Closed Bug 1180608 Opened 9 years ago Closed 9 years ago

Assertion failure: !types.empty(), at vm/UnboxedObject.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla42
Tracking Status
firefox40 --- unaffected
firefox41 --- affected
firefox42 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

gczeal(14);
function g(code) {
    return { a: code.indexOf("") == 1 }
}
function h(rv) {
    try {
        for (var i of rv) {
            (function() {})
        }
    } catch (r) {}
}
function m(code) {
    g(code)
    f = new Function(code)
    h(f())
}
m("\
    for (let x = 0; x < 99; ++x) {\
        const c = yield([]);\
    };\
");
m("\
    try {\
        c();\
    } catch(e) {};\
    yield(print());\
    var s = 0\
")

asserts js debug shell on m-c changeset 136c41fca853 with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: !types.empty(), at vm/UnboxedObject.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 136c41fca853

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/19d5d9619443
user:        Brian Hackett
date:        Sun Jun 14 08:02:44 2015 -0700
summary:     Bug 1162986 - Allow objects to be turned into singletons dynamically, r=jandem.

Setting s-s first because this seems to involve types.

Brian, is bug 1162986 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x930ac, 0x0000000100372dd7 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`PropagatePropertyTypes(cx=<unavailable>, id=<unavailable>, oldGroup=<unavailable>, newGroup=<unavailable>) + 231 at UnboxedObject.cpp:383, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100372dd7 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`PropagatePropertyTypes(cx=<unavailable>, id=<unavailable>, oldGroup=<unavailable>, newGroup=<unavailable>) + 231 at UnboxedObject.cpp:383
    frame #1: 0x0000000100372476 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`js::UnboxedLayout::makeNativeGroup(cx=0x00000001029a3180, group=0x0000000103a598b0) + 2774 at UnboxedObject.cpp:522
    frame #2: 0x0000000100360390 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`js::UnboxedPlainObject::convertToNative(cx=0x00000001029a3180, obj=0x0000000103a9d020) + 176 at UnboxedObject.cpp:549
    frame #3: 0x0000000100373e81 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`js::UnboxedPlainObject::obj_setProperty(cx=0x00000001029a3180, obj=<unavailable>, id=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=0x00007fff5fbfbf28) + 1025 at UnboxedObject.cpp:818
    frame #4: 0x000000010080b254 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`JSObject::nonNativeSetProperty(cx=0x00000001029a3180, obj=<unavailable>, id=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=0x00007fff5fbfbf28) + 148 at jsobj.cpp:1058
(lldb)
Attached patch patch
This is a bogus assert: if there is only one unboxed object with a given group and it is converted to native while its properties are being initialized, the property type set might be empty if all objects it previously contained have been collected. I think this issue is what was causing bug 1167244.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8630483 - Flags: review?(jdemooij)
Group: core-security
Attachment #8630483 - Flags: review?(jdemooij) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Component: JavaScript Engine → JavaScript Engine: JIT