Closed Bug 1190733 Opened 6 years ago Closed 6 years ago

Assertion failure: index < initializedLength(), at vm/UnboxedObject-inl.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

Tracking
RESOLVED FIXED
mozilla43
Tracking Status
firefox42 --- affected
firefox43 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

x = [];
// Push an object value so the (--unboxed-arrays) array holds object elements.
Array.prototype.push.call(x, Uint8ClampedArray);
(function() {
    // Grow .length past the single initialized element.
    x.length = 9;
})();
// The dense reverse kernel walks up to length, so it reads slots that were never initialized.
Array.prototype.reverse.call(x);

asserts js debug shell on m-c changeset 5b54831761b1 with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays at Assertion failure: index < initializedLength(), at vm/UnboxedObject-inl.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 5b54831761b1

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/57bd26cc44b9
user:        Brian Hackett
date:        Fri May 29 14:29:50 2015 -0600
summary:     Bug 1166678 - Optimize Array.prototype.slice in Ion, r=jandem.

Brian, is bug 1166678 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file: stack
(lldb) bt 5
* thread #1: tid = 0x2ab2e7, 0x00000001000951c4 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)8>(JSContext*, JS::Handle<JSObject*>, unsigned int) + 52 at UnboxedObject-inl.h:239, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000951c4 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)8>(JSContext*, JS::Handle<JSObject*>, unsigned int) + 52 at UnboxedObject-inl.h:239
    frame #1: 0x0000000100095190 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)8>(JSContext*, JS::Handle<JSObject*>, unsigned int) [inlined] JS::Value js::GetBoxedOrUnboxedDenseElement<(JSValueType)8>(obj=<unavailable>, index=<unavailable>) at UnboxedObject-inl.h:395
    frame #2: 0x0000000100095190 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)8>(cx=0x000000010284c400, obj=<unavailable>, length=<unavailable>) + 880 at jsarray.cpp:1295
    frame #3: 0x00000001000824df js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`array_reverse(cx=0x000000010284c400, argc=<unavailable>, vp=0x00007fff5fbfe560) + 271 at jsarray.cpp:1331
    frame #4: 0x0000000100234f59 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x000000010284c400, native=0x00000001000823d0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 209 at jscntxtinlines.h:235
(lldb)
Attached patch: patch
Oops, ArrayReverseDenseKernel is calling length() instead of initializedLength() here.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8651101 - Flags: review?(jdemooij)
Attachment #8651101 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/a68f7c9e1fd3
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
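The length() versus initializedLength() confusion named in the patch comment, as an added C++ model that is not SpiderMonkey's code: `DenseElements`, `DenseElementResult` and the two kernels are constructed here to show why a fast path over dense elements must be bounded by the initialized region, with the buggy loop beside the corrected one.

```cpp
#include <cstdint>
#include <stdexcept>
#include <utility>
#include <vector>
// Constructed model, not SpiderMonkey code: a dense-element store with the two
// bounds the patch comment says the kernel confused. `length` is the JS-visible
// .length; only the first initializedLength() slots hold valid elements.
struct DenseElements {
    std::vector<uintptr_t> slots;  // initialized slots (object pointers, as in JSValueType 8)
    size_t length = 0;             // JS-visible length, may exceed slots.size()
    size_t initializedLength() const { return slots.size(); }
    // Stand-in for the debug assertion in the report: index < initializedLength().
    uintptr_t& element(size_t index) {
        if (index >= initializedLength()) throw std::out_of_range("index >= initializedLength()");
        return slots[index];
    }
};
enum class DenseElementResult { Success, Incomplete };

// Shape of the bug: the swap loop is bounded by length, so once .length has been
// grown past the initialized region it touches slots that were never written.
DenseElementResult reverseBoundedByLength(DenseElements& e) {
    for (size_t lo = 0, hi = e.length; lo + 1 < hi; ++lo, --hi)
        std::swap(e.element(lo), e.element(hi - 1));
    return DenseElementResult::Success;
}

// Fixed shape: the fast kernel only touches the initialized region and hands
// anything beyond it to the generic path by reporting Incomplete.
DenseElementResult reverseBoundedByInitializedLength(DenseElements& e) {
    if (e.length > e.initializedLength()) return DenseElementResult::Incomplete;
    for (size_t lo = 0, hi = e.length; lo + 1 < hi; ++lo, --hi)
        std::swap(e.element(lo), e.element(hi - 1));
    return DenseElementResult::Success;
}

// Mirrors the testcase: one element pushed, then x.length = 9.
DenseElements makeTestcaseArray() {
    DenseElements e;
    e.slots.push_back(0x1000);  // constructed placeholder object pointer
    e.length = 9;
    return e;
}

// Runs the buggy kernel on the testcase; true if the bounds check fired.
bool buggyKernelTripsBoundsCheck() {
    DenseElements e = makeTestcaseArray();
    try { reverseBoundedByLength(e); } catch (const std::out_of_range&) { return true; }
    return false;
}
```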