it is the same as bug 1182866's, but I
guess didn't fail because it requires this --ion-inlining=off flag.
Attachment #8701228 -
Flags: review?(efaustbmo)
|
|
||
Comment 4•10 years ago
|
||
Oops, tightened the multipleFailureJumps condition a bit.
|
|
||
Updated•10 years ago
|
Attachment #8701228 -
Attachment is obsolete: true
Flags: needinfo?(shu)
Attachment #8701228 -
Flags: review?(efaustbmo)
|
|
||
Updated•10 years ago
|
Attachment #8701229 -
Flags: review?(efaustbmo)
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 5•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(In reply to Fuzzing Team from comment #5)
> JSBugMon: Cannot process bug: Unable to automatically reproduce, please
> track manually.
(In reply to Shu-yu Guo [:shu] from comment #4)
> Created attachment 8701229 [details] [diff] [review]
> Fix Ion GETNAME stubs to check for uninitialized lexicals.
>
> Oops, tightened the multipleFailureJumps condition a bit.
|
|
||
Comment 7•10 years ago
|
||
Comment on attachment 8701229 [details] [diff] [review]
Fix Ion GETNAME stubs to check for uninitialized lexicals.
Review of attachment 8701229 [details] [diff] [review]:
-----------------------------------------------------------------
wfm.
Attachment #8701229 -
Flags: review?(efaustbmo) → review+
|
||
Comment 10•10 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•