Closed Bug 1156532 Opened 10 years ago Closed 10 years ago

Crash [@ js::NativeObject::setDenseElementWithType] involving --unboxed-objects

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 1149498
Tracking Status
firefox40 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

function a() function() {}; function b() function() {}; try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} try {} catch (e) {} (function() { for (let d in []) { (function() {}) } }()); for (let w in [{}, {}, { x: 3 }, { x: 3 }, { x: 3 }, {}, { x: 3 }, {}, {}, { x: 3 }, { x: 3 }, {}, { x: 3 }, { x: 3 }, {}, { x: 3 }, {}, {}, { x: 3 }, { x: 3 }, { x: 3 }, { x: 3 }, { x: 3 }, { x: 3 }, { x: 3 }, {}, { x: 3 }, {}, { x: 3 }, { x: 3 }, {}, { x: 3 }, {}, { x: 3 }]) {}

crashes js debug shell on m-c changeset 50b95032152c with --fuzzing-safe --no-threads --no-ion --unboxed-objects --gc-zeal=14 at js::NativeObject::setDenseElementWithType.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 50b95032152c

autoBisect is currently running.
Flags: needinfo?(bhackett1024)
Summary: Crash [@ js::NativeObject::setDenseElementWithType] → Crash [@ js::NativeObject::setDenseElementWithType] involving --unboxed-objects
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x166d88, 0x00000001002bb8ed js-dbg-64-dm-nsprBuild-darwin-50b95032152c`js::NativeObject::setDenseElementWithType(js::ExclusiveContext*, unsigned int, JS::Value const&) [inlined] JSObject::isSingleton(this=0x00000001039871c0) const at jsobj.h:154, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x1039871c0)
  * frame #0: 0x00000001002bb8ed js-dbg-64-dm-nsprBuild-darwin-50b95032152c`js::NativeObject::setDenseElementWithType(js::ExclusiveContext*, unsigned int, JS::Value const&) [inlined] JSObject::isSingleton(this=0x00000001039871c0) const at jsobj.h:154
    frame #1: 0x00000001002bb8ed js-dbg-64-dm-nsprBuild-darwin-50b95032152c`js::NativeObject::setDenseElementWithType(js::ExclusiveContext*, unsigned int, JS::Value const&) at TypeInference-inl.h:145
    frame #2: 0x00000001002bb8ed js-dbg-64-dm-nsprBuild-darwin-50b95032152c`js::NativeObject::setDenseElementWithType(js::ExclusiveContext*, unsigned int, JS::Value const&) + 40 at TypeInference-inl.h:170
    frame #3: 0x00000001002bb8c5 js-dbg-64-dm-nsprBuild-darwin-50b95032152c`js::NativeObject::setDenseElementWithType(this=0x0000000103959040, cx=0x0000000101fa5180, index=33, val=0x00007fff5fbfd248) + 53 at NativeObject-inl.h:72
    frame #4: 0x0000000100268a6b js-dbg-64-dm-nsprBuild-darwin-50b95032152c`js::NativeDefineProperty(js::ExclusiveContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JSPropertyDescriptor>, JS::ObjectOpResult&) + 116 at NativeObject.cpp:1214
(lldb)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/76326ec30cd6
user:        Jeff Walden
date:        Wed Apr 15 10:55:39 2015 -0700
summary:     Bug 1154532 - Add ThrowRangeError and ThrowTypeError intrinsics to make self-hosted code's behavior clearer -- and also have each assert that error number and requested error type are consistent. (It appears no self-hosted code throws SyntaxError, ReferenceError, or URIError yet, so no adding functions for those yet.) r=till

Not sure if this is related to bug 1154532 or to --unboxed-objects, so keeping the needinfo? for Brian until it is clear that --unboxed-objects is not the issue.
Blocks: 1154532
I can't reproduce this, but it's probably a dupe of bug 1149498.
Flags: needinfo?(bhackett1024)
Can no longer reproduce using m-c rev 22a157f7feb7, assuming dupe to bug 1149498.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE