Bug 1196590 (Closed)
Assertion failure: this->is<T>(), at js/src/jsobj.h:547 with --unboxed-arrays
Opened 9 years ago; closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla43
Tracking: firefox43 fixed
People: Reporter: decoder; Assigned: bhackett1024
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): patch, 2.10 KB, jandem: review+
Description

The following testcase crashes on mozilla-central revision f384789a29dc (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --unboxed-arrays --ion-eager --arm-sim-icache-checks):

function bar(x, i) {
  if (i == 50)
    x.length = 0;
}

function foo(x, j, n) {
  for (var i = 0; i < n; i++) {
    bar(x, i);
  }
}

var a = foo([1,2,3,4], 3, 100);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x080a84dc in JSObject::as<js::UnboxedPlainObject> (this=<optimized out>) at js/src/jsobj.h:547
#0 0x080a84dc in JSObject::as<js::UnboxedPlainObject> (this=<optimized out>) at js/src/jsobj.h:547
#1 0x085a9c0d in as<js::UnboxedPlainObject> (this=<optimized out>) at js/src/jit/IonCaches.cpp:3249
#2 CanAttachSetUnboxedExpando (pshape=<optimized out>, checkTypeset=<optimized out>, needsTypeBarrier=<optimized out>, val=..., id=..., obj=..., cx=<optimized out>) at js/src/jit/IonCaches.cpp:3178
#3 js::jit::SetPropertyIC::update (cx=cx@entry=0xf7a03240, outerScript=outerScript@entry=..., cacheIndex=cacheIndex@entry=0, obj=obj@entry=..., value=value@entry=...) at js/src/jit/IonCaches.cpp:3303
#4 0x0874fd9b in js::jit::Simulator::softwareInterrupt (this=0xf7a82000, instr=0xf7a027a4) at js/src/jit/arm/Simulator-arm.cpp:2174
#5 0x087504c6 in js::jit::Simulator::decodeType7 (this=0xf7a82000, instr=0xf7a027a4) at js/src/jit/arm/Simulator-arm.cpp:3280
#6 0x0874e5e5 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a82000, instr=instr@entry=0xf7a027a4) at js/src/jit/arm/Simulator-arm.cpp:4199
#7 0x0875203c in execute<false> (this=0xf7a82000) at js/src/jit/arm/Simulator-arm.cpp:4254
#8 js::jit::Simulator::callInternal (this=this@entry=0xf7a82000, entry=entry@entry=0xf7c88a68 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4342
#9 0x087524c1 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7c88a68 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4425
#10 0x08478169 in EnterBaseline (cx=cx@entry=0xf7a03240, data=...) at js/src/jit/BaselineJIT.cpp:125
#11 0x084ab4bd in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a03240, state=...) at js/src/jit/BaselineJIT.cpp:157
#12 0x082f9cc0 in js::RunScript (cx=cx@entry=0xf7a03240, state=...) at js/src/vm/Interpreter.cpp:704
#13 0x082fa1cc in js::Invoke (cx=cx@entry=0xf7a03240, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:791
#14 0x082fb263 in js::Invoke (cx=cx@entry=0xf7a03240, thisv=..., fval=..., argc=argc@entry=3, argv=argv@entry=0xf4fffea8, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:828
#15 0x084ff71e in js::jit::DoCallFallback (cx=cx@entry=0xf7a03240, frame=frame@entry=0xf4ffff00, stub_=stub_@entry=0xf7a1d068, argc=argc@entry=3, vp=vp@entry=0xf4fffe98, res=res@entry=...) at js/src/jit/BaselineIC.cpp:10020
#16 0x087502ce in js::jit::Simulator::softwareInterrupt (this=0xf7a82000, instr=0xf7a02e44) at js/src/jit/arm/Simulator-arm.cpp:2181
#17 0x087504c6 in js::jit::Simulator::decodeType7 (this=0xf7a82000, instr=0xf7a02e44) at js/src/jit/arm/Simulator-arm.cpp:3280
#18 0x0874e5e5 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a82000, instr=instr@entry=0xf7a02e44) at js/src/jit/arm/Simulator-arm.cpp:4199
#19 0x0875203c in execute<false> (this=0xf7a82000) at js/src/jit/arm/Simulator-arm.cpp:4254
#20 js::jit::Simulator::callInternal (this=this@entry=0xf7a82000, entry=entry@entry=0xf7c88a68 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4342
#21 0x087524c1 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7c88a68 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4425
#22 0x08478169 in EnterBaseline (cx=cx@entry=0xf7a03240, data=...) at js/src/jit/BaselineJIT.cpp:125
#23 0x084ab4bd in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a03240, state=...) at js/src/jit/BaselineJIT.cpp:157
#24 0x082f9cc0 in js::RunScript (cx=cx@entry=0xf7a03240, state=...) at js/src/vm/Interpreter.cpp:704
#25 0x083039f5 in js::ExecuteKernel (cx=cx@entry=0xf7a03240, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:955
#26 0x08303e13 in js::Execute (cx=cx@entry=0xf7a03240, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:989
#27 0x0874b087 in ExecuteScript (cx=cx@entry=0xf7a03240, scope=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4352
#28 0x0874b286 in JS_ExecuteScript (cx=cx@entry=0xf7a03240, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4383
#29 0x0806b5cd in RunFile (compileOnly=false, file=0xf7aee9e0, filename=0xffffdaa2 "min.js", cx=0xf7a03240) at js/src/shell/js.cpp:459
#30 Process (cx=cx@entry=0xf7a03240, filename=0xffffdaa2 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:577
#31 0x080cd4e0 in ProcessArgs (op=0xffffd790, cx=<optimized out>) at js/src/shell/js.cpp:5772
#32 Shell (envp=<optimized out>, op=0xffffd790, cx=<optimized out>) at js/src/shell/js.cpp:6050
#33 main (argc=5, argv=0xffffd8e4, envp=0xffffd8fc) at js/src/shell/js.cpp:6396

Registers:

eax 0x0 0
ebx 0x9770d54 158797140
ecx 0xf7e4388c -136038260
edx 0x0 0
esi 0x0 0
edi 0x9785a60 158882400
ebp 0xffffbdd8 4294950360
esp 0xffffbdc0 4294950336
eip 0x80a84dc <JSObject::as<js::UnboxedPlainObject>()+42>

Disassembly:

=> 0x80a84dc <JSObject::as<js::UnboxedPlainObject>()+42>: movl $0x223,0x0
0x80a84e6 <JSObject::as<js::UnboxedPlainObject>()+52>: call 0x80f15c0 <abort()>
Comment 1 • 9 years ago
The SETPROP path in Ion caches assumed that an object with no shape was an unboxed plain object, when it could be an unboxed array object instead. This patch fixes that case, and adds a new assertion to the corresponding baseline path (which behaves correctly). I don't see any other places we assume this about maybeShape() in the tree.
Assignee: nobody → bhackett1024
Attachment #8651155 - Flags: review?(jdemooij)
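The assumption comment 1 describes, shown as an added toy C++ model (not SpiderMonkey's code): NativeObject, UnboxedArrayObject, Shape and the guard functions are hypothetical stand-ins, and only the maybeShape()/is<T>()/as<T>() names follow the bug.

```cpp
// Toy model of the shape-based assumption in comment 1. Not SpiderMonkey
// code: the classes below are hypothetical stand-ins; only the accessor names
// maybeShape(), is<T>() and as<T>() follow the ones named in the bug.
#include <cassert>

struct Shape { int id; };
static Shape kNativeShape{1};

struct Object {
    virtual ~Object() = default;
    Shape* shape = nullptr;                       // unboxed objects carry no shape
    Shape* maybeShape() const { return shape; }
    template <class T> bool is() const { return dynamic_cast<const T*>(this) != nullptr; }
    // Checked downcast: this is the assertion that fired in the report.
    template <class T> const T& as() const { assert(is<T>()); return static_cast<const T&>(*this); }
};

struct NativeObject : Object { NativeObject() { shape = &kNativeShape; } };
struct UnboxedPlainObject : Object {};           // no shape
struct UnboxedArrayObject : Object {};           // also no shape

// Guard the buggy Ion SETPROP cache path effectively used: "no shape" was
// taken to mean "unboxed plain object".
bool buggyGuard(const Object& obj) { return obj.maybeShape() == nullptr; }

// Corrected guard: ask the object for its actual class instead.
bool fixedGuard(const Object& obj) { return obj.is<UnboxedPlainObject>(); }

// True when the buggy guard admits an object that as<UnboxedPlainObject>()
// would reject, i.e. the type confusion behind the assertion failure.
bool buggyGuardMiscasts(const Object& obj) {
    return buggyGuard(obj) && !obj.is<UnboxedPlainObject>();
}

// With the fixed guard the downcast can no longer assert. Returns whether
// the unboxed-plain path was taken for this object.
bool trySetUnboxedExpando(const Object& obj) {
    if (!fixedGuard(obj)) return false;
    const UnboxedPlainObject& plain = obj.as<UnboxedPlainObject>();
    (void)plain;
    return true;
}
```

With --unboxed-arrays the array in the testcase reaches this path as an unboxed array object, which is exactly the case the buggy guard lets through.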
Updated • 9 years ago
Attachment #8651155 - Flags: review?(jdemooij) → review+
Comment 3 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/3f9990170a1a
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43