Closed
Bug 1155807
Opened 7 years ago
Closed 7 years ago
Assertion failure: !unknownProperties(), at vm/TypeInference.cpp involving --unboxed-objects
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla40
| Tracking | Status | |
|---|---|---|
| firefox40 | --- | fixed |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
3.75 KB,
text/plain
|
Details | |
|
1.70 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
// jsfunfuzz-generated
for (var i = 0; i < 2; i++) {
// Randomly chosen test: js/src/jit-test/tests/basic/bug1135718.js
setJitCompilerOption("ion.warmup.trigger", 8)
function f(state) {
this.s = state
}
f.prototype.g = function(v, y) {
this.t
}
x = ['', '']
j = new f(false)
x.filter(j.g, j)
x.filter(j.g, new f(false))
j.__proto__ = {}
}
asserts js debug shell on m-c changeset 0df249a0e4d3 with --fuzzing-safe --no-threads --ion-eager --unboxed-objects at Assertion failure: !unknownProperties(), at vm/TypeInference.cpp.
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 0df249a0e4d3
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c3714f520752
user: Brian Hackett
date: Mon Feb 02 09:27:59 2015 -0700
summary: Bug 1127987 - Fix transposed parent/metadata arguments in EmptyShape::getInitialShape, r=jandem.
Brian, is bug 1127987 a likely regressor?Flags: needinfo?(bhackett1024)
|
Reporter | |
Comment 1•7 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x4612e, 0x0000000100315119 js-dbg-64-dm-nsprBuild-darwin-0df249a0e4d3`js::TypeSet::ObjectKey::property(this=<unavailable>, id=<unavailable>) + 153 at TypeInference.cpp:1206, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100315119 js-dbg-64-dm-nsprBuild-darwin-0df249a0e4d3`js::TypeSet::ObjectKey::property(this=<unavailable>, id=<unavailable>) + 153 at TypeInference.cpp:1206
frame #1: 0x00000001004f02fd js-dbg-64-dm-nsprBuild-darwin-0df249a0e4d3`js::jit::IonBuilder::getDefiniteSlot(this=0x0000000101ed5258, types=0x0000000101ed5b18, name=0x0000000103800b08, pnfixed=0x00007fff5fbfd354, convertUnboxedGroups=0x00007fff5fbfd358) + 829 at IonBuilder.cpp:9510
frame #2: 0x00000001004f30f5 js-dbg-64-dm-nsprBuild-darwin-0df249a0e4d3`js::jit::IonBuilder::getPropTryDefiniteSlot(this=0x0000000101ed5258, emitted=0x00007fff5fbfd3f7, obj=0x0000000101ed6228, name=<unavailable>, barrier=NoBarrier, types=0x0000000101ed5b08) + 117 at IonBuilder.cpp:10473
frame #3: 0x00000001004d92d8 js-dbg-64-dm-nsprBuild-darwin-0df249a0e4d3`js::jit::IonBuilder::jsop_getprop(this=0x0000000101ed5258, name=0x0000000103800b08) + 664 at IonBuilder.cpp:10034
frame #4: 0x00000001004cd48f js-dbg-64-dm-nsprBuild-darwin-0df249a0e4d3`js::jit::IonBuilder::inspectOpcode(this=0x0000000101ed5258, op=JSOP_GETPROP) + 703 at IonBuilder.cpp:1924
(lldb)
|
Assignee | |
Comment 2•7 years ago
|
||
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8597429 -
Flags: review?(jdemooij)
|
||
Updated•7 years ago
|
Attachment #8597429 -
Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/32ec77351da5
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
You need to log in
before you can comment on or make changes to this bug.
Description
•