Bug 1180608 - Assertion failure: !types.empty(), at vm/UnboxedObject.cpp
Status: RESOLVED FIXED (Closed); opened 9 years ago, closed 9 years ago
Product/Component: Core :: JavaScript Engine: JIT (defect)
Target Milestone: mozilla42

| Release | Tracking | Status |
|---|---|---|
| firefox40 | --- | unaffected |
| firefox41 | --- | affected |
| firefox42 | --- | fixed |

Reporter: gkw
Assignee: bhackett1024
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments (2): a 2.38 KB text/plain testcase, and a 771-byte patch (jandem: review+)

Description (gkw, Reporter):
```js
gczeal(14); // SpiderMonkey shell builtin: forces very frequent GC
function g(code) {
    return {
        a: code.indexOf("") == 1
    }
}
function h(rv) {
    try {
        for (var i of rv) {
            (function() {})
        }
    } catch (r) {}
}
function m(code) {
    g(code)
    // `yield` in the body makes f a legacy (pre-ES6) SpiderMonkey generator
    f = new Function(code)
    h(f())
}
m("\
for (let x = 0; x < 99; ++x) {\
const c = yield([]);\
};\
");
m("\
try {\
c();\
} catch(e) {};\
yield(print());\
var s = 0\
")
```
asserts js debug shell on m-c changeset 136c41fca853 with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: !types.empty(), at vm/UnboxedObject.cpp.
Configure options:

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 136c41fca853
```
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/19d5d9619443
user: Brian Hackett
date: Sun Jun 14 08:02:44 2015 -0700
summary: Bug 1162986 - Allow objects to be turned into singletons dynamically, r=jandem.
Setting s-s first because this seems to involve types.
Brian, is bug 1162986 a likely regressor?
Flags: needinfo?(bhackett1024)
Updated (gkw, Reporter):
status-firefox40: --- → unaffected
status-firefox41: --- → affected

Comment 1 (gkw, Reporter):
```
(lldb) bt 5
* thread #1: tid = 0x930ac, 0x0000000100372dd7 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`PropagatePropertyTypes(cx=<unavailable>, id=<unavailable>, oldGroup=<unavailable>, newGroup=<unavailable>) + 231 at UnboxedObject.cpp:383, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100372dd7 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`PropagatePropertyTypes(cx=<unavailable>, id=<unavailable>, oldGroup=<unavailable>, newGroup=<unavailable>) + 231 at UnboxedObject.cpp:383
    frame #1: 0x0000000100372476 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`js::UnboxedLayout::makeNativeGroup(cx=0x00000001029a3180, group=0x0000000103a598b0) + 2774 at UnboxedObject.cpp:522
    frame #2: 0x0000000100360390 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`js::UnboxedPlainObject::convertToNative(cx=0x00000001029a3180, obj=0x0000000103a9d020) + 176 at UnboxedObject.cpp:549
    frame #3: 0x0000000100373e81 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`js::UnboxedPlainObject::obj_setProperty(cx=0x00000001029a3180, obj=<unavailable>, id=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=0x00007fff5fbfbf28) + 1025 at UnboxedObject.cpp:818
    frame #4: 0x000000010080b254 js-dbg-64-dm-nsprBuild-darwin-136c41fca853`JSObject::nonNativeSetProperty(cx=0x00000001029a3180, obj=<unavailable>, id=<unavailable>, v=<unavailable>, receiver=<unavailable>, result=0x00007fff5fbfbf28) + 148 at jsobj.cpp:1058
(lldb)
```
Comment 2 (bhackett1024, Assignee):
This is a bogus assert: if there is only one unboxed object with a given group and it is converted to native while its properties are being initialized, the property type set might be empty if all objects it previously contained have been collected. I think this issue is what was causing bug 1167244.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8630483 - Flags: review?(jdemooij)
Updated (bhackett1024, Assignee):
Group: core-security

Updated:
Attachment #8630483 - Flags: review?(jdemooij) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42

Updated (gkw, Reporter):
Component: JavaScript Engine → JavaScript Engine: JIT