1100480 - Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h

Status: RESOLVED DUPLICATE of bug 949220

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The upcoming testcase asserts js debug shell on m-c changeset 7f0d92595432 with --fuzzing-safe --ion-eager --no-threads --arm-sim-icache-checks at Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/fuzz3/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz, the specific files are:

http://hg.mozilla.org/mozilla-central/file/7f0d92595432/js/src/jit-test/tests/collections/Map-constructor-5.js
http://hg.mozilla.org/mozilla-central/file/7f0d92595432/js/src/jit-test/tests/basic/bug720675.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/77ff6a4dd3f1
user:        Jeff Walden
date:        Tue Sep 23 13:03:40 2014 -0700
summary:     Bug 1052139 - Implement the ability to prevent modifying an extensible object's [[Prototype]].  r=efaust, r=bholley

Waldo, is bug 1052139 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x8082957, 0x000e72ea js-dbg-opt-32-dm-nsprBuild-armSim-darwin-7f0d92595432`collator_finalize(js::FreeOp*, JSObject*) [inlined] js::NativeObject& JSObject::as<js::NativeObject>(this=<unavailable>, this=<unavailable>, index=<unavailable>) + 220 at jsobj.h:744, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x0)
  * frame #0: 0x000e72ea js-dbg-opt-32-dm-nsprBuild-armSim-darwin-7f0d92595432`collator_finalize(js::FreeOp*, JSObject*) [inlined] js::NativeObject& JSObject::as<js::NativeObject>(this=<unavailable>, this=<unavailable>, index=<unavailable>) + 220 at jsobj.h:744
    frame #1: 0x000e720e js-dbg-opt-32-dm-nsprBuild-armSim-darwin-7f0d92595432`collator_finalize(fop=<unavailable>, obj=<unavailable>) + 126 at Intl.cpp:672
    frame #2: 0x0059d36e js-dbg-opt-32-dm-nsprBuild-armSim-darwin-7f0d92595432`JSObject::finalize(this=0x01e500e0, fop=<unavailable>) + 142 at jsobjinlines.h:89
    frame #3: 0x0059ccb2 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-7f0d92595432`unsigned long js::gc::Arena::finalize<JSObject>(this=<unavailable>, fop=<unavailable>, thingKind=<unavailable>, thingSize=<unavailable>) + 418 at jsgc.cpp:514
    frame #4: 0x00521fb6 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-7f0d92595432`FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) [inlined] bool FinalizeTypedArenas<JSObject>(fop=0xbffff148, src=0xbfffef98, dest=<unavailable>) + 223 at jsgc.cpp:577
(lldb)

Comment 3

[Jeff Walden [:Waldo]]

Going purely from comment 1's stack (woo for it in comments for easy perusal!), this is a dup of that old bug about giving objects created with singleton type, the right type from birth.  The "_finalize" collator_finalize symbol is the giveaway.

Unfortunately this doesn't reproduce for me locally, and because it's doing random global exploration there's no way to easily eyeball this as being that issue.  I guess we'll have to wait til that bug has a patch in hand, then double-check that was also fixt at that point.