Closed Bug 1219044 Opened 9 years ago Closed 9 years ago

Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla45
Tracking Flags:
Tracking Status
firefox44 --- affected
firefox45 --- fixed
b2g-v2.5 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
3.35 KB, text/plain
Details
bug1219044-import-bindings-oom
3.38 KB, patch
terrence
: review+
Details | Diff | Splinter Review 
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1209001.js
oomTest(() => parseModule('import v from "mod";'));
fullcompartmentchecks(true);

asserts js debug shell on m-c changeset 4e164269cf88 with --fuzzing-safe --no-threads --ion-eager --no-baseline at Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 4e164269cf88

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user:        Jon Coppeard
date:        Tue Oct 13 13:37:07 2015 +0100
summary:     Bug 1212469 - Make oomTest() into a shell function r=nbp

Jon, is bug 1212469 a likely regressor?
Flags: needinfo?(jcoppeard)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x2230b7, 0x00000001000291fb js-dbg-64-dm-darwin-4e164269cf88`JS::Value::toPrivate(this=<unavailable>) const + 91 at Value.h:1331, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000291fb js-dbg-64-dm-darwin-4e164269cf88`JS::Value::toPrivate(this=<unavailable>) const + 91 at Value.h:1331
    frame #1: 0x00000001001567a3 js-dbg-64-dm-darwin-4e164269cf88`js::ModuleObject::importBindings(this=<unavailable>) + 99 at ModuleObject.cpp:598
    frame #2: 0x000000010015621e js-dbg-64-dm-darwin-4e164269cf88`js::ModuleObject::trace(trc=0x00007fff5fbfee40, obj=0x0000000103d5d100) + 142 at ModuleObject.cpp:722
    frame #3: 0x0000000100543c80 js-dbg-64-dm-darwin-4e164269cf88`JSObject::traceChildren(this=0x0000000103d5d100, trc=0x00007fff5fbfee40) + 64 at jsobj.cpp:3718
    frame #4: 0x00000001008e5cc8 js-dbg-64-dm-darwin-4e164269cf88`js::TraceChildren(trc=<unavailable>, thing=<unavailable>, kind=<unavailable>) + 40 at Tracer.cpp:204
(lldb)
We need to check whether the module import bindings slot has been initialised before trying to trace it.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8679970 - Flags: review?(terrence)
This is related to modules and not the oomTest() function.
Blocks: 930414
No longer blocks: 1212469
Attachment #8679970 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/c95b744106dc
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: