Bug 1204722 (Closed)
Opened 9 years ago
Closed 9 years ago
Assertion failure: isObjectOrNull(), at dist/include/js/Value.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
mozilla44
People
(Reporter: gkw, Assigned: bhackett1024)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Attachments (2 files)
6.28 KB, text/plain
2.56 KB, patch (jandem: review+)
x = [1e81];
x.map(function() {});
x.pop();
x.push([]);
[].map(function() {});
eval("[1/0]");
asserts js debug shell on m-c changeset fba4b0cd3823 with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays --ion-osr=off at Assertion failure: isObjectOrNull(), at dist/include/js/Value.h
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r fba4b0cd3823
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3a994e364343
user: Brian Hackett
date: Sat Jun 13 07:54:06 2015 -0700
summary: Bug 1172943 - Use unboxed arrays for JSON and script literal arrays, r=jandem.
Brian, is bug 1172943 a likely regressor?
Flags: needinfo?(bhackett1024)
Comment 1•9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x5de61e, 0x000000010001e066 js-dbg-64-dm-nsprBuild-darwin-fba4b0cd3823`JS::Value::toObjectOrNull(this=<unavailable>) const + 182 at Value.h:1242, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010001e066 js-dbg-64-dm-nsprBuild-darwin-fba4b0cd3823`JS::Value::toObjectOrNull(this=<unavailable>) const + 182 at Value.h:1242
frame #1: 0x00000001003ada28 js-dbg-64-dm-nsprBuild-darwin-fba4b0cd3823`js::SetUnboxedValueNoTypeChange(unboxedObject=0x000000010435f080, p=0x000000010435f098, type=<unavailable>, v=0x00007fff5fbfc060, preBarrier=false) + 296 at UnboxedObject-inl.h:82
frame #2: 0x00000001003e3161 js-dbg-64-dm-nsprBuild-darwin-fba4b0cd3823`js::DenseElementResult SetOrExtendBoxedOrUnboxedDenseElementsFunctor::operator()<(JSValueType)8>() + 353 at UnboxedObject-inl.h:518
frame #3: 0x00000001003e3000 js-dbg-64-dm-nsprBuild-darwin-fba4b0cd3823`js::DenseElementResult SetOrExtendBoxedOrUnboxedDenseElementsFunctor::operator(this=<unavailable>)<(JSValueType)8>() + 112 at UnboxedObject.cpp:2086
frame #4: 0x00000001003d4927 js-dbg-64-dm-nsprBuild-darwin-fba4b0cd3823`js::DenseElementResult js::CallBoxedOrUnboxedSpecialization<SetOrExtendBoxedOrUnboxedDenseElementsFunctor>(f=SetOrExtendBoxedOrUnboxedDenseElementsFunctor at 0x00007fff5fbfbd30, obj=<unavailable>) + 183 at UnboxedObject-inl.h:652
(lldb)
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 2•9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 3•9 years ago (Assignee)
When creating new literal arrays we know the type of the element is already reflected in type information, but need to perform additional checks to make sure we can fill in a new unboxed array without testing the values being set.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8663328 -
Flags: review?(jdemooij)
Comment 5•9 years ago
Comment on attachment 8663328 [details] [diff] [review]
patch
Review of attachment 8663328 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/vm/ObjectGroup.cpp
@@ +891,5 @@
> + if (elementType != TypeSet::StringType())
> + updateTypes = ShouldUpdateTypes::Update;
> + break;
> + case JSVAL_TYPE_OBJECT:
> + if (!elementType.get().isObjectUnchecked())
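Review bot: In the JSVAL_TYPE_OBJECT case, `!elementType.get().isObjectUnchecked()` treats a literal whose elements are all null as a mismatch, although null is a legal value for an object-typed unboxed element (the assertion this bug trips is isObjectOrNull(), not isObject()). That is safe, since it can only push such a literal onto the Update path where the values are re-checked, but it gives up the no-check fill for all-null literals; if that path matters, the condition could read `if (elementType != TypeSet::NullType() && !elementType.get().isObjectUnchecked())`, which keeps the same shape as the `elementType != TypeSet::StringType()` comparison in the string case above. The body of this `if` falls outside the quoted excerpt, so the hunk alone does not show whether it sets `updateTypes = ShouldUpdateTypes::Update` as the string case does.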
Should we also check for NullType here?
Attachment #8663328 -
Flags: review?(jdemooij) → review+
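The following toy model is added here to illustrate the point made in comment 3 and the check reviewed in comment 5; it is not SpiderMonkey code, and every name in it (Kind, Layout, decideUpdate, buildTrustingTypes, buildChecked) is invented. It shows why an unboxed array may only be filled from a literal "without testing the values being set" when the literal's element type agrees with the unboxed layout, and what happens when that comparison is skipped: a payload of the wrong kind is written into a slot the engine later reads as an object pointer, which is what the isObjectOrNull() assertion in the report catches in a debug build. The rule that an int32 may be widened into a double layout is an assumption of the model, not something this page states.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Kinds a literal element can have. Null is kept apart from Object because an
// object-typed unboxed slot accepts either (the engine asserts isObjectOrNull()).
enum class Kind { Int32, Double, String, Null, Object };

// Element type of an unboxed layout. There is no Null layout: a null element
// only ever lives in an Object layout.
enum class Layout { Int32, Double, String, Object };

struct Value {
    Kind kind;
    uint64_t payload;   // int32 bits, double bits, or a toy "pointer" (constructed values)
};

enum class ShouldUpdateTypes { DontUpdate, Update };

// Whether one value may be stored raw in a slot of the given layout.
// Assumption of this toy: an Int32 may be widened into a Double layout; no
// other cross-kind store is allowed.
bool elementFits(Layout layout, const Value& v) {
    switch (layout) {
      case Layout::Int32:  return v.kind == Kind::Int32;
      case Layout::Double: return v.kind == Kind::Double || v.kind == Kind::Int32;
      case Layout::String: return v.kind == Kind::String;
      case Layout::Object: return v.kind == Kind::Object || v.kind == Kind::Null;
    }
    return false;
}

// The decision the reviewed hunk makes: compare the element type that type
// information recorded for the literal against the layout, and allow the
// no-check fill only when they agree. `acceptNull` is jandem's NullType
// question: with it an all-null literal keeps the fast path into an Object
// layout; without it that literal takes the Update path, slower but still safe.
ShouldUpdateTypes decideUpdate(Layout layout, Kind literalType, bool acceptNull) {
    if (layout == Layout::Object && literalType == Kind::Null && !acceptNull)
        return ShouldUpdateTypes::Update;
    Value probe{literalType, 0};
    return elementFits(layout, probe) ? ShouldUpdateTypes::DontUpdate
                                      : ShouldUpdateTypes::Update;
}

struct UnboxedArray {
    Layout layout;
    std::vector<uint64_t> slots;   // raw payloads, no per-slot type tag
};

// Models SetUnboxedValueNoTypeChange: the caller promises the value fits the
// layout, and a debug build asserts it. This toy returns the verdict instead of
// asserting so the failure mode can be inspected; the payload is written either
// way, which is exactly the type confusion a release build would carry.
bool setNoTypeChange(UnboxedArray& arr, size_t i, const Value& v) {
    bool fits = elementFits(arr.layout, v);
    arr.slots[i] = v.payload;
    return fits;
}

struct BuildResult {
    bool unboxed;      // true if the unboxed layout was used
    bool consistent;   // false if some slot now holds a payload of the wrong kind
};

// Pre-patch path: trust type information and fill every slot without checks.
BuildResult buildTrustingTypes(Layout layout, const std::vector<Value>& literal) {
    UnboxedArray arr{layout, std::vector<uint64_t>(literal.size())};
    bool consistent = true;
    for (size_t i = 0; i < literal.size(); i++)
        consistent = setNoTypeChange(arr, i, literal[i]) && consistent;
    return {true, consistent};
}

// Patched path: consult decideUpdate first; on Update, test each value and fall
// back to a boxed array (every element keeps its own tag) if any would not fit.
BuildResult buildChecked(Layout layout, Kind literalType,
                         const std::vector<Value>& literal, bool acceptNull) {
    if (decideUpdate(layout, literalType, acceptNull) == ShouldUpdateTypes::DontUpdate)
        return buildTrustingTypes(layout, literal);
    for (const Value& v : literal)
        if (!elementFits(layout, v))
            return {false, true};
    return buildTrustingTypes(layout, literal);
}

int main() {
    // Constructed input: one double element (arbitrary payload bits) whose
    // target group has an Object layout, i.e. type information is stale.
    std::vector<Value> doubles{{Kind::Double, 0x4000000000000000ull}};
    BuildResult before = buildTrustingTypes(Layout::Object, doubles);
    BuildResult after  = buildChecked(Layout::Object, Kind::Double, doubles, true);
    std::printf("pre-patch: unboxed=%d consistent=%d\n", before.unboxed, before.consistent);
    std::printf("patched:   unboxed=%d consistent=%d\n", after.unboxed, after.consistent);
    return 0;
}
```

The two results differ only in who notices the mismatch: buildTrustingTypes stores the double's bits in an object slot and reports them inconsistent after the fact, which is the debug assertion from the report; buildChecked refuses the unboxed layout up front and produces a boxed array instead.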
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44