Closed Bug 1006065 Opened 5 years ago Closed 5 years ago

Assertion failure: obj->is<ArrayObject>() loading a washingtonpost.com blog

Categories

(Core :: JavaScript Engine: JIT, defect)

Tracking


RESOLVED FIXED
mozilla32
Tracking Status
firefox29 --- unaffected
firefox30 --- affected
firefox31 --- fixed
firefox32 --- fixed

People

(Reporter: dbaron, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion)

Attachments

(2 files)

I just crashed while loading
http://www.washingtonpost.com/blogs/the-fix/wp/2014/05/05/martin-omalley-did-a-reddit-ama-it-didnt-go-very-well/
in a debug build on 64-bit Linux.

Running a build with SourceStamp=d9e2937142c7, which actually means I was
running mozilla-central revision cfde3603b020 plus my patch queue as of
its revision 0ede7103166b pushed up to the patch named ae2b85aaa9f3.

It crashed with the following assertion failure:
Assertion failure: obj->is<ArrayObject>(), at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jit/VMFunctions.cpp:368
Component: JavaScript Engine → JavaScript Engine: JIT
Yeah, this assert is bogus. When Ion optimizes splice calls, it doesn't check that the object is an array at compile time (and it doesn't have to), so at runtime we can get non-array objects.

A bit surprising the fuzzers didn't find this too. Here's a simple shell testcase:

function f() {
    var o = {splice: [].splice};
    for (var i=0; i<2000; i++) {
        o.splice(0, 1);
    }
}
f();
Flags: needinfo?(jdemooij)
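
Why the assertion cannot hold, as an added example that is not part of the bug report or the patch: `Array.prototype.splice` is generic in JavaScript, so a call site like the one in the testcase can legally receive plain or array-like objects at runtime. The function names are hypothetical and the sample objects are constructed.

```javascript
// Added example: Array.prototype.splice is generic, so any object may be the
// receiver. All function names and sample objects here are constructed.

// Same shape as the testcase above: a plain object that borrows splice.
function spliceOnPlainObject(iterations) {
  const o = { splice: [].splice };
  let removed = null;
  for (let i = 0; i < iterations; i++) {
    removed = o.splice(0, 1); // receiver is an ordinary object every time
  }
  // With no `length`, splice treats the object as empty and then writes
  // length = 0 back onto it; the result is still a real Array.
  return { removed, length: o.length, receiverIsArray: Array.isArray(o) };
}

// An array-like receiver: elements are shifted down and `length` is updated.
function spliceOnArrayLike() {
  const o = { 0: "a", 1: "b", 2: "c", length: 3, splice: [].splice };
  const removed = o.splice(0, 1);
  return { removed, length: o.length, first: o[0], hasIndex2: 2 in o };
}

// One call site that sees arrays and non-arrays alternately, the situation a
// runtime helper behind an optimized splice call has to tolerate.
function removeFirst(receiver) {
  return Array.prototype.splice.call(receiver, 0, 1);
}

function mixedReceivers(iterations) {
  let arrayHits = 0;
  let otherHits = 0;
  for (let i = 0; i < iterations; i++) {
    const receiver = i % 2 ? [i, i + 1] : { 0: i, length: 1 };
    const removed = removeFirst(receiver);
    if (removed.length !== 1 || removed[0] !== i) {
      throw new Error("unexpected splice result at iteration " + i);
    }
    if (Array.isArray(receiver)) arrayHits++;
    else otherHits++;
  }
  return { arrayHits, otherHits };
}

console.log(spliceOnPlainObject(2000), spliceOnArrayLike(), mixedReceivers(2000));
```
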
Attached patch: Patch
Removes the assert and adds a testcase, since apparently our tests don't cover this.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8417984 - Flags: review?(hv1989)
Flags: needinfo?(jdemooij)
OS: Linux → All
Hardware: x86_64 → All
Comment on attachment 8417984
Patch

Review of attachment 8417984:
-----------------------------------------------------------------

Yeah indeed a bogus assert.
Attachment #8417984 - Flags: review?(hv1989) → review+
Also, a different site is http://docs.openstack.org/havana/install-guide/install/apt-debian/content/ - ran into it with bughunter
Blocks: 532972
Comment on attachment 8417984
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 939115.
User impact if declined: Bogus assert in debug builds.
Testing completed (on m-c, etc.): On m-i.
Risk to taking this patch (and alternatives if risky): None; just removes a (debug-only) assert so makes no difference for release builds.
String or IDL/UUID changes made by this patch: None.
Attachment #8417984 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/83d8155eba84
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Attachment #8417984 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+