Closed Bug 1175622 Opened 9 years ago Closed 9 years ago

Assertion failure: !unknownProperties(), at js/src/vm/TypeInference.cpp:2898

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla42
Tracking Status
firefox41 --- affected
firefox42 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision ce863f9d8864 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

// Constructor that only ever defines the property "a"; "b" is unused.
function Thing(a, b) {
    this.a = a;
}
// Allocate many Thing instances so the engine sees the type heavily used.
var array = [];
for (var i = 0; i < 10000; i++)
    array.push(new Thing(i, i + 1));
// Use a Thing instance as a prototype; Object.create on it is where the
// assertion fires (Object.create -> changeToSingleton -> markUnknown in
// the backtrace below).
var proto = new Thing();
var obj = Object.create(proto);
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000780c2b in js::ObjectGroup::markUnknown (this=0x7ffff7e58730, cx=cx@entry=0x7ffff691b4e0) at js/src/vm/TypeInference.cpp:2898
#0  0x0000000000780c2b in js::ObjectGroup::markUnknown (this=0x7ffff7e58730, cx=cx@entry=0x7ffff691b4e0) at js/src/vm/TypeInference.cpp:2898
#1  0x0000000000780b09 in js::ObjectGroup::markUnknown (this=this@entry=0x7ffff7e58880, cx=cx@entry=0x7ffff691b4e0) at js/src/vm/TypeInference.cpp:2906
#2  0x0000000000780bb7 in MarkObjectGroupUnknownProperties (obj=0x7ffff7e58880, cx=0x7ffff691b4e0) at js/src/vm/TypeInference-inl.h:436
#3  js::ObjectGroup::markUnknown (this=0x7ffff7e58730, cx=cx@entry=0x7ffff691b4e0) at js/src/vm/TypeInference.cpp:2927
#4  0x0000000000780b09 in js::ObjectGroup::markUnknown (this=this@entry=0x7ffff7e58850, cx=cx@entry=0x7ffff691b4e0) at js/src/vm/TypeInference.cpp:2906
#5  0x0000000000ae9f0f in MarkObjectGroupUnknownProperties (obj=0x7ffff7e58850, cx=0x7ffff691b4e0) at js/src/vm/TypeInference-inl.h:436
#6  JSObject::changeToSingleton (cx=cx@entry=0x7ffff691b4e0, obj=obj@entry=...) at js/src/jsobj.cpp:2400
#7  0x00000000006f23f4 in js::ObjectGroup::defaultNewGroup (cx=cx@entry=0x7ffff691b4e0, clasp=clasp@entry=0x1a06660 <js::PlainObject::class_>, proto=..., associated=associated@entry=0x0) at js/src/vm/ObjectGroup.cpp:520
#8  0x0000000000afb4ce in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff691b4e0, clasp=clasp@entry=0x1a06660 <js::PlainObject::class_>, proto=..., allocKind=js::gc::OBJECT4_BACKGROUND, allocKind@entry=js::gc::OBJECT4, newKind=newKind@entry=js::TenuredObject) at js/src/jsobj.cpp:1160
#9  0x0000000000533d5b in NewObjectWithGivenProto<js::PlainObject> (newKind=js::TenuredObject, allocKind=js::gc::OBJECT4, proto=..., cx=0x7ffff691b4e0) at js/src/jsobjinlines.h:654
#10 js::ObjectCreateImpl (cx=cx@entry=0x7ffff691b4e0, proto=..., proto@entry=..., newKind=newKind@entry=js::TenuredObject, group=..., group@entry=...) at js/src/builtin/Object.cpp:647
#11 0x00000000008b365d in GetTemplateObjectForNative (res=..., args=<synthetic pointer>, native=<optimized out>, cx=0x7ffff691b4e0) at js/src/jit/BaselineIC.cpp:9358
#12 js::jit::TryAttachCallStub (cx=cx@entry=0x7ffff691b4e0, stub=0x7ffff69940c8, script=..., script@entry=..., pc=pc@entry=0x7ffff69ec682 ":", op=op@entry=JSOP_CALL, argc=<optimized out>, argc@entry=1, vp=vp@entry=0x7fffffffcd00, constructing=constructing@entry=false, isSpread=isSpread@entry=false, createSingleton=createSingleton@entry=false, handled=handled@entry=0x7fffffffc9f0) at js/src/jit/BaselineIC.cpp:9640
#13 0x00000000008b4079 in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffffcd58, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcd00, res=...) at js/src/jit/BaselineIC.cpp:9767
#14 0x00007ffff7feebdf in ?? ()
[...]
#38 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff7e58730	140737352402736
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc200	140737488339456
rsp	0x7fffffffc160	140737488339296
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffbf20	140737488338720
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff7e58880	140737352403072
r13	0x7ffff69bd658	140737330796120
r14	0x7ffff691b4e0	140737330132192
r15	0x7ffff69bd650	140737330796112
rip	0x780c2b <js::ObjectGroup::markUnknown(js::ExclusiveContext*)+795>
=> 0x780c2b <js::ObjectGroup::markUnknown(js::ExclusiveContext*)+795>:	movl   $0xb52,0x0
   0x780c36 <js::ObjectGroup::markUnknown(js::ExclusiveContext*)+806>:	callq  0x494ad0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150613075443" and the hash "3a994e364343".
The "bad" changeset has the timestamp "20150613081143" and the hash "fd36716d1f9d".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3a994e364343&tochange=fd36716d1f9d
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision c319f262ce3e).
Brian, any idea what could have fixed that? (bug 1162986 on which you've worked seems like the culprit, according to the regression window)
Flags: needinfo?(bhackett1024)
Attached patch: patch
This still reproduces for me.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8628380 - Flags: review?(jdemooij)
Attachment #8628380 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/6300fb53917c
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42