Closed Bug 1113744 Opened 10 years ago Closed 10 years ago

Assertion failure: isInt32(), at dist/include/js/Value.h

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla37
Tracking Status
firefox36 --- unaffected
firefox37 --- verified
firefox-esr31 --- unaffected

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,testComment=2,origRev=b17e7747d3fb])

Attachments

(2 files)

// Randomly chosen test: js/src/jit-test/tests/TypedObject/bug953111.js
A = TypedObject.uint8.array(0);
a = new A
TypedObject.uint8.array(0)
// Randomly chosen test: js/src/jit-test/tests/debug/Memory-drainAllocationsLog-13.js
const root = newGlobal()
root.eval("this.dbg=Debugger()").addDebuggee(this)
root.dbg.memory.trackingAllocationSites = true
// Randomly chosen test: js/src/jit-test/tests/auto-regress/bug759719.js
gczeal(2);
S = "var A = new Array(true,false)"
eval(S);
T = new Date
// Randomly chosen test: js/src/jit-test/tests/auto-regress/bug672104.js
load("a.js")

and a.js is:

a.__proto__;

asserts js debug shell on m-c changeset 1427b365cd39 with --fuzzing-safe --ion-offthread-compile=off --ion-eager at Assertion failure: isInt32(), at dist/include/js/Value.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/1427b365cd39/js/src/jit-test/tests/TypedObject/bug953111.js
http://hg.mozilla.org/mozilla-central/file/1427b365cd39/js/src/jit-test/tests/debug/Memory-drainAllocationsLog-13.js
http://hg.mozilla.org/mozilla-central/file/1427b365cd39/js/src/jit-test/tests/auto-regress/bug759719.js
http://hg.mozilla.org/mozilla-central/file/1427b365cd39/js/src/jit-test/tests/auto-regress/bug672104.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/46ae5134ab00
user: Brian Hackett
date: Fri Dec 12 13:36:56 2014 -0700
summary: Bug 1107226 - Share prototype objects for typed object arrays with the same element type, r=nmatsakis.

Setting s-s because this involves gczeal(2).

Brian, is bug 1107226 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x50470, 0x0000000100108897 js-dbg-opt-64-dm-nsprBuild-darwin-1427b365cd39`js::TypeDescr::kind() const [inlined] js::NativeObject::getReservedSlot(this=<unavailable>, index=<unavailable>) const + 145 at NativeObject.h:842, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100108897 js-dbg-opt-64-dm-nsprBuild-darwin-1427b365cd39`js::TypeDescr::kind() const [inlined] js::NativeObject::getReservedSlot(this=<unavailable>, index=<unavailable>) const + 145 at NativeObject.h:842
    frame #1: 0x0000000100108806 js-dbg-opt-64-dm-nsprBuild-darwin-1427b365cd39`js::TypeDescr::kind(this=<unavailable>) const + 86 at TypedObject.h:157
    frame #2: 0x00000001000c4ee7 js-dbg-opt-64-dm-nsprBuild-darwin-1427b365cd39`js::TypedObject::obj_getGeneric(cx=0x0000000101d01e40, obj=<unavailable>, receiver=<unavailable>, id=<unavailable>, vp=<unavailable>) + 263 at TypedObject.cpp:1813
    frame #3: 0x000000010028d4c6 js-dbg-opt-64-dm-nsprBuild-darwin-1427b365cd39`js::jit::ComputeGetPropResult(JSContext*, js::jit::BaselineFrame*, JSOp, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) [inlined] JSObject::getGeneric(cx=0x0000000101d01e40, root=0x0000000101d01e58, root=0x0000000101d01e58, root=0x0000000101d01ea0, dummy=<unavailable>, dummy=<unavailable>) + 30 at NativeObject.h:1404
    frame #4: 0x000000010028d4a8 js-dbg-opt-64-dm-nsprBuild-darwin-1427b365cd39`js::jit::ComputeGetPropResult(cx=0x0000000101d01e40, frame=<unavailable>, op=JSOP_GETPROP, name=<unavailable>, val=<unavailable>, res=<unavailable>) + 696 at BaselineIC.cpp:6901
(lldb)
// Randomly chosen test: js/src/jit-test/tests/TypedObject/bug953111.js
A = TypedObject.uint8.array(0);
a = new A
TypedObject.uint8.array(0)
// Randomly chosen test: js/src/jit-test/tests/debug/Memory-drainAllocationsLog-13.js
const root = newGlobal()
root.eval("this.dbg=Debugger()").addDebuggee(this)
root.dbg.memory.trackingAllocationSites = true
// Randomly chosen test: js/src/jit-test/tests/auto-regress/bug759719.js
gczeal(2);
S = "var A = new Array(true,false)"
eval(S);
T = new Date
// Randomly chosen test: js/src/jit-test/tests/auto-regress/bug672104.js
eval("a.__proto__;")

asserts js debug shell on m-c changeset b17e7747d3fb with --fuzzing-safe --ion-offthread-compile=off --ion-eager at Assertion failure: isInt32(), at dist/include/js/Value.h.

Turns out the load function is not required.
Whiteboard: [jsbugmon:update,testComment=2,origRev=b17e7747d3fb]
Attached patch: patch
Type descriptors attached to type objects weren't being traced (oops).
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8541754 - Flags: review?(nmatsakis)
Attachment #8541754 - Flags: review?(nmatsakis) → review+
Followup to fix using zone() off thread during compacting GCs. https://hg.mozilla.org/integration/mozilla-inbound/rev/0962698c14a0
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security