Assertion failure: resultPairObj->getDenseInitializedLength() == 2, at builtin/MapObject.cpp

RESOLVED FIXED in Firefox 42

Status: RESOLVED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 4 years ago
Modified: 4 years ago

People
Reporter: gkw
Assignee: till

Tracking
Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla42
Hardware: x86_64
OS: macOS

Firefox Tracking Flags: firefox42 fixed

Whiteboard: [jsbugmon:update]

Attachments: 2

// Randomly chosen test: js/src/jit-test/tests/jaeger/testSetElem-NewProto.js
var x = {};
// Install an accessor for index "1" on an object that will sit on
// Array.prototype's prototype chain: from now on, an index-1 store to any
// array that has no own element 1 invokes this setter instead of creating
// the element.
Object.defineProperty(x, "1", {
    set: function (){}
});
Array.prototype.__proto__ = x;
// jsfunfuzz-generated
// Iterating a Map runs the self-hosted iterator, whose temporary result
// pair ends up with fewer than two dense elements (see the assertion).
for (var v of (new Map)) {}

asserts js debug shell on m-c changeset 5b54831761b1 with --fuzzing-safe --no-threads --no-baseline --no-ion at Assertion failure: resultPairObj->getDenseInitializedLength() == 2, at builtin/MapObject.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 5b54831761b1

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150731141139" and the hash "91cb27a1be1e".
The "bad" changeset has the timestamp "20150731151438" and the hash "51d2109c72dc".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=91cb27a1be1e&tochange=51d2109c72dc

Till, is bug 1129313 a likely regressor?
Flags: needinfo?(till)
Posted file stack
(lldb) bt 5
* thread #1: tid = 0x2a0649, 0x00000001000d48b9 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::MapIteratorObject::next(cx=<unavailable>, mapIterator=<unavailable>, resultPairObj=<unavailable>) + 601 at MapObject.cpp:194, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000d48b9 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::MapIteratorObject::next(cx=<unavailable>, mapIterator=<unavailable>, resultPairObj=<unavailable>) + 601 at MapObject.cpp:194
    frame #1: 0x00000001003189b2 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`intrinsic_GetNextMapEntryForIterator(cx=0x000000010324c400, argc=<unavailable>, vp=0x0000000103510178) + 274 at SelfHosting.cpp:505
    frame #2: 0x0000000100234f59 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x000000010324c400, native=0x00000001003188a0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 209 at jscntxtinlines.h:235
    frame #3: 0x0000000100234e88 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::Invoke(cx=0x000000010324c400, args=CallArgs at 0x00007fff5fbfdfa0, construct=<unavailable>) + 632 at Interpreter.cpp:811
    frame #4: 0x00000001002503e4 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`Interpret(cx=<unavailable>, state=0x00007fff5fbfe730) + 47444 at Interpreter.cpp:3073
(lldb)
Wow, that's about as much a rookie mistake as it could possibly be :( It's almost as though I didn't know anything about our self-hosting infrastructure ...
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Attachment #8643011 - Flags: review?(jdemooij)
Attachment #8643011 - Flags: review?(jdemooij) → review+
url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/c6ee8f383e9ee8816e13400591261c68b33cb3dd
changeset:  c6ee8f383e9ee8816e13400591261c68b33cb3dd
user:       Till Schneidereit <till@tillschneidereit.net>
date:       Tue Aug 04 14:58:27 2015 +0200
description:
Bug 1190727 - Make initialization of temporary results array resilient against Array.prototype setters in self-hosted Map#next implementation. r=jandem
The pushed patch is slightly different from the one attached here, as discussed on IRC.
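The mechanism behind this bug, shown as an added illustration in plain JavaScript that is not code from the bug report or from SpiderMonkey's self-hosted Map implementation: a helper that fills its [key, value] result pair by index assignment can be hijacked by an accessor on the Array.prototype chain, exactly as the testcase above does, while a helper that defines own data properties (or uses an array literal) cannot. The builder and probe names below are hypothetical; the setter is installed on Array.prototype directly rather than one link further up, which the property lookup reaches just the same.

```javascript
"use strict";

// Hypothetical stand-in for a helper that fills a [key, value] result pair
// by index assignment. Each store is an ordinary [[Set]], so if an accessor
// for that index exists anywhere on the prototype chain, the setter runs
// instead of an own element being created.
function makePairByAssignment(key, value) {
  const pair = [];
  pair[0] = key;
  pair[1] = value;
  return pair;
}

// Hardened variant: define own data properties. [[DefineOwnProperty]] never
// consults the prototype chain, so user-installed setters cannot intercept.
function makePairByDefine(key, value) {
  const pair = [];
  const desc = (v) => ({ value: v, writable: true, enumerable: true, configurable: true });
  Object.defineProperty(pair, "0", desc(key));
  Object.defineProperty(pair, "1", desc(value));
  return pair;
}

// An array literal also creates its elements as own data properties
// (CreateDataProperty), so it is equally immune; shown for comparison.
function makePairByLiteral(key, value) {
  return [key, value];
}

// Run `build` while Array.prototype carries a setter for index "1", the
// situation the bug's testcase sets up. The setter is removed again in
// `finally` so the process is left clean. A plain object records the setter
// activity: using an array here would itself be subject to the setter.
function probe(build) {
  const seen = { calls: 0, last: undefined };
  Object.defineProperty(Array.prototype, "1", {
    set(v) { seen.calls += 1; seen.last = v; },   // swallows the store and observes the value
    configurable: true,
  });
  try {
    const pair = build("key", "value");
    return {
      length: pair.length,
      hasOwnIndex1: Object.prototype.hasOwnProperty.call(pair, "1"),
      setterCalls: seen.calls,
      captured: seen.last,
    };
  } finally {
    delete Array.prototype[1];
  }
}

// Results for all three builders side by side.
function compare() {
  return {
    assignment: probe(makePairByAssignment),
    define: probe(makePairByDefine),
    literal: probe(makePairByLiteral),
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The pair built by assignment ends with length 1 and no own element at index 1, and the setter has observed the value that was meant to be stored; the other two builders produce a proper two-element pair and never invoke the setter. Internal code that builds objects handed to or observed by scripts has to define properties rather than assign them whenever the receiver's prototype chain is reachable from user code.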
https://hg.mozilla.org/mozilla-central/rev/c6ee8f383e9e
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Blocks: 1100132