Bug 1216151 (Closed)
Opened 9 years ago
Closed 9 years ago
Assertion failure: !hasLazyGroup(), at js/src/jsobj.h:135
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla44

 | Tracking | Status
---|---|---
firefox44 | --- | fixed

People: Reporter: decoder, Assigned: jandem
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments (1 file): Patch, 2.96 KB, efaust: review+
The following testcase crashes on mozilla-central revision d1a89632277f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager --ion-offthread-compile=off):

setJitCompilerOption("baseline.warmup.trigger", 10)
loadFile(`
var o = {}
for (var i = 0; i < 10; ++i)
  o.x = ""
`);
function loadFile(lfVarx) eval("(function() { " + lfVarx + " })()")

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000044286c in JSObject::group (this=0x7ffff7e620a0) at js/src/jsobj.h:135
#0  0x000000000044286c in JSObject::group (this=0x7ffff7e620a0) at js/src/jsobj.h:135
#1  0x000000000064c0e4 in group (this=this@entry=0x7ffff7e620a0) at js/src/vm/ObjectGroup.h:118
#2  CanInlineSetPropTypeCheck (obj=obj@entry=0x7ffff7e620a0, id=..., val=..., checkTypeset=checkTypeset@entry=0x7fffffffa6d0) at js/src/jit/IonCaches.cpp:3064
#3  0x000000000067d336 in IsPropertySetInlineable (checkTypeset=0x7fffffffa6d0, needsTypeBarrier=<optimized out>, val=..., pshape=..., id=..., obj=0x7ffff7e620a0) at js/src/jit/IonCaches.cpp:3119
#4  CanAttachNativeSetProp (checkTypeset=0x7fffffffa6d0, shape=..., holder=..., needsTypeBarrier=<optimized out>, val=..., id=..., obj=..., cx=0x7ffff6907400) at js/src/jit/IonCaches.cpp:3200
#5  js::jit::SetPropertyIC::tryAttachNative (this=this@entry=0x7ffff69a94f0, cx=cx@entry=0x7ffff6907400, outerScript=..., outerScript@entry=..., ion=ion@entry=0x7ffff69a9400, obj=..., obj@entry=..., id=..., id@entry=..., emitted=emitted@entry=0x7fffffffa8e0, tryNativeAddSlot=tryNativeAddSlot@entry=0x7fffffffa8f0) at js/src/jit/IonCaches.cpp:3412
#6  0x000000000067f060 in js::jit::SetPropertyIC::tryAttachStub (this=this@entry=0x7ffff69a94f0, cx=cx@entry=0x7ffff6907400, outerScript=outerScript@entry=..., ion=ion@entry=0x7ffff69a9400, obj=obj@entry=..., id=..., id@entry=..., emitted=emitted@entry=0x7fffffffa8e0, tryNativeAddSlot=tryNativeAddSlot@entry=0x7fffffffa8f0) at js/src/jit/IonCaches.cpp:3474
#7  0x000000000067f28a in js::jit::SetPropertyIC::update (cx=0x7ffff6907400, outerScript=..., cacheIndex=<optimized out>, obj=..., value=...) at js/src/jit/IonCaches.cpp:3539
#8  0x00007ffff7fee03d in ?? ()
#9  0xff000000ff000000 in ?? ()
#10 0x00007fffffffaa68 in ?? ()
#11 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7ffff7e5d340 140737352422208
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffa600 140737488332288
rsp 0x7fffffffa600 140737488332288
r8  0x7ffff7fe0780 140737354008448
r9  0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffa3c0 140737488331712
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff69a94f0 140737330713840
r13 0x7fffffffa700 140737488332544
r14 0x7ffff7e620a0 140737352442016
r15 0x7fffffffa6e0 140737488332512
rip 0x44286c <JSObject::group() const+28>
=> 0x44286c <JSObject::group() const+28>: movl $0x87,0x0
   0x442877 <JSObject::group() const+39>: callq 0x4a56f0 <abort()>
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151015065148" and the hash "e261ab579dfb744fa1a9cd72eb36054d364907c4".
The "bad" changeset has the timestamp "20151015065349" and the hash "0ea76f0263ef67182b05fb12970ad24136365584".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e261ab579dfb744fa1a9cd72eb36054d364907c4&tochange=0ea76f0263ef67182b05fb12970ad24136365584
new function() { var x = {}; p(function() { x; }) } is another testcase that asserts identically with --fuzzing-safe --no-threads --ion-eager on m-c rev e8c7dfe727cd.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/03f521f50792
user: Jan de Mooij
date: Thu Oct 15 15:52:42 2015 +0200
summary: Bug 1214163 - Clean up SetPropertyIC::update. r=efaust

Jan, is bug 1214163 a likely regressor?
Flags: needinfo?(jdemooij)
Comment 4•9 years ago (Assignee)
Before the refactoring, SetPropertyIC::update happened to call obj->getGroup before trying to attach a stub. Some code there depended on this by expecting a non-lazy group. The simplest fix is to move the getGroup call before the tryAttachStub call. We could also pass a JSContext down to CanInlineSetPropTypeCheck, or return false there if we have a lazy group, but those options didn't seem great either.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8675799 - Flags: review?(efaustbmo)
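Added illustration of the ordering dependency described in comment 4; this is not SpiderMonkey code and not part of the bug thread. A check that has no JSContext and simply reads the object's group silently relies on an earlier getGroup() call having resolved a lazy group, so reordering the caller turns a passing path into an assertion. The names below (Obj, Group, canInlineSetPropTypeCheck, updateRegressed, updateFixed) are stand-ins for JSObject, ObjectGroup, CanInlineSetPropTypeCheck and SetPropertyIC::update, and the toy group() returns nullptr where the real one asserts, so the bad ordering is observable rather than aborting. The "defensive" variant corresponds to the bail-out alternative Jan mentions and declines.

```cpp
// Illustrative stand-ins only; not SpiderMonkey's types or functions.
#include <cassert>
#include <string>

struct Group {
    std::string name;
};

// Stand-in for JSObject. The group pointer starts out as a "lazy" sentinel
// and must be resolved before it may be read.
struct Obj {
    static Group* lazySentinel() {
        static Group sentinel{"<lazy>"};
        return &sentinel;
    }

    Group* group_ = lazySentinel();
    Group resolved_{"plain-object-group"};  // what delazification would produce

    bool hasLazyGroup() const { return group_ == lazySentinel(); }

    // Like JSObject::group(): only valid once the group is resolved. The real
    // code has MOZ_ASSERT(!hasLazyGroup()); here we return nullptr instead so
    // the ordering bug can be asserted on instead of aborting the process.
    Group* group() const {
        if (hasLazyGroup()) return nullptr;
        return group_;
    }

    // Like obj->getGroup(cx): resolves a lazy group as a side effect.
    Group* getGroup() {
        if (hasLazyGroup()) group_ = &resolved_;
        return group_;
    }
};

enum class Check { Ok, Skip, WouldAssert };

// Stand-in for CanInlineSetPropTypeCheck: no JSContext is available, so it can
// only read the group and implicitly depends on a caller having resolved it.
Check canInlineSetPropTypeCheck(const Obj& obj) {
    const Group* g = obj.group();
    if (!g) return Check::WouldAssert;
    return Check::Ok;
}

// The alternative from comment 4: refuse to proceed on a lazy group. It is
// safe, but it silently declines to attach a stub that would otherwise be fine.
Check canInlineSetPropTypeCheckDefensive(const Obj& obj) {
    if (obj.hasLazyGroup()) return Check::Skip;
    return canInlineSetPropTypeCheck(obj);
}

// Order after the refactoring in bug 1214163: the attach path runs before the
// getGroup() call whose side effect it depended on.
Check updateRegressed(Obj& obj) {
    Check result = canInlineSetPropTypeCheck(obj);  // tryAttachStub(...)
    obj.getGroup();                                 // resolved too late
    return result;
}

// Order after the fix: resolve the group first, then try to attach.
Check updateFixed(Obj& obj) {
    obj.getGroup();
    return canInlineSetPropTypeCheck(obj);          // tryAttachStub(...)
}

// Drive each ordering on a fresh object, as the IC would on first use.
Check regressedOrderOnFreshObject() { Obj o; return updateRegressed(o); }
Check fixedOrderOnFreshObject()     { Obj o; return updateFixed(o); }
Check defensiveOnFreshObject()      { Obj o; return canInlineSetPropTypeCheckDefensive(o); }

int main() {
    assert(regressedOrderOnFreshObject() == Check::WouldAssert);
    assert(fixedOrderOnFreshObject() == Check::Ok);
    assert(defensiveOnFreshObject() == Check::Skip);
    return 0;
}
```

The lesson for review is that a precondition satisfied only by a sibling call's side effect is not a precondition at all; either the callee resolves the state itself (which here would mean threading a JSContext down) or the invariant is asserted at the boundary where the reordering happened, as the debug assertion in JSObject::group() did.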
Comment 5•9 years ago
Comment on attachment 8675799 [details] [diff] [review]
Patch

Review of attachment 8675799 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, this reshuffle looks fine. I agree that we don't particularly want to drill a JSContext all the way in. I was worried that we would be artificially delazifying too much, but it looks like we're actually using it beforehand, also.
Attachment #8675799 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/dae20f86bbaa
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44