Closed Bug 1226888 Opened 9 years ago Closed 9 years ago

Assertion failure: bufferVal.has(this, ValueEdge(vp)) || !ValueEdge(vp).maybeInRememberedSet(nursery_), at js/src/gc/StoreBuffer.h:426

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla45
Tracking Flags:
Tracking Status
firefox45 --- fixed

People

(Reporter: gkw, Assigned: terrence)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

bug_1226888-v0.diff
3.36 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 3f5afaf4e6b7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

setJitCompilerOption('ion.forceinlineCaches', 1);
// Adapted from randomly chosen test: js/src/jit-test/tests/TypedObject/jit-write-references.js
with({}) {}
v = new new TypedObject.StructType({
    f: TypedObject.Any
})
gc();
function g() {
    v.f = {
        Object
    };
    v.f;
}
for (var i = 0; i < 9; i++) {
    g();
}


Backtrace:

#0  0x0000000000a2c519 in js::CallJSNative (cx=cx@entry=0x7f6a4b218c00, native=0x59dea0 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#1  0x0000000000a24663 in js::Invoke (cx=cx@entry=0x7f6a4b218c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:408
#2  0x0000000000a25666 in js::Invoke (cx=cx@entry=0x7f6a4b218c00, thisv=..., fval=..., argc=1, argv=0x7f6a49d6b150, rval=...) at js/src/vm/Interpreter.cpp:460
#3  0x0000000000985225 in js::DirectProxyHandler::call (this=<optimized out>, cx=0x7f6a4b218c00, proxy=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#4  0x000000000097bd53 in js::CrossCompartmentWrapper::call (this=0x1b7c810 <js::CrossCompartmentWrapper::singleton>, cx=0x7f6a4b218c00, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#5  0x0000000000988213 in js::Proxy::call (cx=cx@entry=0x7f6a4b218c00, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#6  0x0000000000988307 in js::proxy_Call (cx=cx@entry=0x7f6a4b218c00, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:683
#7  0x0000000000a2c4a1 in js::CallJSNative (cx=cx@entry=0x7f6a4b218c00, native=0x988280 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8  0x0000000000a24801 in js::Invoke (cx=0x7f6a4b218c00, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:396
#9  0x0000000000a1ddc9 in Interpret (cx=0x7f6a4b218c00, state=...) at js/src/vm/Interpreter.cpp:2700
#10 0x0000000000a243b2 in js::RunScript (cx=cx@entry=0x7f6a4b218c00, state=...) at js/src/vm/Interpreter.cpp:355
#11 0x0000000000a24706 in js::Invoke (cx=cx@entry=0x7f6a4b218c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:426
#12 0x0000000000a25666 in js::Invoke (cx=cx@entry=0x7f6a4b218c00, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:460
#13 0x000000000085caf3 in JS_CallFunction (cx=cx@entry=0x7f6a4b218c00, obj=..., fun=fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2803
#14 0x00000000007f297f in OOMTest (cx=cx@entry=0x7f6a4b218c00, argc=<optimized out>, vp=0x7f6a49d6b0a8) at js/src/builtin/TestingFunctions.cpp:1163
#15 0x0000000000a2c4a1 in js::CallJSNative (cx=cx@entry=0x7f6a4b218c00, native=0x7f26f0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#16 0x0000000000a24663 in js::Invoke (cx=0x7f6a4b218c00, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:408
#17 0x0000000000a1ddc9 in Interpret (cx=0x7f6a4b218c00, state=...) at js/src/vm/Interpreter.cpp:2700
#18 0x0000000000a243b2 in js::RunScript (cx=cx@entry=0x7f6a4b218c00, state=...) at js/src/vm/Interpreter.cpp:355
#19 0x0000000000a2651d in js::ExecuteKernel (cx=cx@entry=0x7f6a4b218c00, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:617
#20 0x0000000000a26d51 in js::Execute (cx=cx@entry=0x7f6a4b218c00, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:654
#21 0x0000000000866ae4 in ExecuteScript (cx=cx@entry=0x7f6a4b218c00, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410
#22 0x0000000000866e82 in JS_ExecuteScript (cx=cx@entry=0x7f6a4b218c00, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443
#23 0x000000000042823c in RunFile (compileOnly=false, file=0x7f6a4b29d400, filename=0x7ffe59a5d1b0 "3544.js", cx=0x7f6a4b218c00) at js/src/shell/js.cpp:515
#24 Process (cx=cx@entry=0x7f6a4b218c00, filename=0x7ffe59a5d1b0 "3544.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:728
#25 0x000000000043d6aa in ProcessArgs (op=0x7ffe59a5c330, cx=0x7f6a4b218c00) at js/src/shell/js.cpp:6196
#26 Shell (envp=<optimized out>, op=0x7ffe59a5c330, cx=0x7f6a4b218c00) at js/src/shell/js.cpp:6508
#27 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6869
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3c61b61ea4a2
user:        Terrence Cole
date:        Thu Jun 18 10:23:49 2015 -0700
summary:     Bug 1175642 - Fix the interface that RelocatablePtr uses to interact with the StoreBuffer; r=jonco

Terrence, is bug 1175642 a likely regressor?
Blocks: 1175642
Flags: needinfo?(terrence)
OS: Linux → All
Setting s-s, there is a gc call in the testcase.
Group: javascript-core-security
This is the same as bug 1188290, but for value edges this time.
Assignee: nobody → terrence
Group: javascript-core-security
Severity: critical → normal
Status: NEW → ASSIGNED
Flags: needinfo?(terrence)
Hardware: x86_64 → All
Simply remove the assertion, since it is not correct.
Attachment #8690847 - Flags: review?(jdemooij)
Attachment #8690847 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/548d85c0f2cbca612fc0039a844c0eb450aa9e24
Bug 1226888 - Remove an incorrect assertion about store buffer state; r=jandem
https://hg.mozilla.org/mozilla-central/rev/548d85c0f2cb
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox45: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: