Closed Bug 1131035 Opened 5 years ago Closed 5 years ago

Crash [@ lookup] or Assertion failure: this->is<T>(), at js/src/jsobj.h:567 with --unboxed-objects


(Core :: JavaScript Engine, defect, critical)




Tracking Status
firefox38 --- fixed


(Reporter: decoder, Assigned: bhackett1024)




(4 keywords, Whiteboard: [jsbugmon:update])


The following testcase crashes on mozilla-central revision 3436787a82d0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --unboxed-objects):

function TestCase() {
  this.passed = 'x';
}
result = "pass";
new TestCase();
new TestCase(result);
function Gen2(value) {}
evaluate('Gen2.prototype = new TestCase();', { noScriptRval : true, compileAndGo : true });


Program received signal SIGSEGV, Segmentation fault.
lookup (id=$jsid("passed"), this=<optimized out>) at js/src/vm/UnboxedObject.h:107
107	            return lookup(JSID_TO_ATOM(id));
#0  lookup (id=$jsid("passed"), this=<optimized out>) at js/src/vm/UnboxedObject.h:107
#1  js::UnboxedPlainObject::obj_setProperty (cx=0x16bf2e0, obj=(JSObject * const) 0x7ffff56708c0 [object Object], id=$jsid("passed"), vp=..., strict=<optimized out>) at js/src/vm/UnboxedObject.cpp:301
#2  0x00000000006a45ea in js::jit::DoSetPropFallback (cx=0x16bf2e0, frame=<optimized out>, stub_=<optimized out>, lhs=$jsval((JSObject *) 0x7ffff56708c0 [object Object]), rhs=$jsval("x"), res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:8314
#3  0x00007ffff55b59ea in ?? ()
#4  0x00007fffffffbcc0 in ?? ()
#5  0x00007fffffffb2e0 in ?? ()
#6  0xfff9000000000000 in ?? ()
#7  0x0000000001692260 in js::jit::DoGetPropGenericInfo ()
#21 0x00000000006d8ae0 in js::jit::IonBuilder::IonBuilder (this=0xfffafffff5600b68, analysisContext=0x7fffffffbcc0, comp=<optimized out>, options=..., temp=0x7fffffffb378, graph=<optimized out>, constraints=0xfffc7ffff56708c0, inspector=0x16e8110, info=0x7fffffffb548, optimizationInfo=0x2, baselineFrame=0x21, inliningDepth=140737488355327, loopDepth=4116383344) at js/src/jit/IonBuilder.cpp:156
#22 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffaf10	140737488334608
rcx	0x20000	131072
rdx	0x0	0
rsi	0x1735410	24335376
rdi	0x7ffff56587f0	140737310459888
rbp	0x7fffffffaf90	140737488334736
rsp	0x7fffffffadb0	140737488334256
r8	0x0	0
r9	0x0	0
r10	0x36	54
r11	0x7ffff566e7d8	140737310549976
r12	0x0	0
r13	0x16bf2e0	23851744
r14	0x7fffffffaf30	140737488334640
r15	0x7ffff56587f0	140737310459888
rip	0x5d6751 <js::UnboxedPlainObject::obj_setProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool)+97>
=> 0x5d6751 <js::UnboxedPlainObject::obj_setProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool)+97>:	mov    0x20(%rdx),%rcx
   0x5d6755 <js::UnboxedPlainObject::obj_setProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool)+101>:	test   %rcx,%rcx
I'm not sure what's the status of --unboxed-objects, is it enabled by default in any build? NI from bhackett to figure this out and fix this bug :)
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Brian Hackett
date:        Mon Feb 02 09:27:59 2015 -0700
summary:     Bug 1127987 - Fix transposed parent/metadata arguments in EmptyShape::getInitialShape, r=jandem.

This iteration took 262.167 seconds to run.
Attached patch: patch
When allocating singleton objects for a group with an unboxed layout, we would end up with singletons that had that unboxed layout, rather than a normal plain object like we should.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8562301 - Flags: review?(jdemooij)
(In reply to Christian Holler (:decoder) from comment #1)
> I'm not sure what's the status of --unboxed-objects, is it enabled by
> default in any build? NI from bhackett to figure this out and fix this bug :)

Unboxed objects are not enabled by default anywhere, though they will be before too long.
Comment on attachment 8562301 [details] [diff] [review]

Review of attachment 8562301 [details] [diff] [review]:

::: js/src/jit-test/tests/basic/bug1131035.js
@@ +1,3 @@
> +
> +function TestCase()
> +  this.passed = 'x';
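Review bot: the new test file opens with an empty `+` line at line 1; drop the leading blank line so the file starts at `function TestCase()`. The same hunk uses the expression-closure form `function TestCase()` followed directly by `this.passed = 'x';`, which is non-standard syntax; wrapping the body in `{ }` keeps the test valid if expression closures are removed later.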

Nit: can you add {}? Expression closures are non-standard syntax.
Attachment #8562301 - Flags: review?(jdemooij) → review+
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38