Closed Bug 1240538 Opened 8 years ago Closed 8 years ago

Assertion failure: !global->lookup(cx, id), at js/src/vm/GlobalObject.cpp:227 with evalcx

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1239605
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision 8cb42e7a16b4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

g0 = evalcx('lazy');
v1 = g0.SharedArrayBuffer = SharedArrayBuffer;
v1 instanceof g0;

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a38ff8 in js::GlobalObject::initBuiltinConstructor (cx=cx@entry=0x7ffff6907800, global=global@entry=..., key=key@entry=JSProto_SharedArrayBuffer, ctor=..., ctor@entry=..., proto=..., proto@entry=...) at js/src/vm/GlobalObject.cpp:227
#0  0x0000000000a38ff8 in js::GlobalObject::initBuiltinConstructor (cx=cx@entry=0x7ffff6907800, global=global@entry=..., key=key@entry=JSProto_SharedArrayBuffer, ctor=..., ctor@entry=..., proto=..., proto@entry=...) at js/src/vm/GlobalObject.cpp:227
#1  0x0000000000b05b7f in js::InitSharedArrayBufferClass (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=...) at js/src/vm/SharedArrayObject.cpp:365
#2  0x0000000000a364e8 in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7ffff6907800, global=..., key=key@entry=JSProto_SharedArrayBuffer) at js/src/vm/GlobalObject.cpp:131
#3  0x0000000000a365fc in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7ffff6907800, global=..., global@entry=..., key=key@entry=JSProto_SharedArrayBuffer) at js/src/vm/GlobalObject.cpp:98
#4  0x0000000000a37b47 in js::GlobalObject::initStandardClasses (cx=cx@entry=0x7ffff6907800, global=global@entry=...) at js/src/vm/GlobalObject.cpp:350
#5  0x00000000008d1e34 in JS_EnumerateStandardClasses (cx=cx@entry=0x7ffff6907800, obj=...) at js/src/jsapi.cpp:1161
#6  0x00000000004884d7 in sandbox_enumerate (cx=0x7ffff6907800, obj=...) at js/src/shell/js.cpp:2597
#7  0x000000000091fc28 in Snapshot (cx=cx@entry=0x7ffff6907800, pobj_=..., flags=flags@entry=40, props=props@entry=0x7fffffffc580) at js/src/jsiter.cpp:394
#8  0x00000000009201fd in js::GetPropertyKeys (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., flags=flags@entry=40, props=props@entry=0x7fffffffc580) at js/src/jsiter.cpp:483
#9  0x0000000000832300 in js::ObjectToSource (cx=cx@entry=0x7ffff6907800, obj=obj@entry=...) at js/src/builtin/Object.cpp:192
#10 0x0000000000833474 in obj_toSource (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Object.cpp:119
#11 0x0000000000a4ecc2 in js::CallJSNative (cx=0x7ffff6907800, native=0x8333c0 <obj_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#12 0x0000000000a4b8b7 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:481
#13 0x0000000000a4d339 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:533
#14 0x000000000099f05e in js::ValueToSource (cx=cx@entry=0x7ffff6907800, v=..., v@entry=...) at js/src/jsstr.cpp:4540
#15 0x0000000000979512 in js::DecompileValueGenerator (cx=cx@entry=0x7ffff6907800, spindex=spindex@entry=1, v=..., fallbackArg=..., skipStackHits=skipStackHits@entry=0) at js/src/jsopcode.cpp:1424
#16 0x00000000008d5ee0 in js::ReportValueErrorFlags (cx=cx@entry=0x7ffff6907800, flags=flags@entry=0, errorNumber=errorNumber@entry=69, spindex=spindex@entry=1, v=..., v@entry=..., fallback=..., fallback@entry=..., arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at js/src/jscntxt.cpp:900
#17 0x0000000000a2c7d8 in js::HasInstance (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., v=..., v@entry=..., bp=bp@entry=0x7fffffffcca0) at js/src/vm/Interpreter.cpp:733
#18 0x00000000009b9a5c in js::DirectProxyHandler::hasInstance (this=this@entry=0x1beac80 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907800, proxy=..., proxy@entry=..., v=v@entry=..., bp=bp@entry=0x7fffffffcca0) at js/src/proxy/DirectProxyHandler.cpp:117
#19 0x00000000009ad783 in js::CrossCompartmentWrapper::hasInstance (this=0x1beac80 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907800, wrapper=..., v=..., bp=0x7fffffffcca0) at js/src/proxy/CrossCompartmentWrapper.cpp:371
#20 0x00000000009bc11c in js::Proxy::hasInstance (cx=0x7ffff6907800, proxy=..., v=..., bp=bp@entry=0x7fffffffcca0) at js/src/proxy/Proxy.cpp:433
#21 0x00000000009bc185 in js::proxy_HasInstance (cx=<optimized out>, proxy=..., v=..., bp=0x7fffffffd1d0) at js/src/proxy/Proxy.cpp:671
#22 0x0000000000a2c768 in js::HasInstance (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., v=..., bp=bp@entry=0x7fffffffd1d0) at js/src/vm/Interpreter.cpp:729
#23 0x0000000000a405fd in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:3616
[...]
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6985
rax	0x0	0
rbx	0x7fffffffbdb0	140737488338352
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffbd70	140737488338288
rsp	0x7fffffffbcf0	140737488338160
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffbab0	140737488337584
r11	0x7ffff6c27960	140737333328224
r12	0x25	37
r13	0x7fffffffbdf0	140737488338416
r14	0x7fffffffbdc0	140737488338368
r15	0x7ffff6907800	140737330051072
rip	0xa38ff8 <js::GlobalObject::initBuiltinConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey, JS::Handle<JSObject*>, JS::Handle<JSObject*>)+472>
=> 0xa38ff8 <js::GlobalObject::initBuiltinConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey, JS::Handle<JSObject*>, JS::Handle<JSObject*>)+472>:	movl   $0xe3,0x0
   0xa39003 <js::GlobalObject::initBuiltinConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey, JS::Handle<JSObject*>, JS::Handle<JSObject*>)+483>:	callq  0x4a2e10 <abort()>
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Flags: needinfo?(lhansen)
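As an added example that is not part of the bug report and not SpiderMonkey code, the JavaScript below models the invariant the assertion `!global->lookup(cx, id)` enforces: a built-in constructor may only be installed on a global that does not yet own a property of that name. The model replays the shape of the testcase (a lazily populated global, a script assigning its own `SharedArrayBuffer`, then an enumeration that forces all standard classes to resolve, as in the backtrace's `sandbox_enumerate` → `JS_EnumerateStandardClasses` → `initStandardClasses` path) and contrasts an enumeration that trusts only its "already resolved" bookkeeping with one that also checks the property table. Every identifier in it (`LazyGlobal`, `initBuiltinConstructor`, `enumerateUnsafe`, `enumerateSafe`, `makeGlobal`, `replay`) is the example's own, and it makes no claim about the engine's actual root cause or fix.

```javascript
// Added example, not code from the bug or from SpiderMonkey: a toy model of a
// global whose built-in constructors are installed lazily. All names here
// are the example's own; only the invariant is taken from the report's
// assertion `!global->lookup(cx, id)`.

class LazyGlobal {
  constructor(builtins) {
    this.props = new Map();    // own properties a script can see
    this.builtins = builtins;  // name -> factory that builds the constructor
    this.resolved = new Set(); // built-ins whose constructor has been installed
  }

  // Stand-in for the assertion site: installing a built-in constructor
  // requires that the global does not already own a property of that name.
  // A thrown Error models the debug assertion (release builds have no check).
  initBuiltinConstructor(name) {
    if (this.props.has(name)) {
      throw new Error(`assertion failure: global already has '${name}'`);
    }
    this.props.set(name, this.builtins.get(name)());
    this.resolved.add(name);
  }

  // Lazy resolve hook: a read of a missing built-in name installs it on demand.
  get(name) {
    if (!this.props.has(name) && this.builtins.has(name)) {
      this.initBuiltinConstructor(name);
    }
    return this.props.get(name);
  }

  // A script assigning to the global (g0.SharedArrayBuffer = ...) stores its
  // own value; the 'resolved' bookkeeping is not updated, so it now disagrees
  // with the property table. (The model skips any resolve a real engine may
  // perform on the set path; only the disagreement matters here.)
  set(name, value) {
    this.props.set(name, value);
  }

  // Enumeration that trusts only the 'resolved' set, mirroring the backtrace
  // path sandbox_enumerate -> JS_EnumerateStandardClasses -> initStandardClasses
  // forcing every unresolved built-in through initBuiltinConstructor.
  enumerateUnsafe() {
    for (const name of this.builtins.keys()) {
      if (!this.resolved.has(name)) this.initBuiltinConstructor(name);
    }
    return [...this.props.keys()].sort();
  }

  // Defensive enumeration: consult the property table as well, so a name a
  // script already defined is left alone instead of re-running the installer.
  enumerateSafe() {
    for (const name of this.builtins.keys()) {
      if (!this.resolved.has(name) && !this.props.has(name)) {
        this.initBuiltinConstructor(name);
      }
    }
    return [...this.props.keys()].sort();
  }
}

function makeGlobal() {
  // Two constructed built-ins stand in for the standard classes.
  return new LazyGlobal(new Map([
    ['SharedArrayBuffer', () => function SharedArrayBuffer() {}],
    ['Map', () => function Map() {}],
  ]));
}

// Replays the shape of the testcase against the model:
//   g0 = evalcx('lazy'); g0.SharedArrayBuffer = SharedArrayBuffer; <enumerate>
// Returns the enumerated names, or the assertion message if the model asserts.
function replay(enumerator) {
  const g0 = makeGlobal();
  g0.set('SharedArrayBuffer', function OuterSharedArrayBuffer() {});
  try {
    return g0[enumerator]();
  } catch (e) {
    return e.message;
  }
}

console.log(replay('enumerateUnsafe')); // the modelled assertion fires
console.log(replay('enumerateSafe'));   // [ 'Map', 'SharedArrayBuffer' ]
```

The point of the two enumerators is that the property table, not a separate "resolved" flag, is the ground truth the assertion checks; any eager path that installs built-ins has to consult it, otherwise a script-defined name of the same spelling turns a debug assertion (or, in a release build, an unchecked overwrite) into a crash reproducible from a three-line script, as the report shows.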
Likely a dup of bug 1239605, which is ready to go but is blocked on bug 1240453, which is waiting for review.
Flags: needinfo?(lhansen)
Indeed the patches to bug 1239506 and bug 1240453 make this problem go away.

Note the test case only asserts if loaded as a script, not if it is entered line-by-line at the REPL.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE