Bug 1111289 (Closed)
Opened 11 years ago, closed 10 years ago
Assertion failure: obj->isTenured(), at js/src/jsobj.cpp:1989 or Crash [@ NewObject] with saveBytecode
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
| Tracking | Status | |
|---|---|---|
| firefox37 | --- | affected |
People: Reporter decoder, Unassigned
Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:]
The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-debug, run with --fuzzing-safe --no-threads):
```javascript
// SpiderMonkey shell testcase: cacheEntry() and evaluate() are js shell builtins,
// not standard JavaScript.
function evalWithCache(code, ctx) {
  // Wrap the source in a cache entry object unless one was passed in already.
  code = code instanceof Object ? code : cacheEntry(code);
  ctx.compileAndGo = true;
  // First run: compile the script and store its XDR-encoded bytecode in the cache entry.
  var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
  // Second run: decode the saved bytecode (and re-save it); the backtrace below
  // shows the crash under JS_DecodeScript during this call.
  var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, saveBytecode: { value: true } }));
}
var test = (function () {
  // Legacy generator-comprehension and expression-closure syntax; the inner
  // function's script is what gets XDR-encoded and decoded.
  return "(for (x of []) (function() arguments))";
})();
evalWithCache(test, {});
```
Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
NewObject (cx=0x9332950, type_=<optimized out>, parent=(JSObject *) 0xf6b45040 [object global] delegate, kind=33, newKind=js::MaybeSingletonObject) at js/src/jsobj.cpp:1302
1302 : GetGCKindSlots(kind, clasp);
#0 NewObject (cx=0x9332950, type_=<optimized out>, parent=(JSObject *) 0xf6b45040 [object global] delegate, kind=33, newKind=js::MaybeSingletonObject) at js/src/jsobj.cpp:1302
#1 0x084661af in js::NewObjectWithClassProtoCommon (cxArg=0x9332950, clasp=0x92e2ca0, protoArg=<optimized out>, parentArg=<optimized out>, allocKind=33, newKind=js::MaybeSingletonObject) at js/src/jsobj.cpp:1504
#2 0x0849f056 in NewObjectWithClassProto (newKind=js::MaybeSingletonObject, allocKind=<optimized out>, proto=0x0, clasp=<optimized out>, cx=0x9332950, parent=0x0) at js/src/jsobjinlines.h:676
#3 NewBuiltinClassInstance (clasp=<optimized out>, newKind=js::MaybeSingletonObject, allocKind=<optimized out>, cx=0x9332950) at js/src/jsobjinlines.h:713
#4 NewBuiltinClassInstance<js::PlainObject> (newKind=js::MaybeSingletonObject, allocKind=<optimized out>, cx=0x9332950) at js/src/jsobjinlines.h:735
#5 js::XDRObjectLiteral<(js::XDRMode)1> (xdr=0xffffd084, obj=0x0) at js/src/jsobj.cpp:1997
#6 0x084a05c3 in js::XDRScript<(js::XDRMode)1> (xdr=0xffffd084, enclosingScope=0x0, enclosingScript=0xf6b49430, fun=(JSFunction * const) 0xf6b53d80 [object Function <unnamed>], scriptp=0xf6b494c0) at js/src/jsscript.cpp:1026
#7 0x084a0ce8 in js::XDRInterpretedFunction<(js::XDRMode)1> (xdr=0xffffd084, enclosingScope=0x0, enclosingScript=0xf6b49430, objp=0x0) at js/src/jsfun.cpp:611
#8 0x084a06cc in js::XDRScript<(js::XDRMode)1> (xdr=0xffffd084, enclosingScope=0x0, enclosingScript=0x0, fun=0x0, scriptp=0xf6b49430) at js/src/jsscript.cpp:1017
#9 0x085aa55e in js::XDRState<(js::XDRMode)1>::codeScript (this=0xffffd084, scriptp=0xf6b49430) at js/src/vm/Xdr.cpp:130
#10 0x083c7806 in JS_DecodeScript (cx=0x9332950, data=0x93d4e30, length=853) at js/src/jsapi.cpp:6466
#11 0x080548a4 in Evaluate (cx=0x9332950, argc=2, vp=0x93c2c70) at js/src/shell/js.cpp:1280
[...]
```
```
eip 0x8463f83 <NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind)+131>
=> 0x8463f83 <NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind)+131>: movl $0x7b,0x0
   0x8463f8d <NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind)+141>: call 0x804a900 <abort@plt>
```
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
Comment 1 • 10 years ago (Reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 43fb1f92e8d4).
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 2 • 10 years ago (Reporter)
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/43fb1f92e8d4
parent: 232261:dacbd4fbf0ee
parent: 232305:1e4b76918021
user: Ryan VanderMeulen
date: Fri Mar 06 16:18:04 2015 -0500
summary: Merge inbound to m-c. a=merge
This iteration took 234.180 seconds to run.
The bug was introduced by a merge (it was not present on either parent).
I don't know which patches from each side of the merge contributed to the bug. Sorry.
Comment 3 • 10 years ago
autoBisect probably got confused here, so someone should look at this. Setting needinfo? from Brian (bug 1061534) and Nicolas (bug 982162), who have fixed previous saveBytecode bugs in the past.
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(bhackett1024)
Comment 4 • 10 years ago
Sean, as you are taking over the cache implementation, would you be interested in fixing this issue?
Flags: needinfo?(sstangl)
Updated • 10 years ago
Flags: needinfo?(nicolas.b.pierron)
Comment 5 • 10 years ago
Bug 1135897 probably fixed this, for the same reason as in bug 1140711.
Flags: needinfo?(bhackett1024)
Comment 6 • 10 years ago (Reporter)
Marking as fixed based on comment 5.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated • 10 years ago
Flags: needinfo?(sstangl)