Bug 1232159 (Closed)
Assertion failure: false, at js/src/vm/SelfHosting.cpp:265
Opened 9 years ago; closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla46
People: Reporter: gkw, Assigned: efaust
Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 2.29 KB, review+ (till)
The following testcase crashes on mozilla-central revision cdcd33fd6e39 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --no-baseline):
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug623863.js
Function.prototype.prototype = function() {}
// Adapted from randomly chosen test: js/src/tests/ecma_7/TypedObject/method_map.js
var type = TypedObject.uint8.array(4).array(4);
var x = new type([
[, , , 0],
[, , , 0],
[, , , 0],
[, , , 0]
]);
x.map(2, function(y) {
return 0;
});
Backtrace:
0 js-dbg-64-dm-darwin-cdcd33fd6e39 0x00000001007cac18 intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*) + 280 (SelfHosting.cpp:265)
1 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100725a92 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 786 (jscntxtinlines.h:236)
2 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010071a970 Interpret(JSContext*, js::RunState&) + 48864 (Interpreter.cpp:2771)
3 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010070ea0c js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:391)
4 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100725af9 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 889 (Interpreter.cpp:462)
5 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010071a970 Interpret(JSContext*, js::RunState&) + 48864 (Interpreter.cpp:2771)
6 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010070ea0c js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:391)
7 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100725af9 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 889 (Interpreter.cpp:462)
8 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010071a970 Interpret(JSContext*, js::RunState&) + 48864 (Interpreter.cpp:2771)
9 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010070ea0c js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:391)
10 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100725af9 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 889 (Interpreter.cpp:462)
11 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010071a970 Interpret(JSContext*, js::RunState&) + 48864 (Interpreter.cpp:2771)
12 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010070ea0c js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:391)
13 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100725af9 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 889 (Interpreter.cpp:462)
14 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010071a970 Interpret(JSContext*, js::RunState&) + 48864 (Interpreter.cpp:2771)
15 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010070ea0c js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:391)
16 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100726f87 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 583 (Interpreter.cpp:650)
17 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010072736f js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 495 (RootingAPI.h:719)
18 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010050a191 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4410)
19 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010050a402 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:719)
20 js-dbg-64-dm-darwin-cdcd33fd6e39 0x000000010001e7e9 Process(JSContext*, char const*, bool, FileKind) + 3273 (js.cpp:515)
21 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100004fd1 main + 11825 (js.cpp:6205)
22 js-dbg-64-dm-darwin-cdcd33fd6e39 0x0000000100001594 start + 52
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1e0c29a6d058
user: Eric Faust
date: Fri Nov 13 18:22:22 2015 -0800
summary: Bug 1055472 - Part 14: Make the various TypedArray constructors properly subclassable. (r=Waldo, r=bhackett)
This iteration took 283.531 seconds to run.
Comment 2•9 years ago (Reporter)
Eric, is bug 1055472 a likely regressor?
Blocks: 1055472
Flags: needinfo?(efaustbmo)
Comment 3•9 years ago (Assignee)
Ohhhhh yeah. Working on it, now.
Comment 4•9 years ago (Assignee)
This was pretty good!
So the bare Uint32Array constructor we projected into SelfHosted code wasn't complete enough to have a prototype property. With subclassing, we now checked for that. The Function.prototype.prototype set changed the __proto__ as if it were subclassed!
Instead, just remove it and replace it with a normal Array. Till reliably informs me that this code is not long for this world anyway.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8698048 - Flags: review?(till)
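An added illustration of the mechanism comment 4 describes; this is not SpiderMonkey code and not the patch that landed (which, per comment 4, replaced the bare constructor with a normal Array). The helper names are hypothetical and mirror the spec-style lookup a subclassable constructor performs on newTarget.prototype; the own-property variant at the end is an illustrative hardening, not the fix on this page.

```javascript
// Added illustration of the mechanism in comment 4; not SpiderMonkey code.
// ES2015 subclassing: a constructor reached through `new` takes its instance
// prototype from newTarget.prototype and falls back to the realm default when
// that value is not an object. Hypothetical helper mirroring that lookup.
function getPrototypeFromConstructor(newTarget, fallbackProto) {
  const proto = newTarget.prototype;
  const isObject = (typeof proto === "object" && proto !== null) || typeof proto === "function";
  return isObject ? proto : fallbackProto;
}

// Arrow functions have no own `prototype`, like the bare constructor projected
// into self-hosted code. Constructed sample values stand in for the realm default.
const bare = () => {};
const defaultProto = { tag: "realm default" };

function protoBeforePollution() {
  return getPrototypeFromConstructor(bare, defaultProto).tag;
}

// Once Function.prototype.prototype is assigned (as the testcase does), the
// missing own property resolves through the prototype chain instead and the
// lookup is silently redirected: the function now looks subclassed.
function protoAfterPollution() {
  Function.prototype.prototype = { tag: "inherited from Function.prototype" };
  try {
    return getPrototypeFromConstructor(bare, defaultProto).tag;
  } finally {
    delete Function.prototype.prototype;
  }
}

// Illustrative hardening (not the landed patch): consult only an own
// `prototype` property, so an inherited one cannot redirect the lookup.
function getOwnPrototypeFromConstructor(newTarget, fallbackProto) {
  if (!Object.prototype.hasOwnProperty.call(newTarget, "prototype")) {
    return fallbackProto;
  }
  return getPrototypeFromConstructor(newTarget, fallbackProto);
}

function protoWithOwnCheck() {
  Function.prototype.prototype = { tag: "inherited from Function.prototype" };
  try {
    return getOwnPrototypeFromConstructor(bare, defaultProto).tag;
  } finally {
    delete Function.prototype.prototype;
  }
}
```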
Comment 5•9 years ago
Comment on attachment 8698048 [details] [diff] [review]
Fix
Review of attachment 8698048 [details] [diff] [review]:
-----------------------------------------------------------------
r=me, and again: my apologies for causing this mess :(
Attachment #8698048 - Flags: review?(till) → review+
Comment 7•9 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox46:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Comment 9•9 years ago (bugherder)