Closed Bug 1102329 Opened 7 years ago Closed 7 years ago

Assertion failure: this->is<T>(), at jsobj.h

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla36
Tracking Status
firefox36 --- affected

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

// Random chosen test: js/src/jit-test/tests/basic/function-bind.js
A = Array.bind()
// Random chosen test: js/src/jit-test/tests/TypedObject/neutertypedobjunsizedarray.js
var {
    StructType
} = TypedObject
var A = new StructType({});
(function() {
    new A
    for (var i = 0; i < 9; i++) {}
})()

asserts js debug shell on m-c changeset 7d17b594834f with --fuzzing-safe --ion-eager --no-threads at Assertion failure: this->is<T>(), at jsobj.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/7d17b594834f/js/src/jit-test/tests/basic/function-bind.js
http://hg.mozilla.org/mozilla-central/file/7d17b594834f/js/src/jit-test/tests/TypedObject/neutertypedobjunsizedarray.js

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141104140142" and the hash "a9a7f16c817b".
The "bad" changeset has the timestamp "20141104142049" and the hash "ed6401282c18".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a9a7f16c817b&tochange=ed6401282c18

Brian, is bug 1091015 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x1f61bb, 0x00000001002d7787 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3639 at IonBuilder.cpp:4908, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002d7787 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3639 at IonBuilder.cpp:4908
    frame #1: 0x00000001002d67f0 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inlineCallsite(this=0x0000000103047a58, targets=0x00007fff5fbfd960, originals=0x00007fff5fbfd9b8, lambda=<unavailable>, callInfo=0x00007fff5fbfd8d0) + 256 at IonBuilder.cpp:4772
    frame #2: 0x00000001002cac69 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::jsop_call(this=0x0000000103047a58, argc=<unavailable>, constructing=<unavailable>) + 1241 at IonBuilder.cpp:5559
    frame #3: 0x00000001002c2446 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inspectOpcode(this=0x0000000103047a58, op=<unavailable>) + 1174 at IonBuilder.cpp:1662
    frame #4: 0x00000001002bf776 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::traverseBytecode(this=0x0000000103047a58) + 662 at IonBuilder.cpp:1336
(lldb)
Attached patch: patch
Bleah, again.  I went through IonBuilder.cpp and related files and this is the only JSFunction downcast that wasn't checked (either explicitly or via choiceSet).  It would be nice if we were using JSObject instead of JSFunction throughout the inlining code, but it would be a fair amount of work and wouldn't, I think, open up new optimization possibilities that are worth considering.
Flags: needinfo?(bhackett1024)
Attachment #8526777 - Flags: review?(jdemooij)
Attachment #8526777 - Flags: review?(jdemooij) → review+
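An added illustration, not SpiderMonkey's code, of the checked-downcast pattern the assertion in the title comes from: a minimal model of JSObject's `is<T>()`/`as<T>()` pair, a callable type descriptor standing in for the StructType object `A` in the testcase, and an inliner loop that tests `is<Function>()` before downcasting. `Class`, `Object`, `Function`, `TypeDescr` and `countInlinableTargets` are hypothetical names chosen for this example.

```cpp
#include <cassert>
#include <vector>

// Hypothetical stand-in for js::Class: only the callable bit matters here.
struct Class { const char* name; bool callable; };

// Minimal model of JSObject: a class pointer plus the is<T>()/as<T>() pair.
struct Object {
    const Class* clasp;
    explicit Object(const Class* c) : clasp(c) {}
    virtual ~Object() {}
    bool isCallable() const { return clasp->callable; }
    template <class T> bool is() const { return clasp == &T::class_; }
    // Like the real helper, the downcast asserts the dynamic type first;
    // this is the "Assertion failure: this->is<T>()" from the bug title.
    template <class T> T& as() { assert(this->is<T>()); return *static_cast<T*>(this); }
};

// Stand-in for JSFunction.
struct Function : Object {
    static const Class class_;
    int inlineCost;
    explicit Function(int cost) : Object(&class_), inlineCost(cost) {}
};
const Class Function::class_ = { "Function", true };

// Stand-in for a TypedObject StructType descriptor such as `A` in the
// testcase: callable through its class, but not a Function.
struct TypeDescr : Object {
    static const Class class_;
    TypeDescr() : Object(&class_) {}
};
const Class TypeDescr::class_ = { "TypeDescr", true };

// Hypothetical inliner loop over call targets. The is<Function>() test is the
// kind of check the bug comment describes as missing; drop it and the
// TypeDescr target trips the assertion inside as<Function>().
int countInlinableTargets(const std::vector<Object*>& targets) {
    int n = 0;
    for (Object* target : targets) {
        if (!target->is<Function>())        // callable but not a function: skip
            continue;
        Function& fun = target->as<Function>();  // safe after the check
        if (fun.inlineCost < 100)
            n++;
    }
    return n;
}
```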
https://hg.mozilla.org/mozilla-central/rev/05b7e79b688e
Assignee: nobody → bhackett1024
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36