Crash [@ lookup] or Crash [@ js::jit::DoSetPropFallback] or Assertion failure: addendumKind() == Addendum_UnboxedLayout, at vm/ObjectGroup.h:293 with --unboxed-objects

RESOLVED FIXED in Firefox 39

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 4 years ago
Last modified: 3 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla39
Platform: x86_64
OS: Linux
Keywords: assertion, crash, regression, testcase
Points: ---

Firefox Tracking Flags

(firefox38 affected, firefox39 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision 86d2bb8bb1c9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --baseline-eager --unboxed-objects):

// Shell-only option: lower the Ion warm-up threshold so the JITs compile early.
setJitCompilerOption("ion.warmup.trigger", 30);
function ArrayCallback(state) {
  this.state = state;
}
ArrayCallback.prototype.isUpperCase = function(v, index, array) {
    return this.state ? true : (v == v.toUpperCase());
};
strings = ['hello', 'Array', 'WORLD'];
// Under --unboxed-objects, objects created by ArrayCallback get an unboxed layout;
// running the constructor and the callback twice warms up the baseline ICs.
obj = new ArrayCallback(false);
strings.filter(obj.isUpperCase, obj)
obj = new ArrayCallback(true);
strings.filter(obj.isUpperCase, obj)
// Assigning __proto__ is itself a property set on the unboxed object, and is the
// statement that triggers the crash.
obj.__proto__ = {};



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
lookup (id=..., this=0x0) at js/src/vm/UnboxedObject.h:115
115	            return lookup(JSID_TO_ATOM(id));
#0  lookup (id=..., this=0x0) at js/src/vm/UnboxedObject.h:115
#1  TryAttachUnboxedSetPropStub (attached=<synthetic pointer>, rhs=..., obj=..., id=..., stub=0x17c00f0, script=..., cx=0x16c33e0) at js/src/jit/BaselineIC.cpp:8167
#2  js::jit::DoSetPropFallback (cx=0x16c33e0, frame=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:8330
#3  0x00007ffff4692a1a in ?? ()
[...]
#29 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x16c33e0	23868384
rcx	0x7ffff471c6e8	140737294485224
rdx	0x0	0
rsi	0x17346f0	24332016
rdi	0x7ffff4757910	140737294727440
rbp	0x17c00f0	24903920
rsp	0x7fffffffcc50	140737488342096
r8	0x1e0	480
r9	0x1f	31
r10	0x17c00f0	24903920
r11	0x7fffffffbb30	140737488337712
r12	0x16c33f8	23868408
r13	0x7fffffffcd60	140737488342368
r14	0x7fffffffcd40	140737488342336
r15	0x7fffffffd158	140737488343384
rip	0x6b09f6 <js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue)+4038>
=> 0x6b09f6 <js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue)+4038>:	mov    0x20(%rax),%rdi
   0x6b09fa <js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue)+4042>:	xor    %edx,%edx
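The testcase above only crashes an engine; it says nothing about what the correct result is once the engine survives. The following is an added example (not the reporter's testcase and not Mozilla code) that runs the same warm-up-then-mutate-prototype pattern as a regression-style check of the invariants a correct engine must preserve: the object's own data survives the prototype change, method lookup now resolves through the new prototype, and objects created afterwards by the same constructor are unaffected. It generalizes the page's single `__proto__` assignment to `Object.setPrototypeOf` and to a null prototype. `setJitCompilerOption` exists only in the SpiderMonkey shell, so it is called only when present; under Node the check still runs, just without the warm-up tuning.

```javascript
'use strict';

// Added example, not the bug's own testcase. Keep the shell-only JIT tuning
// optional so the same file runs in a SpiderMonkey shell and in Node.
if (typeof setJitCompilerOption === 'function') {
  setJitCompilerOption('ion.warmup.trigger', 30);
}

function ArrayCallback(state) {
  this.state = state;
}
ArrayCallback.prototype.isUpperCase = function (v) {
  return this.state ? true : v === v.toUpperCase();
};

// Constructed sample input, the same three strings as the testcase.
const strings = ['hello', 'Array', 'WORLD'];

// Warm up the constructor's property-set site and the callback, then change
// the prototype of the last object in one of three ways and report what a
// correct engine must still observe. `how` is 'dunder', 'setProto' or 'null'.
function warmThenSwapProto(iterations, how) {
  let obj = null;
  for (let i = 0; i < iterations; i++) {
    obj = new ArrayCallback(i % 2 === 0);
    strings.filter(obj.isUpperCase, obj);
  }

  // Replacement prototype whose method gives a visibly different answer
  // (first character upper-case instead of the whole string).
  const replacement = {
    isUpperCase(v) { return v[0] === v[0].toUpperCase(); },
  };

  switch (how) {
    case 'dunder':   obj.__proto__ = replacement; break;
    case 'setProto': Object.setPrototypeOf(obj, replacement); break;
    case 'null':     Object.setPrototypeOf(obj, null); break;
    default: throw new Error('unknown mutation kind: ' + how);
  }

  // The same constructor runs once more after the mutation; its cached
  // property-set path must not have been poisoned by the prototype change.
  const fresh = new ArrayCallback(false);

  const resolvesFromNewProto = how === 'null'
    ? obj.isUpperCase === undefined
    : obj.isUpperCase === replacement.isUpperCase;

  return {
    ownStateIntact: Object.prototype.hasOwnProperty.call(obj, 'state'),
    state: obj.state,
    resolvesFromNewProto,
    freshStillUsesOldProto: Object.getPrototypeOf(fresh) === ArrayCallback.prototype,
    freshState: fresh.state,
    filtered: how === 'null' ? null : strings.filter(obj.isUpperCase, obj),
  };
}
```

With the original `isUpperCase`, a `state === false` object filters the sample down to `['WORLD']`; after the prototype swap the replacement method is the one that runs and yields `['Array', 'WORLD']`, which is how the check tells "method resolved through the new prototype" apart from "stale cache still hit the old one".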
(Assignee)

Comment 1

4 years ago
Created attachment 8568228 [details] [diff] [review]
patch

Mutable __proto__ strikes again.
Assignee: nobody → bhackett1024
Attachment #8568228 - Flags: review?(jdemooij)
Comment on attachment 8568228 [details] [diff] [review]
patch

Review of attachment 8568228 [details] [diff] [review]:
-----------------------------------------------------------------

Heh.
Attachment #8568228 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/bb29e84761a5
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox39: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39