Assertion failure: isString(), at dist/include/js/Value.h

RESOLVED DUPLICATE of bug 1204722

Status

critical

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, regression, testcase})

Trunk
x86_64
Mac OS X

Firefox Tracking Flags

(firefox43 affected)

Details

(Whiteboard: [jsbugmon:])

(Reporter)

Description

3 years ago
for (var y of [,,,,,,,,,,,,,,,,,,,,[]]) {
    // Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug848733.js
    eval("var x = [0]; x[0] = '';");
}

asserts js debug shell on m-c changeset 7671701d15ca with --fuzzing-safe --no-threads --no-baseline --no-ion --unboxed-arrays at Assertion failure: isString(), at dist/include/js/Value.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7671701d15ca

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3a994e364343
user:        Brian Hackett
date:        Sat Jun 13 07:54:06 2015 -0700
summary:     Bug 1172943 - Use unboxed arrays for JSON and script literal arrays, r=jandem.

Brian, is bug 1172943 a likely regressor?
Flags: needinfo?(bhackett1024)
(Reporter)

Comment 1

3 years ago
Created attachment 8659636
stack

(lldb) bt 5
* thread #1: tid = 0x283d7b, 0x00000001003a5694 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::SetUnboxedValueNoTypeChange(JSObject*, unsigned char*, JSValueType, JS::Value const&, bool) + 52 at Value.h:1227, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003a5694 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::SetUnboxedValueNoTypeChange(JSObject*, unsigned char*, JSValueType, JS::Value const&, bool) + 52 at Value.h:1227
    frame #1: 0x00000001003a5660 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::SetUnboxedValueNoTypeChange(unboxedObject=<unavailable>, p=<unavailable>, type=<unavailable>, v=<unavailable>, preBarrier=<unavailable>) + 560 at UnboxedObject-inl.h:68
    frame #2: 0x00000001003d8a31 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult SetOrExtendBoxedOrUnboxedDenseElementsFunctor::operator()<(JSValueType)5>() + 353 at UnboxedObject-inl.h:518
    frame #3: 0x00000001003d88d0 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult SetOrExtendBoxedOrUnboxedDenseElementsFunctor::operator(this=<unavailable>)<(JSValueType)5>() + 112 at UnboxedObject.cpp:2086
    frame #4: 0x00000001003ca5cd js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult js::CallBoxedOrUnboxedSpecialization<SetOrExtendBoxedOrUnboxedDenseElementsFunctor>(f=SetOrExtendBoxedOrUnboxedDenseElementsFunctor at 0x00007fff5fbfbf90, obj=<unavailable>) + 173 at UnboxedObject-inl.h:650
(lldb)
(Reporter)

Updated

3 years ago
Blocks: 1100132

Updated

3 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]

Comment 2

3 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Duplicate of bug: 1204722