Closed Bug 1100202 Opened 5 years ago Closed 5 years ago

Assertion failure: this->is<T>(), at jsobj.h

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla36
Tracking Status
firefox36 --- affected

People

(Reporter: gkw, Assigned: bhackett)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

// Random chosen test: js/src/jit-test/tests/TypedObject/atopneuteredbuffer.js
(function() {
    Object
})()
var {
    Object
} = TypedObject
// Random chosen test: js/src/jit-test/tests/basic/symbol-in-loop.js
function f() {
    Object(Symbol)
}
for (var i = 0; i < 1; i++) {
    f()
}

Asserts js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --ion-eager --no-threads at Assertion failure: this->is<T>(), at jsobj.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz; the specific files are:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/TypedObject/atopneuteredbuffer.js
http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/symbol-in-loop.js

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141104140142" and the hash "a9a7f16c817b".
The "bad" changeset has the timestamp "20141104142049" and the hash "ed6401282c18".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a9a7f16c817b&tochange=ed6401282c18

Brian, is bug 1091015 a likely regressor?
Flags: needinfo?(bhackett1024)
Blocks: 1100132
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x4a4bfa, 0x00000001002da32e js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3566 at IonBuilder.cpp:4889, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002da32e js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3566 at IonBuilder.cpp:4889
    frame #1: 0x00000001002d93e0 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inlineCallsite(this=0x00007fff5fbfde38, targets=0x00007fff5fbfdaa0, originals=0x00007fff5fbfdaf8, lambda=<unavailable>, callInfo=0x00007fff5fbfda10) + 256 at IonBuilder.cpp:4753
    frame #2: 0x00000001002cd889 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::jsop_call(this=0x00007fff5fbfde38, argc=<unavailable>, constructing=<unavailable>) + 1241 at IonBuilder.cpp:5540
    frame #3: 0x00000001002c51d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inspectOpcode(this=0x00007fff5fbfde38, op=<unavailable>) + 1174 at IonBuilder.cpp:1646
    frame #4: 0x00000001002c2546 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::traverseBytecode(this=0x00007fff5fbfde38) + 662 at IonBuilder.cpp:1320
(lldb)
Attached patch patch
Bleah, the inlining code is too complicated. I spent a while making sure the function downcasts in place were OK and still messed this up.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8524078 - Flags: review?(jdemooij)
Attachment #8524078 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/9b395e34931c
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36