Closed Bug 1172483 Opened 8 years ago Closed 8 years ago

Assertion failure: this->is<T>(), at js/src/jsobj.h:526

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla41
Tracking Status
firefox41 --- fixed

People

(Reporter: decoder, Assigned: efaust)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 7d4ab4a9febd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

var o13 = Array;
function f5(o) {
  ox1 = new Proxy(o, {});
}
f5(o13);
new ox1(1, 2);
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004291bc in JSObject::as<JSFunction> (this=<optimized out>) at js/src/jsobj.h:526
#0  0x00000000004291bc in JSObject::as<JSFunction> (this=<optimized out>) at js/src/jsobj.h:526
#1  0x00000000004fad76 in as<JSFunction> (this=<optimized out>) at ../../dist/include/js/RootingAPI.h:741
#2  js::ArrayConstructor (cx=0x7ffff691b4e0, argc=<optimized out>, vp=<optimized out>) at js/src/jsarray.cpp:3291
#3  0x000000000068e782 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x4fa9f0 <js::ArrayConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4  0x0000000000692170 in js::CallJSNativeConstructor (cx=0x7ffff691b4e0, native=0x4fa9f0 <js::ArrayConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:268
#5  0x0000000000685336 in js::InvokeConstructor (cx=cx@entry=0x7ffff691b4e0, args=...) at js/src/vm/Interpreter.cpp:788
#6  0x00000000006856ab in js::InvokeConstructor (cx=cx@entry=0x7ffff691b4e0, fval=..., argc=<optimized out>, argv=0x7ffff4cf40b8, newTargetInArgv=newTargetInArgv@entry=true, rval=...) at js/src/vm/Interpreter.cpp:820
#7  0x0000000000ba5892 in js::ScriptedDirectProxyHandler::construct (this=<optimized out>, cx=0x7ffff691b4e0, proxy=..., args=...) at js/src/proxy/ScriptedDirectProxyHandler.cpp:1041
#8  0x0000000000ba3d95 in js::Proxy::construct (cx=cx@entry=0x7ffff691b4e0, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:410
#9  0x0000000000ba3e4e in js::proxy_Construct (cx=0x7ffff691b4e0, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:706
#10 0x000000000068e782 in js::CallJSNative (cx=0x7ffff691b4e0, native=0xba3db0 <js::proxy_Construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#11 0x0000000000692170 in js::CallJSNativeConstructor (cx=0x7ffff691b4e0, native=0xba3db0 <js::proxy_Construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:268
#12 0x0000000000685233 in js::InvokeConstructor (cx=cx@entry=0x7ffff691b4e0, args=...) at js/src/vm/Interpreter.cpp:801
#13 0x000000000066d336 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:2951
#14 0x000000000067b283 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:652
#15 0x00000000006862ee in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:887
#16 0x0000000000688531 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:927
#17 0x0000000000a86c15 in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4188
#18 0x0000000000a86ddb in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4210
#19 0x0000000000426ac1 in RunFile (compileOnly=false, file=0x7ffff69ac800, filename=0x7fffffffdfdc "min.js", cx=0x7ffff691b4e0) at js/src/shell/js.cpp:443
#20 Process (cx=cx@entry=0x7ffff691b4e0, filename=0x7fffffffdfdc "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:561
#21 0x00000000004724b1 in ProcessArgs (op=0x7fffffffda60, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:5749
#22 Shell (envp=<optimized out>, op=0x7fffffffda60, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:6018
#23 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6354
The assertion being triggered was introduced in bug 1141865, and bisection confirms the testcase ran fine before Part 2 of that bug landed.
Flags: needinfo?(efaustbmo)
Attached patch Fix
Fix. Another bogus assert. Unlike the last one, which was well-intentioned, but too strict, this one was never meant to land. I was using it to test the plumbing of new.target values to JSNatives from various call sites. In this case, though, the new.target is (quite rightly) the proxy that wraps the array constructor.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8616807 - Flags: review?(jwalden+bmo)
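The new.target behaviour efaust describes above, as an added JavaScript example (not code from the bug, the patch, or SpiderMonkey; makeRecorder and the other function names are constructed for illustration): when a constructor is invoked through a Proxy with an empty handler, the value of new.target seen by the target is the proxy object, not the wrapped function, which is why the native Array constructor cannot assume new.target is a JSFunction.

```javascript
// Constructor that records the new.target it observes (constructed for this example).
function makeRecorder() {
  const record = { seen: undefined };
  function Ctor() { record.seen = new.target; }
  return { Ctor, record };
}

// Direct construction: new.target is the constructor itself.
function directNewTarget() {
  const { Ctor, record } = makeRecorder();
  new Ctor();
  return record.seen === Ctor;
}

// Construction through a Proxy with no construct trap (as in the testcase):
// the default [[Construct]] forwards to the target with newTarget set to
// the proxy, so the target observes the proxy, not itself.
function proxiedNewTarget() {
  const { Ctor, record } = makeRecorder();
  const ProxyToCtor = new Proxy(Ctor, {});
  new ProxyToCtor();
  return { isProxy: record.seen === ProxyToCtor, isTarget: record.seen === Ctor };
}

// The built-in Array constructor receives the same kind of new.target.
// It only needs new.target's "prototype" property (looked up through the
// proxy, which forwards to Array.prototype), so the result is an ordinary
// Array of length 2; nothing requires new.target to be a plain function.
function arrayThroughProxy() {
  const ProxyToArray = new Proxy(Array, {});
  const a = new ProxyToArray(1, 2);
  return {
    isArray: Array.isArray(a),
    length: a.length,
    protoIsArray: Object.getPrototypeOf(a) === Array.prototype,
  };
}
```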
Comment on attachment 8616807 [details] [diff] [review]
Fix

Review of attachment 8616807 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/tests/ecma_6/Class/newTargetProxyNative.js
@@ +1,1 @@
> +new (new Proxy(Array, {}));
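Review bot: the single line at +1 gives no indication of what the test guards, and it passes on any build that simply does not abort. Add a leading comment naming bug 1172483 and the condition being exercised (new.target is the proxy wrapping Array when constructing through a Proxy), and assert on the result, for example that the object returned by `new ProxyToArray()` is an Array, so a later change that alters behaviour without tripping a debug assertion is still caught.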

var ProxyToArray = new Proxy(Array, {});
new ProxyToArray();

for a little more readability than parentheses-nesting stuff.
Attachment #8616807 - Flags: review?(jwalden+bmo) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150604061136" and the hash "81fe755dfd47".
The "bad" changeset has the timestamp "20150604062845" and the hash "dbc89e025b5f".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=81fe755dfd47&tochange=dbc89e025b5f
also found by bughunter on live websites
https://hg.mozilla.org/mozilla-central/rev/cf1683220e01
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41