Closed Bug 1143106 Opened 5 years ago Closed 5 years ago

Crash [@ js::jit::ExecutableAllocator::poolForSize] or Assertion failure: this->is<T>(), at js/src/jsobj.h

Categories

(Core :: JavaScript Engine, defect, critical)
Platform: x86_64 / macOS
Priority: Not set

Tracking

RESOLVED FIXED
mozilla39
Tracking Status
firefox39 --- fixed

People

(Reporter: gkw, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(1 file)

({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}),
({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}),
({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}),
({x:3}), ({x:3}), ({x:3})

asserts js debug shell on m-c changeset 2795a48dfebe with --fuzzing-safe --no-threads --no-baseline --no-ion --unboxed-objects at Assertion failure: this->is<T>(), at js/src/jsobj.h.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 2795a48dfebe

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150312093755" and the hash "d8d51e983a8b".
The "bad" changeset has the timestamp "20150312095953" and the hash "94f1fc3d9ec8".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d8d51e983a8b&tochange=94f1fc3d9ec8

Brian, is bug 1135897 a likely regressor? Setting [fuzzblocker] because this is happening a lot with --unboxed-objects.
Flags: needinfo?(bhackett1024)
This similar testcase:

[{x:3},{x:3},{x:3},{x:3},{x:3},{x:3},{x:3},
 {x:3},{x:3},{x:3},{x:3},{x:3},{x:3},{x:3},
 {x:3},{x:3},{x:3},{x:3},{x:3},{x:3},{x:3}]

crashes js debug shell on m-c changeset 2795a48dfebe with --fuzzing-safe --no-threads --no-baseline --no-ion --unboxed-objects at js::jit::ExecutableAllocator::poolForSize.
Crash Signature: [@ js::jit::ExecutableAllocator::poolForSize]
Keywords: crash
Summary: Assertion failure: this->is<T>(), at js/src/jsobj.h → Crash [@ js::jit::ExecutableAllocator::poolForSize] or Assertion failure: this->is<T>(), at js/src/jsobj.h
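An added triage harness, not code from this report or from the SpiderMonkey tree: it regenerates the reporter's two testcase shapes (both use 21 object literals) at any count, runs them under the exact shell flags quoted above, and buckets each run the way the report does, an "Assertion failure:" line on stderr versus a plain signal death. The JS_SHELL path, the function names and the temporary file handling are assumptions; sweeping the count downward is a suggested minimization step, not something the report did.

```shell
#!/bin/sh
# Added triage harness for bug 1143106; not code from the report or the
# SpiderMonkey tree. Assumes a debug js shell at $JS_SHELL (assumption).

# Exact flags from the report.
FLAGS="--fuzzing-safe --no-threads --no-baseline --no-ion --unboxed-objects"

# gen_testcase KIND N: regenerate the reporter's two shapes with N object
# literals. KIND=expr gives the comma-separated expression list
# "({x:3}), ({x:3}), ..."; KIND=array gives the array literal "[{x:3},...]".
# Both testcases in the report use N=21.
gen_testcase() {
    kind=$1
    n=$2
    if [ "$kind" = expr ]; then
        item='({x:3})'
        sep=', '
    else
        item='{x:3}'
        sep=','
    fi
    out=""
    i=0
    while [ "$i" -lt "$n" ]; do
        if [ -z "$out" ]; then
            out=$item
        else
            out="$out$sep$item"
        fi
        i=$((i + 1))
    done
    if [ "$kind" = expr ]; then
        printf '%s\n' "$out"
    else
        printf '[%s]\n' "$out"
    fi
}

# classify_run STATUS STDERR_TEXT: bucket one shell run the way the report
# does. A failed MOZ_ASSERT also dies by signal, so the "Assertion failure:"
# marker is checked before the exit status; a status above 128 is a signal
# death (128 + signal number), e.g. 139 for SIGSEGV.
classify_run() {
    status=$1
    stderr_text=$2
    case "$stderr_text" in
        *"Assertion failure:"*)
            echo assert
            return 0 ;;
    esac
    if [ "$status" -gt 128 ]; then
        echo "crash(sig$((status - 128)))"
    elif [ "$status" -ne 0 ]; then
        echo "error($status)"
    else
        echo ok
    fi
}

# run_testcase NAME KIND N: write the generated testcase to a temp file,
# run it under the report's flags, print "NAME N: <class>". Safe under
# set -e because the shell's non-zero status is captured with "||".
run_testcase() {
    name=$1
    src=$(mktemp)
    err=$(mktemp)
    gen_testcase "$2" "$3" > "$src"
    status=0
    # FLAGS is intentionally unquoted so it splits into separate arguments.
    "$JS_SHELL" $FLAGS "$src" >/dev/null 2>"$err" || status=$?
    printf '%s %s: %s\n' "$name" "$3" "$(classify_run "$status" "$(cat "$err")")"
    rm -f "$src" "$err"
}

# With JS_SHELL set, reproduce both testcases at the reported count, then
# sweep the count downward to find the smallest list that still trips them.
if [ -n "${JS_SHELL:-}" ]; then
    for n in 21 16 8 4 1; do
        run_testcase expr-list expr "$n"
        run_testcase array-lit array "$n"
    done
fi
```

Run it as `JS_SHELL=/path/to/debug/js sh triage.sh`; without JS_SHELL set the script only defines the functions. The assertion marker is checked before the signal number because a debug-shell assertion also terminates by signal, so classifying on exit status alone would merge the two issues the report keeps separate.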
Attached patch: patch (attachment 8577677)
These testcases are two separate issues.  In the first one, we are marking preliminary objects of some group as singletons, which messes up some invariants.  In the second one, we don't ensure there is a JitRuntime/JitCompartment before allocating jitcode for unboxed object creation stubs.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8577677 - Flags: review?(jdemooij)
Attachment #8577677 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/0f59eb845739
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39