Closed Bug 1203789 Opened 9 years ago Closed 9 years ago

Assertion failure: isString(), at dist/include/js/Value.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1204722
Tracking Flags:
Tracking Status
firefox43 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

stack
8.10 KB, text/plain
Details 
for (var y of [,,,,,,,,,,,,,,,,,,,,[]]) {
    // Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug848733.js
    eval("var x = [0]; x[0] = '';");
}

asserts js debug shell on m-c changeset 7671701d15ca with --fuzzing-safe --no-threads --no-baseline --no-ion --unboxed-arrays at Assertion failure: isString(), at dist/include/js/Value.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7671701d15ca
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3a994e364343
user:        Brian Hackett
date:        Sat Jun 13 07:54:06 2015 -0700
summary:     Bug 1172943 - Use unboxed arrays for JSON and script literal arrays, r=jandem.

Brian, is bug 1172943 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x283d7b, 0x00000001003a5694 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::SetUnboxedValueNoTypeChange(JSObject*, unsigned char*, JSValueType, JS::Value const&, bool) + 52 at Value.h:1227, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003a5694 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::SetUnboxedValueNoTypeChange(JSObject*, unsigned char*, JSValueType, JS::Value const&, bool) + 52 at Value.h:1227
    frame #1: 0x00000001003a5660 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::SetUnboxedValueNoTypeChange(unboxedObject=<unavailable>, p=<unavailable>, type=<unavailable>, v=<unavailable>, preBarrier=<unavailable>) + 560 at UnboxedObject-inl.h:68
    frame #2: 0x00000001003d8a31 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult SetOrExtendBoxedOrUnboxedDenseElementsFunctor::operator()<(JSValueType)5>() + 353 at UnboxedObject-inl.h:518
    frame #3: 0x00000001003d88d0 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult SetOrExtendBoxedOrUnboxedDenseElementsFunctor::operator(this=<unavailable>)<(JSValueType)5>() + 112 at UnboxedObject.cpp:2086
    frame #4: 0x00000001003ca5cd js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult js::CallBoxedOrUnboxedSpecialization<SetOrExtendBoxedOrUnboxedDenseElementsFunctor>(f=SetOrExtendBoxedOrUnboxedDenseElementsFunctor at 0x00007fff5fbfbf90, obj=<unavailable>) + 173 at UnboxedObject-inl.h:650
(lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: