Closed
Bug 1106164
Opened 11 years ago
Closed 11 years ago
Assertion failure: isObject(), at js/Value.h:1243
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla37
People
(Reporter: decoder, Assigned: shu)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments
(1 file)
1.49 KB, patch, jandem: review+
The following testcase crashes on mozilla-central revision 7bcc6573d204 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off):
var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () { hits++; };");
evaluate("\
var tokenCodes = {};\
tokenCodes.continue = 0;\
var arr = [\
(0.E87 ), \
];\
for(var reportCompare in tokenCodes) {\
for(var p1 in arr) {\
if(arr[j . arr ++ ] === p) {\
}\
}\
}\
", { noScriptRval : true, compileAndGo : true });
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004058d4 in JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1243
1243 MOZ_ASSERT(isObject());
#0 0x00000000004058d4 in JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1243
#1 0x00000000004675cb in JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:807
#2 0x00000000006f2e68 in HandleExceptionBaseline (calledDebugEpilogue=0x7fffffffc390, unwoundScopeToPc=<synthetic pointer>, rfe=0x7fffffffca78, frame=..., cx=0x19a92d0) at js/src/jit/IonFrames.cpp:666
#3 js::jit::HandleException (rfe=0x7fffffffca78) at js/src/jit/IonFrames.cpp:774
#4 0x00007ffff7fe821f in ?? ()
[...]
#18 0x0000000000000000 in ?? ()
rip 0x4058d4 <JS::Value::toObject() const+28>
=> 0x4058d4 <JS::Value::toObject() const+28>: movl $0x7b,0x0
0x4058df <JS::Value::toObject() const+39>: callq 0x404b20 <abort@plt>
This also causes random crashes that are hard to keep track of. Marking as fuzzblocker.
Comment 2•11 years ago (Assignee)
While the code to *detect* if there was a live iterator to be read out of the
snapshot for the in-place bailout was correct, I forgot to skip the other
allocations that didn't need to be read out.
Attachment #8530471 -
Flags: review?(jdemooij)
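As an added illustration of the cursor misuse described in comment 2 (this is a constructed toy model, not code from the patch or from SpiderMonkey): a snapshot is modelled as one allocation slot per frame, and a frame without a live iterator must still consume its slot, otherwise every later read returns the wrong slot. The names `Snapshot`, `SnapshotCursor` and `restoreIterators` are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed model: a snapshot is a flat list of allocation slots, exactly one
// per frame. A SnapshotIterator-like cursor must consume one slot per frame,
// whether or not that frame has a live iterator to restore.
struct Snapshot {
    std::vector<int64_t> slots;     // per-frame allocation (constructed values)
    std::vector<bool> hasLiveIter;  // per frame: does it hold a live iterator?
};

class SnapshotCursor {
    const std::vector<int64_t>& slots_;
    size_t pos_ = 0;
public:
    explicit SnapshotCursor(const std::vector<int64_t>& s) : slots_(s) {}
    bool moreAllocations() const { return pos_ < slots_.size(); }
    int64_t read() {
        if (!moreAllocations()) throw std::out_of_range("snapshot exhausted");
        return slots_[pos_++];
    }
    void skip() { if (moreAllocations()) ++pos_; }
};

// Sample snapshot (constructed): frames 1 and 3 own iterators (42, 99); the
// other frames hold unrelated, non-iterator allocations (-1, -2).
Snapshot sampleSnapshot() {
    return Snapshot{{-1, 42, -2, 99}, {false, true, false, true}};
}

// Walk the frames and collect the iterator value restored for each frame that
// owns one. skipUnused=true is the fixed behaviour (consume the slot even when
// it is not read); skipUnused=false leaves the cursor behind, as in the bug.
std::vector<int64_t> restoreIterators(const Snapshot& snap, bool skipUnused) {
    SnapshotCursor iter(snap.slots);
    std::vector<int64_t> restored;
    for (size_t frame = 0; frame < snap.hasLiveIter.size(); ++frame) {
        if (snap.hasLiveIter[frame]) {
            restored.push_back(iter.read());
        } else if (skipUnused) {
            iter.skip();  // the fix: keep the cursor aligned with the frame
        }
        // buggy path: the cursor now lags the frame index by one slot, so the
        // next read() hands back a non-iterator allocation (cf. isObject())
    }
    return restored;
}
```

With the sample snapshot the fixed walk restores {42, 99}; the buggy walk restores {-1, 42}, reading the preceding frame's unrelated allocation instead of the iterator.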
Comment 3•11 years ago
Comment on attachment 8530471 [details] [diff] [review]
Fix incorrect use of SnapshotIterator in the in-place debug mode Ion exception bailout.
Review of attachment 8530471 [details] [diff] [review]:
-----------------------------------------------------------------
Can you add the testcase?
::: js/src/jit/BaselineBailouts.cpp
@@ +877,4 @@
> v = iter.read();
> + } else {
> + if (iter.moreAllocations())
> + iter.skip();
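Review bot: the new else branch guards skip() with moreAllocations() while the read() in the branch above is unguarded, so the two paths make different assumptions about the snapshot; if the in-place bailout can reach a snapshot with no allocations left, read() would be the failing case, and if it cannot, the guard is dead and would only mask a cursor desync. Prefer an unconditional `iter.skip();` so every frame consumes exactly one allocation whether or not it has a live iterator, and land the testcase from comment 0 with the patch, since that is what exposes the misaligned read.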
As you mentioned on IRC, we probably don't need the moreAllocations() here.
Attachment #8530471 -
Flags: review?(jdemooij) → review+
Updated•11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 4•11 years ago (Reporter)
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/b160657339f8
user: Shu-yu Guo
date: Thu Nov 13 14:39:39 2014 -0800
summary: Bug 1032869 - Part 2: Move debuggee-ness to frames and selectively deoptimize when Debugger needs to observe execution. (r=jimb)
changeset: https://hg.mozilla.org/mozilla-central/rev/bb2f13ba7b1c
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1062629 - Off-thread compartment debug mode should match main thread compartment debug mode. (r=jimb)
changeset: https://hg.mozilla.org/mozilla-central/rev/1176cc3c3b34
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1063328 - Fix on-stack live iterator handling when bailing out in-place due to debug mode OSR. (r=jandem)
changeset: https://hg.mozilla.org/mozilla-central/rev/f8e316fa65bb
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1063330 - Remove the JS shell's evalInFrame. (r=jimb)
changeset: https://hg.mozilla.org/mozilla-central/rev/96a2f59f6ce4
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1032869 - Part 3: Don't consider onExceptionUnwind an all-execution-observing hook. (r=jandem)
This iteration took 285.899 seconds to run.
Comment 5•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated•11 years ago (Assignee)
Flags: needinfo?(shu)
Comment 6•11 years ago
Fixed for Fx36 by the roll-up in bug 1114757.