Closed Bug 1113139 Opened 5 years ago Closed 5 years ago

Assertion failure: data.s.payload.why == why, at ../../dist/include/js/Value.h:1177

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla37
Tracking Status
firefox37 --- affected

People

(Reporter: decoder, Assigned: efaust)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0e441ff66c5e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off):

var lfcode = new Array();
// Each pushed string is eval'd as the body of a fresh (sloppy-mode) function.
lfcode.push = function(x) { eval("(function() { " + x + " })();"); };
// The trailing `const eval = [];` shadows the global eval for the whole function
// body, so every `eval(str)` call made through error() above runs while that
// binding is still in its temporal dead zone and must throw a ReferenceError.
lfcode.push("\
function error(str) { try { eval(str); } catch (e) { return e; } }\
const YIELD_PAREN = error('(function*(){(for (y of (yield 1, 2)) y)})').message;\
const GENEXP_YIELD = error('(function*(){(for (x of yield 1) x)})').message;\
const GENERIC = error('(for)').message;\
const eval = [];\
");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0830d99c in JS::Value::isMagic (why=<optimized out>, this=<optimized out>) at ../../dist/include/js/Value.h:1177
1177	        MOZ_ASSERT_IF(isMagic(), data.s.payload.why == why);
#0  0x0830d99c in JS::Value::isMagic (why=<optimized out>, this=<optimized out>) at ../../dist/include/js/Value.h:1177
#1  0x082ec11e in isMagic (why=JS_OPTIMIZED_OUT, this=0xffff9ec4) at ../../dist/include/js/Value.h:1177
#2  isMagic (why=JS_OPTIMIZED_OUT, this=<synthetic pointer>) at ../../dist/include/js/Value.h:1693
#3  js::jit::DoTypeMonitorFallback (cx=0x9676aa8, frame=0xffff9ecc, stub=0x9729760, value=$jsval(-nan(0xfff8400000010)), res=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:1303
#4  0xf7608610 in ?? ()
#5  0xf760291f in ?? ()
eax	0x0	0
ebx	0x9631ff4	157491188
ecx	0xf7e618ac	-135915348
edx	0x0	0
esi	0xffff9ec4	-24892
edi	0x9676aa8	157772456
ebp	0xffff9e28	4294942248
esp	0xffff9e10	4294942224
eip	0x830d99c <JS::Value::isMagic(JSWhyMagic) const+42>
=> 0x830d99c <JS::Value::isMagic(JSWhyMagic) const+42>:	movl   $0x7b,0x0
   0x830d9a6 <JS::Value::isMagic(JSWhyMagic) const+52>:	call   0x804a9d0 <abort@plt>
I had a similar stack with Bug 1112632.  Unfortunately, Bug 1112632's patch does not fix this issue.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Debugging now why JSBugMon doesn't pick this up.
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a9a7f16c817b
user:        Eric Faust
date:        Thu Oct 30 17:27:03 2014 -0700
summary:     Bug 611388 - |const| should be block scoped and require an initializer. (r=shu)

This iteration took 648.921 seconds to run.
Needinfo from Eric, based on comment 5 :)
Flags: needinfo?(efaustbmo)
Attached patch Fix
Props to shu for his quick eyes on this stuff. We can't generate NameIC stubs before we look, because we'll end up generating stubs that ignore TDZ requirements.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8543429 - Flags: review?(shu)
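The TDZ rule this comment refers to, shown as an added JavaScript example; it is not part of the bug report, the testcase or the patch. `probeShadow` and its `keyword`/`name` parameters are names chosen here, and the code assumes an ES2015-conformant engine (node, or a SpiderMonkey shell with this fix):

```javascript
// Added example, not code from the bug report or from the patch under review.
// It shows the temporal dead zone (TDZ) rule that the NameIC stubs violated:
// a `const`/`let` binding shadows the outer name for its whole block, and any
// read before the declaration has executed must throw a ReferenceError.
// The reporter's testcase relies on exactly this: `const eval = [];` at the
// end of a function body, read earlier by the nested `error()` function.

// Build a sloppy-mode function with `new Function`, as the testcase's
// eval-based loader does, so that `eval` itself may be used as the shadowed
// name (strict code rejects `eval` as a binding identifier).
// `keyword` is the declaration form to probe ("const", "let" or "var");
// `name` is the global whose name gets shadowed. Both names are chosen here.
function probeShadow(keyword, name) {
  const body = `
    const seen = [];
    function read() {
      // Nested closure reading the binding, like error() in the testcase.
      // typeof of a TDZ binding throws; typeof of an undeclared or
      // var-hoisted name does not.
      try { return typeof ${name}; } catch (e) { return e.constructor.name; }
    }
    seen.push(read());          // before the declaration executes
    ${keyword} ${name} = [];    // shadows the global for the whole body
    seen.push(read());          // after initialization
    return seen.join(",");
  `;
  return new Function(body)();
}

// Expected on an ES2015-conformant engine:
//   probeShadow("const", "eval")     -> "ReferenceError,object"
//   probeShadow("let",   "eval")     -> "ReferenceError,object"
//   probeShadow("var",   "eval")     -> "undefined,object"   (no TDZ for var)
//   probeShadow("const", "parseInt") -> "ReferenceError,object"
```

The `var` row is the contrast that matters for the JIT: a hoisted `var` is simply `undefined` before its declaration, so a name lookup can return whatever the slot holds, whereas a `const`/`let` slot holds an uninitialized-lexical marker that must be turned into a ReferenceError at the read site rather than returned as a value, which is what a NameIC stub generated before the lookup was skipping.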
Comment on attachment 8543429 [details] [diff] [review]
Fix

Review of attachment 8543429 [details] [diff] [review]:
-----------------------------------------------------------------

Tests pass I suppose?

::: js/src/jit/IonCaches.cpp
@@ +4386,5 @@
>      RootedObject obj(cx);
>      RootedObject holder(cx);
>      RootedShape shape(cx);
> +    // Keep the silly Lookup/Fetch pairing, even though they don't need to be
> +    // split in order to keep the obj, holder, shape for stub attachment.
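Review bot: the new comment at +4386 states a non-reason: "even though they don't need to be split in order to keep the obj, holder, shape for stub attachment" leaves open whether the Lookup/Fetch pairing is kept because obj, holder and shape must survive into stub attachment, or despite that not being necessary. Either state the reason in the positive, e.g. `// Keep Lookup and Fetch separate: obj, holder and shape must still be live when the stub is attached.`, or drop the comment; a justification phrased as "even though it isn't needed" will not help the next reader. Note also that these five lines add only a comment and change no code, so the behaviour change this attachment describes (not generating NameIC stubs before the lookup) has to be reviewed in the patch's other hunks.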

I don't think this comment is necessary, since it doesn't say why we should keep it. I don't think anything's needed here.
Attachment #8543429 - Flags: review?(shu) → review+
Comment on attachment 8543429 [details] [diff] [review]
Fix

Review of attachment 8543429 [details] [diff] [review]:
-----------------------------------------------------------------

Tests pass I suppose?

Oh, also please add the fuzz test.

::: js/src/jit/IonCaches.cpp
@@ +4386,5 @@
>      RootedObject obj(cx);
>      RootedObject holder(cx);
>      RootedShape shape(cx);
> +    // Keep the silly Lookup/Fetch pairing, even though they don't need to be
> +    // split in order to keep the obj, holder, shape for stub attachment.

I don't think this comment is necessary, since it doesn't say why we should keep it. I don't think anything's needed here.
https://hg.mozilla.org/mozilla-central/rev/73eadfc19bba
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37