Closed
Bug 1128603
Opened 10 years ago
Closed 10 years ago
Assertion failure: isObject(), at ../../../dist/include/js/Value.h:1240 with findReferences
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
People
(Reporter: decoder, Assigned: jimb)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
40.12 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 940118b1adcd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2):
var p = Proxy.create({
get : function(id) {
return 10;
}
});
Object.prototype.__proto__ = p;
var obj = {};
findReferences(obj);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004180e4 in JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1240
1240 MOZ_ASSERT(isObject());
#0 0x00000000004180e4 in JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1240
#1 0x0000000000419a9b in JSVAL_IS_OBJECT_IMPL (l=...) at ../../../dist/include/js/Value.h:804
#2 isObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1145
#3 JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1240
#4 0x00000000004161ab in toObject (this=0x7fffffffc1a0) at ../../../dist/include/js/Value.h:1707
#5 ReferenceFinder::addReferrer (this=this@entry=0x7fffffffc3c0, referrerArg=..., path=path@entry=0x7fffffffc2d0) at js/src/shell/jsheaptools.cpp:522
#6 0x00000000004165f5 in ReferenceFinder::visit (this=this@entry=0x7fffffffc3c0, cell=0x0, path=path@entry=0x7fffffffc2d0) at js/src/shell/jsheaptools.cpp:428
#7 0x000000000041655c in ReferenceFinder::visit (this=this@entry=0x7fffffffc3c0, cell=0x7ffff5670cc0, path=path@entry=0x0) at js/src/shell/jsheaptools.cpp:454
#8 0x0000000000416665 in ReferenceFinder::findReferences (this=this@entry=0x7fffffffc3c0, target=target@entry=(JSObject * const) 0x7ffff5670cc0 [object Object]) at js/src/shell/jsheaptools.cpp:537
#9 0x00000000004168df in FindReferences (cx=cx@entry=0x1a1cb70, argc=<optimized out>, vp=0x1a90840) at js/src/shell/jsheaptools.cpp:569
#10 0x0000000000619b99 in js::CallJSNative (cx=0x1a1cb70, native=0x416690 <FindReferences(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
#11 0x00000000005fa670 in js::Invoke (cx=0x1a1cb70, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#12 0x00000000005f5c7c in Interpret (cx=0x1a1cb70, state=...) at js/src/vm/Interpreter.cpp:2558
#13 0x00000000005f9ce8 in js::RunScript (cx=cx@entry=0x1a1cb70, state=...) at js/src/vm/Interpreter.cpp:448
#14 0x00000000005f9e99 in js::ExecuteKernel (cx=cx@entry=0x1a1cb70, script=script@entry=0x7ffff565e160, scopeChainArg=(JSObject &) @0x7ffff565a060 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:657
#15 0x00000000005fa3e6 in js::Execute (cx=0x1a1cb70, script=0x7ffff565e160, scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:694
#16 0x00000000009f540b in ExecuteScript (cx=0x1a1cb70, obj=(JSObject * const) 0x7ffff565a060 [object global] delegate, scriptArg=0x7ffff565e160, rval=0x0) at js/src/jsapi.cpp:4224
#17 0x000000000041977d in RunFile (compileOnly=false, file=0x1afbd80, filename=0x7fffffffe0ca "min.js", obj=..., cx=0x1a1cb70) at js/src/shell/js.cpp:453
#18 Process (cx=cx@entry=0x1a1cb70, obj_=<optimized out>, filename=0x7fffffffe0ca "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586
#19 0x0000000000425293 in ProcessArgs (op=0x7fffffffdb70, obj_=<optimized out>, cx=0x1a1cb70) at js/src/shell/js.cpp:5514
#20 Shell (op=0x7fffffffdb70, cx=0x1a1cb70, envp=<optimized out>) at js/src/shell/js.cpp:5755
#21 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6102
rax 0x0 0
rbx 0x7fffffffc180 140737488339328
rcx 0x7ffff6cb2f4d 140737333899085
rdx 0x0 0
rsi 0x7ffff6f86a80 140737336863360
rdi 0x7ffff6f85180 140737336856960
rbp 0x7fffffffc120 140737488339232
rsp 0x7fffffffc120 140737488339232
r8 0x7ffff7fe8740 140737354041152
r9 0x736a2f6564756c63 8316511774416661603
r10 0x7fffffffbeb0 140737488338608
r11 0x7ffff6c3a940 140737333406016
r12 0x1c44150 29638992
r13 0x7fffffffc3c0 140737488339904
r14 0x7fffffffc1c0 140737488339392
r15 0xfff9000000000000 -1970324836974592
rip 0x4180e4 <JS::Value::toObject() const+28>
=> 0x4180e4 <JS::Value::toObject() const+28>: movl $0x4d8,0x0
0x4180ef <JS::Value::toObject() const+39>: callq 0x404ac0 <abort@plt>
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 1•10 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/615f118f2787
user: Jason Orendorff
date: Tue Dec 16 18:06:43 2014 -0600
summary: Bug 914314, part 3 - Reimplement GetPropertyInline to match ES6 9.1.8. r=efaust.
This iteration took 366.687 seconds to run.
Reporter | ||
Comment 3•10 years ago
|
||
Probably the same underlying issue but a different assertion:
var p = Proxy.create({
get: function(id)
function w(value)
uint8("0x1ff")
});
Object.prototype.__proto__ = p;
var k = {};
findReferences(k);
Assertion failure: JS_IsArrayObject(context, array), at shell/jsheaptools.cpp:523
Comment 4•10 years ago
|
||
This appears to be a bug in how HeapReverser handles some new edges in ES6. Jim, is it finally time to remove jsheaptools?
Flags: needinfo?(jimb)
Assignee | ||
Comment 5•10 years ago
|
||
Out it goes.
Assignee: nobody → jimb
Status: NEW → ASSIGNED
Flags: needinfo?(jimb)
Attachment #8576911 -
Flags: review?(terrence)
Comment 6•10 years ago
|
||
Comment on attachment 8576911 [details] [diff] [review]
Remove findReferences and the tests that use it.
Review of attachment 8576911 [details] [diff] [review]:
-----------------------------------------------------------------
\o/
Do you have a bug open against debugger to provide a similar interface against ubi::Node?
Attachment #8576911 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 7•10 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #6)
> Do you have a bug open against debugger to provide a similar interface
> against ubi::Node?
Not yet. We don't have a specific tool we want to build around it yet.
Assignee | ||
Comment 8•10 years ago
|
||
Flags: in-testsuite-
Target Milestone: --- → mozilla39
Comment 9•10 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox39:
--- → fixed
Resolution: --- → FIXED
Updated•10 years ago
|
Flags: needinfo?(jorendorff)
You need to log in
before you can comment on or make changes to this bug.
Description
•