Closed Bug 1060387 Opened 10 years ago Closed 9 years ago

Assertion failure: !obj->isIndexed(), at jit/VMFunctions.cpp:1116

Categories

(Core :: JavaScript Engine: JIT, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla37
Tracking Status
firefox34 --- affected
firefox35 --- affected
firefox36 --- affected
firefox37 --- affected
firefox-esr31 --- affected

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase asserts on mozilla-central revision d697d649c765 (run with --no-threads --fuzzing-safe --ion-eager):


function foo() {
  var obj = new Object();
  var index = [ -0, 2147483648, 1073741825 ];
  for (var j in index) { 
    testProperty(index[j]); 
  }
  function testProperty(i) {
    obj[i] = '' + i;
  }
} foo();
Whiteboard: [jsbugmon:update,bisect]
This isn't bisecting because the earliest changeset autobisect picks also crashes. This is probably because it goes further back than the --no-threads flag (before non-threadsafe removal). It still reproduces though.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7cfba1345851
user:        Jan de Mooij
date:        Wed Apr 16 17:24:23 2014 +0200
summary:     Bug 997081 - Optimize StoreElementHole OOL VM call. r=bhackett

Jan, is bug 997081 a likely regressor?
Blocks: 997081
Flags: needinfo?(jdemooij)
Keywords: regression
OS: Linux → All
Hardware: x86 → All
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Attached patch PatchSplinter Review
I think this is just a bogus assert. We call ensureDenseElements -> ensureDenseElementsNoPackedCheck -> extendDenseElements and there we check isIndexed() and if true return ED_SPARSE.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8542121 - Flags: review?(bhackett1024)
Attachment #8542121 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/aac57ca292f4
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
You need to log in before you can comment on or make changes to this bug.