1155292 - Crash [@ CanAttachNativeSetProp] or Crash [@ js::Shape::setter] with TypedObject

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision de27ac2ab94f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --no-threads):

new Function(`
var TO = TypedObject;
var PointType = new TO.StructType({x: TO.int32, y: TO.int32 });
function testPoint() {
    var p = new PointType();
    var sub = Object.create(p);
    sub.x = 5;
    anonymous('minEmptyChunkCount')   
}
testPoint();
`)();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
CanAttachNativeSetProp (checkTypeset=0x7ffffff99d20, shape=..., holder=..., needsTypeBarrier=<optimized out>, val=..., id=..., obj=..., cx=0x7ffff69770f0) at js/src/jit/IonCaches.cpp:3044
#0  CanAttachNativeSetProp (checkTypeset=0x7ffffff99d20, shape=..., holder=..., needsTypeBarrier=<optimized out>, val=..., id=..., obj=..., cx=0x7ffff69770f0) at js/src/jit/IonCaches.cpp:3044
#1  js::jit::SetPropertyIC::update (cx=0x7ffff69770f0, outerScript=..., cacheIndex=<optimized out>, obj=..., value=...) at js/src/jit/IonCaches.cpp:3239
#2  0x00007ffff7fe9ba2 in ?? ()
[...]
#10 0x0000000000000000 in ?? ()
rax	0x7ffff54331c0	140737308209600
rbx	0x7ffff69770f0	140737330508016
rcx	0x4b4308	4932360
rdx	0x1	1
rsi	0x7ffff7e00b68	140737352043368
rdi	0x7ffff5433110	140737308209424
rbp	0x7ffffff99ea0	140737487937184
rsp	0x7ffffff99ba0	140737487936416
r8	0x2	2
r9	0x7ffffff99dc0	140737487936960
r10	0x7ffffff99de0	140737487936992
r11	0x7ffff54331c0	140737308209600
r12	0x7ffff6957000	140737330376704
r13	0x7ffffff99e90	140737487937168
r14	0x7ffff6977110	140737330508048
r15	0x7ffff69570b8	140737330376888
rip	0x784958 <js::jit::SetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>)+1224>
=> 0x784958 <js::jit::SetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>)+1224>:	testb  $0x8,0x15(%rdx)
   0x78495c <js::jit::SetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>)+1228>:	jne    0x784bb8 <js::jit::SetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>)+1832>


I wasn't able to produce a test that doesn't inline the source code as text, even with the many tricks that usually work. No idea why it doesn't work here and needs this particular Function() setup.

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150328152420" and the hash "02f2f4c75007".
The "bad" changeset has the timestamp "20150328170419" and the hash "e19def475b91".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=02f2f4c75007&tochange=e19def475b91

Comment 2

[Christian Holler (:decoder)]

Needinfo from bhackett based on comment 1.

Comment 3

[Brian Hackett [Laid off!]]

Attachment: patch

Hmm, I still need to write that patch to clean up this implicit-property-returned-by-lookup thing.

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/9e3d626c89d8

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Backed out for SM(cgc) orange.
https://hg.mozilla.org/integration/mozilla-inbound/rev/68d42a9bf66d

https://treeherder.mozilla.org/logviewer.html#?job_id=9366729&repo=mozilla-inbound

Comment 6

[Brian Hackett [Laid off!]]

CGC was timing out on the new test, so I pushed without it.

Comment 7

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/96b8df76a5d6

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/96b8df76a5d6