Closed Bug 1034383 Opened 11 years ago Closed 11 years ago

Assertion failure: hasScript(), at jsfun.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox30 --- unaffected
firefox31 --- fixed
firefox32 --- fixed
firefox33 --- fixed
firefox-esr24 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [adv-main31+] fixed by bug 1013056)

Attachments

(1 file)

stack
1.95 KB, text/plain
Details
Attached file stack
x = []; Object.defineProperty(x, 8, { get: (function(j) {}) }); Object.defineProperty(this, "y", { get: function() { return x.filterPar(function() {}); } }); for (var a = 0; a < 99; a++) { Array.prototype.shift.call(y); } asserts js debug shell on m-c changeset 613bc15ccf05 with --ion-eager --ion-offthread-compile=off at Assertion failure: hasScript(), at jsfun.h My configure flags are: CC="gcc-4.7 -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" CXX="g++-4.7 -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" AR=ar sh /home/fuzz5lin/trees/mozilla-central/js/src/configure --target=arm-linux-gnueabi --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options> This is intermittent and mutates its signatures (sometimes unreliably crashes), so it would be nice to have this fixed. I'll see if I can get a bisection, but no promises here. Setting s-s and sec-high as a start. Shu-yu, would you be able to take a look?
Flags: needinfo?(shu)
Can't repro locally on emulator again. You know the drill. Could you trap it in gdb and get me access to a machine?
Flags: needinfo?(shu)
Also see if it's reproducible with thread count of 1
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7a1c696cade6 user: Shu-yu Guo date: Mon Apr 07 13:02:20 2014 -0700 summary: Bug 974201 - Remove filterPar chunking. (r=nmatsakis) Also, no, I don't think this is reproducible with --thread-count=1.
Blocks: 974201
autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/5c805d803e11 user: Douglas Crosher date: Tue Jul 08 09:42:00 2014 +1000 summary: Bug 1013056. r=shu Probably fixed by 1013056, which Shu-yu confirmed over IRC.
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox31: --- → fixed
status-firefox32: --- → fixed
status-firefox33: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
status-firefox-esr24: --- → unaffected
Whiteboard: [adv-main31+]
Group: javascript-core-security
I'm going to mark this as [qa-] due to not being able to reproduce the original issue. I've tried reproducing using the flags in comment #0 on the emulator with no luck :/ Looks like :shu was also having issues reproducing the original issue in comment #1. Also tried reproducing the issue using --thread-count=1 as suggested in comment #2.
Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-]
Status: VERIFIED → RESOLVED
Closed: 11 years ago11 years ago
status-b2g-v1.3: --- → unaffected
status-b2g-v1.4: --- → unaffected
status-firefox30: --- → unaffected
Depends on: 1013056
Whiteboard: [adv-main31+] → [adv-main31+] fixed by bug 1013056
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: