Closed
Bug 1228575
Opened 9 years ago
Closed 9 years ago
Assertion failure: !entry->shape(), at js/src/vm/Shape.cpp:554
Categories (Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1221378
Release | Tracking | Status |
---|---|---|
firefox45 | --- | affected |
People (Reporter: gkw, Unassigned)
Details (Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
The following testcase crashes on mozilla-central revision 74c7941a9e22 (build with --enable-debug --enable-more-deterministic --enable-profiling, run with --fuzzing-safe --no-threads --ion-eager):
// Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug1054241.js
s = newGlobal();
var x = ["", "a", "b"];
for (var i = 0; i < 4; ++i) {
    var y = x[i];
    s[y] = y;
}
try {
    evalcx("z", s);
} catch (e) {}
try {
    evalcx("var [] = +{}", s);
} catch (e) {}
try {
    evalcx("enableShellObjectMetadataCallback(); new Array;", s);
} catch (e) {}
Backtrace:
Core was generated by `/home/ubuntu/shell-cache/js-dbg-64-prof-linux-74c7941a9e22/js-dbg-64-prof-linux'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000ab100c in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7f235cb21800, obj=obj@entry=..., id=..., id@entry=..., getter=0x0, setter=0x0, slot=slot@entry=124, attrs=0, flags=0, entry=0x7f2357138020, allowDictionary=true) at js/src/vm/Shape.cpp:554
warning: Source file is more recent than executable.
554 MOZ_ASSERT(!entry->shape());
[Current thread is 1 (Thread 0x7f235e260740 (LWP 14293))]
#0 0x0000000000ab100c in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7f235cb21800, obj=obj@entry=..., id=..., id@entry=..., getter=0x0, setter=0x0, slot=slot@entry=124, attrs=0, flags=0, entry=0x7f2357138020, allowDictionary=true) at js/src/vm/Shape.cpp:554
#1 0x0000000000ab1504 in js::NativeObject::addProperty (cx=cx@entry=0x7f235cb21800, obj=obj@entry=..., id=id@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, slot=124, attrs=0, flags=0, allowDictionary=true) at js/src/vm/Shape.cpp:499
#2 0x0000000000a622b2 in js::NativeObject::addDataProperty (this=<optimized out>, cx=cx@entry=0x7f235cb21800, idArg=..., slot=<optimized out>, attrs=attrs@entry=0) at js/src/vm/NativeObject.cpp:953
#3 0x0000000000a1975a in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7f235cb21800, global=..., key=key@entry=JSProto_Array) at js/src/vm/GlobalObject.cpp:172
#4 0x0000000000a19cab in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7f235cb21800, global=..., global@entry=..., key=key@entry=JSProto_Array) at js/src/vm/GlobalObject.cpp:98
#5 0x000000000086d635 in JS_ResolveStandardClass (cx=0x7f235cb21800, obj=..., id=..., resolved=0x7ffdf40f78e0) at js/src/jsapi.cpp:1095
#6 0x00000000008daa0e in js::CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject-inl.h:391
#7 js::LookupOwnPropertyInline<(js::AllowGC)1> (donep=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7f235cb21800) at js/src/vm/NativeObject-inl.h:480
#8 js::LookupPropertyInline<(js::AllowGC)1> (propp=..., objp=..., id=..., obj=..., cx=0x7f235cb21800) at js/src/vm/NativeObject-inl.h:554
#9 js::LookupProperty (cx=cx@entry=0x7f235cb21800, obj=..., id=id@entry=..., objp=..., objp@entry=..., propp=propp@entry=...) at js/src/jsobj.cpp:2131
#10 0x00000000008dc910 in js::LookupName (cx=0x7f235cb21800, name=..., scopeChain=..., objp=..., pobjp=..., propp=...) at js/src/jsobj.cpp:2141
#11 0x0000000000a1ec78 in GetNameOperation (vp=..., pc=<optimized out>, fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:236
#12 Interpret (cx=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:2888
#13 0x0000000000a2c0f2 in js::RunScript (cx=cx@entry=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:391
#14 0x0000000000a2e029 in js::ExecuteKernel (cx=cx@entry=0x7f235cb21800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=0x0) at js/src/vm/Interpreter.cpp:650
#15 0x0000000000a2e58d in js::Execute (cx=cx@entry=0x7f235cb21800, script=script@entry=..., scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:685
#16 0x0000000000874ab0 in Evaluate (cx=cx@entry=0x7f235cb21800, scope=..., staticScope=staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4505
#17 0x00000000008753ed in JS::Evaluate (cx=cx@entry=0x7f235cb21800, options=..., bytes=<optimized out>, length=265, rval=rval@entry=...) at js/src/jsapi.cpp:4559
#18 0x0000000000879be5 in Evaluate (rval=..., filename=0x7f23570e7c90 "js/src/jit-test/tests/ion/bug1054241.js", optionsArg=..., cx=0x7f235cb21800) at js/src/jsapi.cpp:4576
#19 JS::Evaluate (cx=cx@entry=0x7f235cb21800, optionsArg=..., filename=<optimized out>, rval=..., rval@entry=...) at js/src/jsapi.cpp:4614
#20 0x0000000000457ae9 in LoadScript (cx=0x7f235cb21800, argc=1, vp=0x7f235719c2a8, scriptRelative=false) at js/src/shell/js.cpp:942
#21 0x0000000000a33891 in js::CallJSNative (cx=cx@entry=0x7f235cb21800, native=0x457cb0 <Load(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#22 0x0000000000a2c3a3 in js::Invoke (cx=0x7f235cb21800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:444
#23 0x0000000000a25929 in Interpret (cx=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:2763
#24 0x0000000000a2c0f2 in js::RunScript (cx=cx@entry=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:391
#25 0x0000000000a2e029 in js::ExecuteKernel (cx=cx@entry=0x7f235cb21800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=0x7f235719c208) at js/src/vm/Interpreter.cpp:650
#26 0x0000000000a2e58d in js::Execute (cx=cx@entry=0x7f235cb21800, script=script@entry=..., scopeChainArg=..., rval=0x7f235719c208) at js/src/vm/Interpreter.cpp:685
#27 0x0000000000874ab0 in Evaluate (cx=cx@entry=0x7f235cb21800, scope=..., staticScope=staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4505
#28 0x00000000008750ac in Evaluate (rval=..., length=140728698114592, chars=0x7ffdf40f9200 u"᠀岲缣", optionsArg=..., cx=0x7f235cb21800) at js/src/jsapi.cpp:4541
#29 JS::Evaluate (cx=cx@entry=0x7f235cb21800, optionsArg=..., chars=chars@entry=0x7f2357136c00 u"\"use strict\"; /* regression-test-load */ load(\"js/src/jit-test/tests/ion/bug1054241.js\");", length=length@entry=124, rval=...) at js/src/jsapi.cpp:4599
#30 0x000000000045a46f in EvalInContext (cx=cx@entry=0x7f235cb21800, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:2691
#31 0x0000000000a33891 in js::CallJSNative (cx=cx@entry=0x7f235cb21800, native=0x459fd0 <EvalInContext(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#32 0x0000000000a2c3a3 in js::Invoke (cx=0x7f235cb21800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:444
#33 0x0000000000a25929 in Interpret (cx=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:2763
#34 0x0000000000a2c0f2 in js::RunScript (cx=cx@entry=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:391
#35 0x0000000000a2e029 in js::ExecuteKernel (cx=cx@entry=0x7f235cb21800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=0x0) at js/src/vm/Interpreter.cpp:650
#36 0x0000000000a2e58d in js::Execute (cx=cx@entry=0x7f235cb21800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:685
#37 0x000000000086d0f4 in ExecuteScript (cx=cx@entry=0x7f235cb21800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410
#38 0x000000000086d492 in JS_ExecuteScript (cx=cx@entry=0x7f235cb21800, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443
#39 0x000000000042a37c in RunFile (compileOnly=false, file=0x7f235702b400, filename=0x7ffdf40fae1e "/tmp/tmpahIa22loop13/w896-reduced.js", cx=0x7f235cb21800) at js/src/shell/js.cpp:515
#40 Process (cx=cx@entry=0x7f235cb21800, filename=0x7ffdf40fae1e "/tmp/tmpahIa22loop13/w896-reduced.js", forceTTY=forceTTY@entry=false, kind=<optimized out>) at js/src/shell/js.cpp:728
#41 0x00000000004402d9 in ProcessArgs (op=0x7ffdf40fa4c0, cx=0x7f235cb21800) at js/src/shell/js.cpp:6189
#42 Shell (envp=<optimized out>, op=0x7ffdf40fa4c0, cx=0x7f235cb21800) at js/src/shell/js.cpp:6513
#43 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6874
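Fuzzer crashes like this one are usually bucketed by their top stack frames before anyone compares them against existing bugs. The following is an added example, not part of the bug report and not JSBugMon's or Mozilla's code: it parses gdb frames in the format shown above and derives a signature. The names `parse_frames` and `crash_signature`, the depth of 3 and the hashing scheme are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample: frames abridged from the backtrace above (arguments
# shortened). Frame #0 appears twice because gdb prints it once at the crash
# and again at the start of the `bt` listing.
SAMPLE_BT = """\
#0 0x0000000000ab100c in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7f235cb21800, allowDictionary=true) at js/src/vm/Shape.cpp:554
554 MOZ_ASSERT(!entry->shape());
#0 0x0000000000ab100c in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7f235cb21800, allowDictionary=true) at js/src/vm/Shape.cpp:554
#1 0x0000000000ab1504 in js::NativeObject::addProperty (cx=cx@entry=0x7f235cb21800, slot=124) at js/src/vm/Shape.cpp:499
#7 js::LookupOwnPropertyInline<(js::AllowGC)1> (donep=<synthetic pointer>, cx=0x7f235cb21800) at js/src/vm/NativeObject-inl.h:480
#21 0x0000000000a33891 in js::CallJSNative (cx=cx@entry=0x7f235cb21800, native=0x457cb0 <Load(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
"""

# "#N [0xADDR in ]function (args) at file:line". The address is absent on
# inlined frames, and both function names and arguments may contain parentheses.
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) \(.*\) at (\S+):(\d+)$"
)

def parse_frames(text):
    """Return [(index, function, file, line)], one entry per frame index."""
    frames = {}
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            idx = int(m.group(1))
            frames.setdefault(idx, (idx, m.group(2), m.group(3), int(m.group(4))))
    return [frames[i] for i in sorted(frames)]

def crash_signature(text, depth=3):
    """Hash function@file of the top frames; addresses, arguments and line
    numbers are excluded so the bucket survives rebuilds and small edits."""
    top = parse_frames(text)[:depth]
    key = "|".join(f"{func}@{path}" for _, func, path, _ in top)
    return hashlib.sha256(key.encode()).hexdigest()[:16], key

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_BT):
        print(frame)
    print(crash_signature(SAMPLE_BT))
```

Two reports with the same signature are only candidates for duplication; as in this bug, confirming it still takes testing the candidate fix against the testcase.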
Comment 1•9 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1ac68e528d12
user: Jon Coppeard
date: Thu Oct 08 10:49:49 2015 +0100
summary: Bug 1209107 - Only expose module environment object through testing functions r=shu
Jon, is bug 1209107 a likely regressor?
Flags: needinfo?(jcoppeard)
Comment 2•9 years ago
I don't think that's likely to be related. Maybe something to do with enableShellObjectMetadataCallback()?
Flags: needinfo?(jcoppeard)
Comment 3•9 years ago (Reporter)
> Maybe something to do with enableShellObjectMetadataCallback()?
Jim, maybe you're able to help with enableShellObjectMetadataCallback? Or please feel free to forward this to anyone else deemed more appropriate.
Flags: needinfo?(jimb)
Comment 4•9 years ago
I'll bet this is a duplicate of bug 1221378. Can you try the patch on that bug, to see if it helps?
Flags: needinfo?(jimb)
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 5•9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 6•9 years ago (Reporter)
(In reply to Jim Blandy :jimb from comment #4)
> I'll bet this is a duplicate of bug 1221378. Can you try the patch on that
> bug, to see if it helps?
Yes, that does help, so marking as dupe.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE