1100202 - Assertion failure: this->is<T>(), at jsobj.h

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Random chosen test: js/src/jit-test/tests/TypedObject/atopneuteredbuffer.js
(function() {
    Object
})()
var {
    Object
} = TypedObject
// Random chosen test: js/src/jit-test/tests/basic/symbol-in-loop.js
function f() {
    Object(Symbol)
}
for (var i = 0; i < 1; i++) {
    f()
}

asserts js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --ion-eager --no-threads at Assertion failure: this->is<T>(), at jsobj.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz, the specific files are:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/TypedObject/atopneuteredbuffer.js
http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/symbol-in-loop.js

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141104140142" and the hash "a9a7f16c817b".
The "bad" changeset has the timestamp "20141104142049" and the hash "ed6401282c18".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a9a7f16c817b&tochange=ed6401282c18

Brian, is bug 1091015 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x4a4bfa, 0x00000001002da32e js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3566 at IonBuilder.cpp:4889, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002da32e js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3566 at IonBuilder.cpp:4889
    frame #1: 0x00000001002d93e0 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inlineCallsite(this=0x00007fff5fbfde38, targets=0x00007fff5fbfdaa0, originals=0x00007fff5fbfdaf8, lambda=<unavailable>, callInfo=0x00007fff5fbfda10) + 256 at IonBuilder.cpp:4753
    frame #2: 0x00000001002cd889 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::jsop_call(this=0x00007fff5fbfde38, argc=<unavailable>, constructing=<unavailable>) + 1241 at IonBuilder.cpp:5540
    frame #3: 0x00000001002c51d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::inspectOpcode(this=0x00007fff5fbfde38, op=<unavailable>) + 1174 at IonBuilder.cpp:1646
    frame #4: 0x00000001002c2546 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::IonBuilder::traverseBytecode(this=0x00007fff5fbfde38) + 662 at IonBuilder.cpp:1320
(lldb)

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

Bleah, the inlining code is too complicated.  I spent a while making sure the function downcasts in place were OK and still messed this up.

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/9b395e34931c

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/9b395e34931c