Closed
Bug 1193213
Opened 9 years ago
Closed 9 years ago
Assertion failure: this->is<T>(), at jsobj.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla43
| Tracking | Status | |
|---|---|---|
| firefox43 | --- | fixed |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
5.37 KB,
text/plain
|
Details | |
|
1.09 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
x = [''];
p``;
asserts js debug shell on m-c changeset 8cba870a352c with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays at Assertion failure: this->is<T>(), at jsobj.h
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 8cba870a352c
autoBisect is running, but guessing that this is related to --unboxed-arrays so setting needinfo? from Brian.
Flags: needinfo?(bhackett1024)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0xc2257, 0x00000001001bfde7 js-dbg-64-dm-nsprBuild-darwin-8cba870a352c`js::frontend::BytecodeEmitter::emitCallSiteObject(js::frontend::ParseNode*) + 52 at jsobj.h:547, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001001bfde7 js-dbg-64-dm-nsprBuild-darwin-8cba870a352c`js::frontend::BytecodeEmitter::emitCallSiteObject(js::frontend::ParseNode*) + 52 at jsobj.h:547
frame #1: 0x00000001001bfdb3 js-dbg-64-dm-nsprBuild-darwin-8cba870a352c`js::frontend::BytecodeEmitter::emitCallSiteObject(this=<unavailable>, pn=<unavailable>) + 467 at BytecodeEmitter.cpp:4731
frame #2: 0x00000001001aab81 js-dbg-64-dm-nsprBuild-darwin-8cba870a352c`js::frontend::BytecodeEmitter::emitTree(this=0x00007fff5fbfec78, pn=0x00000001028ae6d8) + 1633 at BytecodeEmitter.cpp:7900
frame #3: 0x00000001001c7484 js-dbg-64-dm-nsprBuild-darwin-8cba870a352c`js::frontend::BytecodeEmitter::emitCallOrNew(this=0x00007fff5fbfec78, pn=0x00000001028ae688) + 1236 at BytecodeEmitter.cpp:6737
frame #4: 0x00000001001aa7c5 js-dbg-64-dm-nsprBuild-darwin-8cba870a352c`js::frontend::BytecodeEmitter::emitTree(this=0x00007fff5fbfec78, pn=0x00000001028ae688) + 677 at BytecodeEmitter.cpp:7859
(lldb)
|
|
Reporter | |
Comment 2•9 years ago
|
||
Also happens with "--fuzzing-safe --no-threads --no-ion --unboxed-arrays".
|
|
Reporter | |
Comment 3•9 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3a994e364343
user: Brian Hackett
date: Sat Jun 13 07:54:06 2015 -0700
summary: Bug 1172943 - Use unboxed arrays for JSON and script literal arrays, r=jandem.
Brian, is bug 1172943 a likely regressor?
Blocks: 1172943
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 4•9 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Reporter | |
Updated•9 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:update]
|
|
Reporter | |
Comment 5•9 years ago
|
||
$ ~/shell-cache/js-dbg-64-dm-nsprBuild-darwin-29b2df16e961/js-dbg-64-dm-nsprBuild-darwin-29b2df16e961 --fuzzing-safe --no-threads --ion-eager --unboxed-arrays 1193213.js
Assertion failure: this->is<T>(), at /Users/skywalker/trees/mozilla-central/js/src/jsobj.h:547
Segmentation fault: 11
Just reproduced on m-c rev 29b2df16e961.
Note that there are backticks in the testcase in comment 0.
|
Assignee | |
Comment 6•9 years ago
|
||
These NativeObject casts are unnecessary.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8651093 -
Flags: review?(jorendorff)
|
||
Comment 7•9 years ago
|
||
Comment on attachment 8651093 [details] [diff] [review]
patch
Review of attachment 8651093 [details] [diff] [review]:
-----------------------------------------------------------------
r=me.
Attachment #8651093 -
Flags: review?(jorendorff) → review+
|
||
Comment 9•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
You need to log in
before you can comment on or make changes to this bug.
Description
•