Closed Bug 1148916
Opened 10 years ago, closed 10 years ago
Assertion failure: newKind == GenericObject || newKind == TenuredObject, at vm/UnboxedObject.cpp involving --unboxed-objects
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla40
People: Reporter: gkw, Assigned: bhackett1024
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update,ignore]
Attachments (2 files):
4.93 KB, text/plain
11.91 KB, patch (terrence: review+)
// Randomly chosen test: js/src/jit-test/tests/xdr/trivial.js
function f(x, y) {
    x = cacheEntry(x)
    y.compileAndGo = true
    evaluate(x, Object.create(y, {
        saveBytecode: {
            value: true
        }
    }))
    evaluate(x, Object.create(y, {}))
}
f("\
z = {\
b: {\
c: 3\
}\
};\
z.b.c++;\
z;\
", {})
asserts js debug shell on m-c changeset 385840329d91 with --fuzzing-safe --no-threads --ion-eager --unboxed-objects at Assertion failure: newKind == GenericObject || newKind == TenuredObject, at vm/UnboxedObject.cpp.
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 385840329d91
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150312093755" and the hash "d8d51e983a8b".
The "bad" changeset has the timestamp "20150312095953" and the hash "94f1fc3d9ec8".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d8d51e983a8b&tochange=94f1fc3d9ec8
Brian, is bug 1135897 a likely regressor?
Flags: needinfo?(bhackett1024)
Comment 1 (Reporter) • 10 years ago
(lldb) bt 5
* thread #1: tid = 0xbfbe3, 0x0000000100365ae6 js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::UnboxedPlainObject::createWithProperties(cx=<unavailable>, newKind=<unavailable>, properties=<unavailable>, group=<unavailable>) + 454 at UnboxedObject.cpp:619, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100365ae6 js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::UnboxedPlainObject::createWithProperties(cx=<unavailable>, newKind=<unavailable>, properties=<unavailable>, group=<unavailable>) + 454 at UnboxedObject.cpp:619
frame #1: 0x000000010029d7b8 js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::ObjectGroup::newPlainObject(cx=0x00000001028a5180, properties=0x00007fff5fbfbb68, nproperties=<unavailable>, newKind=<unavailable>) + 488 at ObjectGroup.cpp:1032
frame #2: 0x00000001008016e0 js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::DeepCloneObjectLiteral(cx=0x00000001028a5180, newKind=SingletonObject, obj=<unavailable>) + 384 at jsobj.cpp:1869
frame #3: 0x0000000100802406 js-dbg-64-dm-nsprBuild-darwin-385840329d91`DeepCloneValue(cx=0x00000001028a5180, vp=0x00007fff5fbfbd00, newKind=MaybeSingletonObject) + 118 at jsobj.cpp:1807
frame #4: 0x000000010080169a js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::DeepCloneObjectLiteral(cx=0x00000001028a5180, newKind=MaybeSingletonObject, obj=<unavailable>) + 314 at jsobj.cpp:1862
(lldb)
Updated by Reporter • 10 years ago
Summary: Assertion failure: newKind == GenericObject || newKind == TenuredObject, at vm/UnboxedObject.cpp → Assertion failure: newKind == GenericObject || newKind == TenuredObject, at vm/UnboxedObject.cpp involving --unboxed-objects
Comment 2 (Assignee) • 10 years ago
I can reproduce this on the original revision but not tip. I don't know if this specific assert can still be triggered, but the root problem is that we have this confusing distinction in NewObjectKind between TenuredObject and MaybeSingletonObject, which will be treated in the same way by the object allocation paths. This patch removes MaybeSingletonObject and replaces its uses with TenuredObject.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8588657 - Flags: review?(terrence)
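The redundancy described in comment 2, as an added C++ model that is not SpiderMonkey code and not part of the attached patch: it audits which kinds a precondition rejects even though allocation treats them exactly like a kind it accepts. Only the enum names and the assertion condition come from this page; `Placement`, `allocationPlacement`, `unboxedAccepts`, `rejectedAliases` and the placement rules are hypothetical.

```cpp
#include <cstdio>
#include <vector>

// Simplified model, not SpiderMonkey source. Kind names come from the bug text
// and backtrace; the placement rules below are assumptions for illustration.
enum NewObjectKind { GenericObject, SingletonObject, MaybeSingletonObject, TenuredObject };

struct Placement {
    bool tenured;    // allocated directly in the tenured heap
    bool singleton;  // gets its own singleton group (assumed: SingletonObject only)
};

// Assumed allocation path: MaybeSingletonObject and TenuredObject are handled
// identically, which is the redundancy comment 2 describes.
Placement allocationPlacement(NewObjectKind kind) {
    switch (kind) {
      case GenericObject:        return {false, false};
      case SingletonObject:      return {true, true};
      case MaybeSingletonObject: return {true, false};
      case TenuredObject:        return {true, false};
    }
    return {false, false};
}

// Precondition with the same condition as the failing assertion.
bool unboxedAccepts(NewObjectKind kind) {
    return kind == GenericObject || kind == TenuredObject;
}

// Audit: kinds the precondition rejects even though the allocation path treats
// them exactly like a kind it accepts. Each hit is a latent assertion failure.
std::vector<NewObjectKind> rejectedAliases(const std::vector<NewObjectKind>& kinds) {
    std::vector<NewObjectKind> hits;
    for (NewObjectKind k : kinds) {
        if (unboxedAccepts(k)) continue;
        Placement pk = allocationPlacement(k);
        for (NewObjectKind other : kinds) {
            Placement po = allocationPlacement(other);
            bool same = pk.tenured == po.tenured && pk.singleton == po.singleton;
            if (unboxedAccepts(other) && same) { hits.push_back(k); break; }
        }
    }
    return hits;
}

// Kind sets before and after a change that removes MaybeSingletonObject.
const std::vector<NewObjectKind> kBefore = {GenericObject, SingletonObject, MaybeSingletonObject, TenuredObject};
const std::vector<NewObjectKind> kAfter = {GenericObject, SingletonObject, TenuredObject};

int main() {
    std::printf("before: %zu, after: %zu\n", rejectedAliases(kBefore).size(), rejectedAliases(kAfter).size());
    return 0;
}
```

In this model `SingletonObject` is also rejected by the precondition but is not reported, because no accepted kind shares its placement.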
Comment 3 • 10 years ago
Comment on attachment 8588657: rm MaybeSingletonObject
Review of attachment 8588657:
-----------------------------------------------------------------
Thanks! Nice to see that that ugly special case is gone now.
Attachment #8588657 - Flags: review?(terrence) → review+
Updated by Reporter • 10 years ago
Whiteboard: [jsbugmon:update]
Updated • 10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 4 • 10 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a530b5c3b713).
Comment 5 (Assignee) • 10 years ago
Comment 6 • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox40: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40