Closed Bug 1238658 Opened 8 years ago Closed 8 years ago

Assertion failure: self->is<U>(), at js/src/jsobj.h:580 with TypedObject

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla47
Tracking Status
firefox46 --- wontfix
firefox47 --- fixed

People

(Reporter: decoder, Assigned: jschulte)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 2 obsolete files)

The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

var { StructType, uint32 } = TypedObject;
// Struct with two uint32 fields; the first uses shorthand, so it is named "uint32".
Uints = new StructType({ uint32, g: uint32 });
uints = new Uints({});
// Struct whose single field g is itself a Uints struct.
Mixed = new StructType({ g: Uints });
// Initialise the nested field from a plain object whose prototype is a typed object.
// The lookups the constructor performs for "uint32" and "g" on this initializer walk
// the prototype chain into a TypedObject, which is not a NativeObject; the baseline
// GetElem IC's accessor-stub path (TryAttachNativeGetAccessorElemStub in the backtrace
// below) then trips the as<NativeObject>() assertion.
new Mixed({ g: { __proto__: uints } });

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004368a2 in js::RootedBase<JSObject*>::as<js::NativeObject> (this=0x7fffffffad20) at js/src/jsobj.h:580
#0  0x00000000004368a2 in js::RootedBase<JSObject*>::as<js::NativeObject> (this=0x7fffffffad20) at js/src/jsobj.h:580
#1  0x0000000000603d2b in as<js::NativeObject> (this=0x7fffffffad20) at js/src/jit/BaselineIC.cpp:1478
#2  TryAttachNativeGetAccessorElemStub<js::PropertyName*> (isTemporarilyUnoptimizable=<optimized out>, attached=<optimized out>, keyVal=..., obj=..., stub=<optimized out>, pc=<optimized out>, script=..., cx=<optimized out>) at js/src/jit/BaselineIC.cpp:1481
#3  js::jit::DoGetElemFallback (cx=0x7ffff6907800, frame=0x7fffffffaf08, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:1785
#4  0x00007ffff7ff200f in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6907800	140737330051072
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffab30	140737488333616
rsp	0x7fffffffab30	140737488333616
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffa8f0	140737488333040
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffffaf08	140737488334600
r13	0xf69a6b00	4137315072
r14	0x7fffffffaea0	140737488334496
r15	0x0	0
rip	0x4368a2 <js::RootedBase<JSObject*>::as<js::NativeObject>() const+28>
=> 0x4368a2 <js::RootedBase<JSObject*>::as<js::NativeObject>() const+28>:	movl   $0x244,0x0
   0x4368ad <js::RootedBase<JSObject*>::as<js::NativeObject>() const+39>:	callq  0x4a2c00 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/97b21e438a35
user:        Johannes Schulte
date:        Mon Dec 01 18:50:20 2014 +0100
summary:     Bug 1094491 - Generate baseline getElem ICs for accessor properties before calling the getter. r=efaust

This iteration took 204.217 seconds to run.
Eric, is bug 1094491 a likely regressor?
Blocks: 1094491
Flags: needinfo?(efaustbmo)
Attached patch v1.patch (obsolete) — Splinter Review
Well... :)
Attachment #8711335 - Flags: review?(efaustbmo)
Comment on attachment 8711335 [details] [diff] [review]
v1.patch

Review of attachment 8711335 [details] [diff] [review]:
-----------------------------------------------------------------

OOPS! This probably has nice performance implications as well, given that it was just bogusly disabling stub generation...
Attachment #8711335 - Flags: review?(efaustbmo) → review+
Attached patch v2.patch (obsolete) — Splinter Review
Turns out, actually testing the patch reveals another bug we couldn't hit till now. So here we go again.
Assignee: nobody → j_schulte
Attachment #8711335 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8717645 - Flags: review?(efaustbmo)
Comment on attachment 8717645 [details] [diff] [review]
v2.patch

Review of attachment 8717645 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with static_assert added. Thanks for looking into this :)

::: js/src/jit/BaselineIC.h
@@ +521,5 @@
>      static const unsigned NEEDS_ATOMIZE_SHIFT = 0;
>      static const uint16_t NEEDS_ATOMIZE_MASK = 0x1;
>  
>      static const unsigned ACCESSTYPE_SHIFT = 1;
> +    static const uint16_t ACCESSTYPE_MASK = 0x7;
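Review bot: with ACCESSTYPE_SHIFT still 1, an ACCESSTYPE_MASK of 0x7 makes the access-type field occupy bits 1..3 of the 16-bit word, and nothing in the hunk shows whether another field of this class is packed starting at bit 3, so confirm that no neighbouring mask overlaps it. The mask should also be tied to the enum it stores: a mask narrower than the largest AccessType value drops the high bit on read, so that value aliases a lower AccessType and the stub dispatches on the wrong kind; a `static_assert` comparing ACCESSTYPE_MASK against the enum's last value (`NumAccessTypes - 1` once a count sentinel is appended) turns future enum growth into a compile error instead of a silent truncation.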

please add

NumAccessTypes to the end of the AccessType enum

and

static_assert(ACCESSTYPE_MASK >= NumAccessTypes, "ACCESSTYPE_MASK must cover all possible AccessType values");

so that this doesn't bite someone else :)
Attachment #8717645 - Flags: review?(efaustbmo) → review+
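Why a too-narrow ACCESSTYPE_MASK becomes a type confusion, and what the requested static_assert buys, as an added C++ example that is not SpiderMonkey code: it packs a needs-atomize bit and an access type into a 16-bit word using the shifts and masks quoted in the review above, round-trips every enum value through a 2-bit and a 3-bit mask, and shows the high bit of the largest value being dropped so it reads back as a different kind. The AccessType member names, the five-member count and the pre-fix mask value 0x3 are assumptions; the page shows only the new value 0x7.

```cpp
// Added example, not SpiderMonkey code: demonstrates how a bit-packed flags word
// aliases enum values when the field mask is too narrow, and how a static_assert
// ties the mask to the enum so the mismatch fails at compile time.
#include <cstdint>
#include <cstdio>

// Hypothetical access kinds (assumption: the real enum is not shown on the page).
enum AccessType : uint8_t {
    Access_Getter = 0,
    Access_Setter,
    Access_CallGetter,
    Access_CallSetter,
    Access_DOM,
    NumAccessTypes          // count sentinel, one past the last real value
};

// Layout of the 16-bit extra-data word: bit 0 = needsAtomize, bits 1.. = access type.
// Names and values mirror the hunk quoted in the review.
static const unsigned NEEDS_ATOMIZE_SHIFT = 0;
static const uint16_t NEEDS_ATOMIZE_MASK = 0x1;
static const unsigned ACCESSTYPE_SHIFT = 1;
static const uint16_t ACCESSTYPE_MASK = 0x7;      // value from the hunk
static const uint16_t OLD_ACCESSTYPE_MASK = 0x3;  // assumed pre-fix value

// The largest real enum value is NumAccessTypes - 1, so that is what the mask must
// be able to represent. The review's stricter form (>= NumAccessTypes) also holds here.
static_assert(ACCESSTYPE_MASK >= NumAccessTypes - 1,
              "ACCESSTYPE_MASK must cover all possible AccessType values");

// Packer/unpacker parameterised on the access-type mask so both layouts can be compared.
template <uint16_t Mask>
struct ExtraData {
    static_assert((Mask & (Mask + 1u)) == 0, "mask must be a run of low bits");

    // The writer stores the raw enum value at the shift; a value wider than the field
    // bleeds into the bit above it, which is whatever the neighbouring field owns.
    static uint16_t pack(bool needsAtomize, AccessType type) {
        return uint16_t(((needsAtomize ? 1u : 0u) << NEEDS_ATOMIZE_SHIFT) |
                        (unsigned(type) << ACCESSTYPE_SHIFT));
    }
    static bool needsAtomize(uint16_t extra) {
        return ((extra >> NEEDS_ATOMIZE_SHIFT) & NEEDS_ATOMIZE_MASK) != 0;
    }
    // The reader masks with Mask, so any bit of the stored value above Mask is lost.
    static AccessType accessType(uint16_t extra) {
        return AccessType((extra >> ACCESSTYPE_SHIFT) & Mask);
    }
};

using NarrowLayout = ExtraData<OLD_ACCESSTYPE_MASK>;  // 2 bits: values 0..3 only
using WideLayout = ExtraData<ACCESSTYPE_MASK>;        // 3 bits: values 0..7

// Round-trips one access type through each layout. With the narrow mask,
// Access_DOM (4 = 0b100) loses its high bit and reads back as Access_Getter (0),
// so a stub for one kind of access would be attached or dispatched as another.
AccessType roundTripNarrow(AccessType t) {
    return NarrowLayout::accessType(NarrowLayout::pack(true, t));
}
AccessType roundTripWide(AccessType t) {
    return WideLayout::accessType(WideLayout::pack(true, t));
}

// True when every real access type survives a round trip through the layout.
template <typename Layout>
bool layoutIsLossless() {
    for (unsigned i = 0; i < NumAccessTypes; ++i) {
        AccessType t = AccessType(i);
        if (Layout::accessType(Layout::pack(false, t)) != t) return false;
    }
    return true;
}
bool narrowIsLossless() { return layoutIsLossless<NarrowLayout>(); }
bool wideIsLossless() { return layoutIsLossless<WideLayout>(); }

int main() {
    std::printf("narrow mask 0x%x lossless: %s\n", OLD_ACCESSTYPE_MASK, narrowIsLossless() ? "yes" : "no");
    std::printf("wide   mask 0x%x lossless: %s\n", ACCESSTYPE_MASK, wideIsLossless() ? "yes" : "no");
    std::printf("Access_DOM through narrow mask reads back as %u\n", unsigned(roundTripNarrow(Access_DOM)));
    return 0;
}
```

Changing `ACCESSTYPE_MASK` back to 0x3 at the top makes the static_assert fire at the point of the mismatch, which is exactly the failure mode the reviewer wanted to catch before it reaches a runtime assertion or, in a release build, a misdispatched stub.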
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/7aca5eb02c50
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
This is long fixed. Clearing ni?
Flags: needinfo?(efaustbmo)
Too late for assertion fixes in 46.