Closed Bug 1135718 Opened 9 years ago Closed 9 years ago

Crash [@ lookup] or Crash [@ js::jit::DoSetPropFallback] or Assertion failure: addendumKind() == Addendum_UnboxedLayout, at vm/ObjectGroup.h:293 with --unboxed-objects

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox38 --- affected
firefox39 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Attachments

(1 file)

patch
1.43 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 86d2bb8bb1c9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --baseline-eager --unboxed-objects):

setJitCompilerOption("ion.warmup.trigger", 30);
function ArrayCallback(state)
  this.state = state;
ArrayCallback.prototype.isUpperCase = function(v, index, array) {
    return this.state ? true : (v == v.toUpperCase());
};
strings = ['hello', 'Array', 'WORLD'];
obj = new ArrayCallback(false);
strings.filter(obj.isUpperCase, obj)
obj = new ArrayCallback(true);
strings.filter(obj.isUpperCase, obj)
obj.__proto__ = {};



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
lookup (id=..., this=0x0) at js/src/vm/UnboxedObject.h:115
115	            return lookup(JSID_TO_ATOM(id));
#0  lookup (id=..., this=0x0) at js/src/vm/UnboxedObject.h:115
#1  TryAttachUnboxedSetPropStub (attached=<synthetic pointer>, rhs=..., obj=..., id=..., stub=0x17c00f0, script=..., cx=0x16c33e0) at js/src/jit/BaselineIC.cpp:8167
#2  js::jit::DoSetPropFallback (cx=0x16c33e0, frame=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:8330
#3  0x00007ffff4692a1a in ?? ()
[...]
#29 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x16c33e0	23868384
rcx	0x7ffff471c6e8	140737294485224
rdx	0x0	0
rsi	0x17346f0	24332016
rdi	0x7ffff4757910	140737294727440
rbp	0x17c00f0	24903920
rsp	0x7fffffffcc50	140737488342096
r8	0x1e0	480
r9	0x1f	31
r10	0x17c00f0	24903920
r11	0x7fffffffbb30	140737488337712
r12	0x16c33f8	23868408
r13	0x7fffffffcd60	140737488342368
r14	0x7fffffffcd40	140737488342336
r15	0x7fffffffd158	140737488343384
rip	0x6b09f6 <js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue)+4038>
=> 0x6b09f6 <js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue)+4038>:	mov    0x20(%rax),%rdi
   0x6b09fa <js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue)+4042>:	xor    %edx,%edx
Attached patch patchSplinter Review 
Mutable __proto__ strikes again.
Assignee: nobody → bhackett1024
Attachment #8568228 - Flags: review?(jdemooij)
Comment on attachment 8568228 [details] [diff] [review]
patch

Review of attachment 8568228 [details] [diff] [review]:
-----------------------------------------------------------------

Heh.
Attachment #8568228 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/bb29e84761a5
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox39: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: