Closed
Bug 1204165
Opened 10 years ago
Closed 10 years ago
Assertion failure: this->is<T>(), at jsobj.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Attachments
(2 files)
|
2.29 KB,
text/plain
|
Details | |
|
1.55 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
var x;
function f() {
x = [];
for (var i = 0; i < 1; ++i) {
x.push("");
}
[0].concat(x);
}
f();
f();
asserts js debug shell on m-c changeset 7671701d15ca with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays at Assertion failure: this->is<T>(), at jsobj.h
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7671701d15ca
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e671afb66591
user: Brian Hackett
date: Fri Aug 21 11:49:50 2015 -0600
summary: Bug 1176451 - Optimize Array.concat when used on different types of boxed vs. unboxed arrays, r=jandem.
Brian, is bug 1176451 a likely regressor?
Thanks Jesse for helping me reduce this.
Flags: needinfo?(bhackett1024)
|
Reporter | |
Comment 1•10 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x46ce50, 0x0000000100096b38 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult ArrayConcatDenseKernel<(JSValueType)4, (JSValueType)5>(JSContext*, JSObject*, JSObject*, JSObject*) + 52 at jsobj.h:547, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100096b38 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult ArrayConcatDenseKernel<(JSValueType)4, (JSValueType)5>(JSContext*, JSObject*, JSObject*, JSObject*) + 52 at jsobj.h:547
frame #1: 0x0000000100096b04 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult ArrayConcatDenseKernel<(JSValueType)4, (JSValueType)5>(JSContext*, JSObject*, JSObject*, JSObject*) at UnboxedObject-inl.h:375
frame #2: 0x0000000100096b04 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::DenseElementResult ArrayConcatDenseKernel<(JSValueType)4, (JSValueType)5>(cx=0x000000010075cae1, obj1=<unavailable>, obj2=<unavailable>, result=<unavailable>) + 708 at jsarray.cpp:2540
frame #3: 0x000000010007efad js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::array_concat_dense(cx=<unavailable>, obj1=<unavailable>, obj2=<unavailable>, result=<unavailable>) + 77 at jsarray.cpp:2570
frame #4: 0x0000000100758ce4 js-dbg-64-dm-nsprBuild-darwin-7671701d15ca`js::jit::ArrayConcatDense(cx=0x000000010284c400, obj1=<unavailable>, obj2=<unavailable>, objRes=<unavailable>) + 52 at VMFunctions.cpp:357
(lldb)
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 2•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
Assignee | |
Comment 3•10 years ago
|
||
:(
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8663331 -
Flags: review?(jdemooij)
|
||
Updated•10 years ago
|
Attachment #8663331 -
Flags: review?(jdemooij) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•