Bug 1247926 (Closed)
Opened 8 years ago; closed 8 years ago

Assertion failure: isString(), at js/src/debug64/dist/include/js/Value.h:1271 with JSON.parse and unboxed arrays

Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla52

Tracking | Status
---|---
firefox47 | unaffected
firefox48 | unaffected
firefox49 | unaffected
firefox-esr45 | affected
firefox50 | unaffected
firefox51 | unaffected
firefox52 | fixed

People: Reporter: decoder, Assignee: bhackett1024
Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:]
Attachments (1 file): patch, 15.52 KB, jandem: review+
Description (Reporter) •8 years ago

The following testcase crashes on mozilla-central revision 576a6dcde5b6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --unboxed-arrays --ion-offthread-compile=off):

JSON.parse('[1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0]', function(k, v) { return ""; });
str = "[";
for (i = 0; i < 2048; i++)
  str += "1,";
str += "1]";
JSON.parse(str);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000051292c in JS::Value::toString (this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1271
#0  0x000000000051292c in JS::Value::toString (this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1271
#1  0x0000000000523435 in toString (this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1271
#2  js::SetUnboxedValueNoTypeChange (unboxedObject=<optimized out>, p=0x7ffff69a7000 '\344' <repeats 199 times>, <incomplete sequence \344>..., type=<optimized out>, v=..., preBarrier=<optimized out>) at js/src/vm/UnboxedObject-inl.h:68
#3  0x0000000000ba2f39 in SetOrExtendBoxedOrUnboxedDenseElements<(JSValueType)5> (updateTypes=js::Update, count=<optimized out>, vp=0x801, start=0, obj=0x7ffff3400320, cx=0x1) at js/src/vm/UnboxedObject-inl.h:538
#4  operator()<(JSValueType)5u> (this=<synthetic pointer>) at js/src/vm/UnboxedObject.cpp:2081
#5  CallBoxedOrUnboxedSpecialization<SetOrExtendBoxedOrUnboxedDenseElementsFunctor> (obj=0x7ffff3400320, f=...) at js/src/vm/UnboxedObject-inl.h:670
#6  js::SetOrExtendAnyBoxedOrUnboxedDenseElements (cx=cx@entry=0x7ffff6907800, obj=obj@entry=0x7ffff3400320, start=start@entry=0, vp=vp@entry=0x7ffff69b1000, count=count@entry=2049, updateTypes=<optimized out>, updateTypes@entry=js::DontUpdate) at js/src/vm/UnboxedObject.cpp:2091
#7  0x0000000000521d11 in js::NewCopiedArrayTryUseGroup (cx=cx@entry=0x7ffff6907800, group=group@entry=..., vp=vp@entry=0x7ffff69b1000, length=length@entry=2049, newKind=newKind@entry=js::GenericObject, updateTypes=js::DontUpdate) at js/src/jsarray.cpp:3648
#8  0x0000000000ac8c02 in js::ObjectGroup::newArrayObject (cx=0x7ffff6907800, vp=0x7ffff69b1000, length=2049, newKind=newKind@entry=js::GenericObject, arrayKind=arrayKind@entry=js::ObjectGroup::Normal) at js/src/vm/ObjectGroup.cpp:914
#9  0x0000000000ab2d78 in js::JSONParserBase::finishArray (this=0x7fffffffbbf8, vp=..., elements=...) at js/src/vm/JSONParser.cpp:609
#10 0x0000000000abd972 in js::JSONParser<unsigned char>::parse (this=this@entry=0x7fffffffbbf8, vp=..., vp@entry=...) at js/src/vm/JSONParser.cpp:688
#11 0x0000000000950ed5 in parse (vp=..., this=0x7fffffffbbe0) at js/src/vm/JSONParser.h:262
#12 js::ParseJSONWithReviver<unsigned char> (cx=cx@entry=0x7ffff6907800, chars=..., reviver=..., reviver@entry=..., vp=vp@entry=...) at js/src/json.cpp:887
#13 0x000000000093cb4d in json_parse (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7fffffffc0c8) at js/src/json.cpp:940
#14 0x0000000000aadd82 in js::CallJSNative (cx=0x7ffff6907800, native=0x93c920 <json_parse(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#15 0x0000000000aa73f1 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#16 0x0000000000aa7f1c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffc5c8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:527
#17 0x000000000060b056 in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffc608, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc5b8, res=...) at js/src/jit/BaselineIC.cpp:6136
#18 0x00007ffff7ff1abf in ?? ()
#19 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7ffff69a7000 140737330704384
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffb5e0 140737488336352
rsp 0x7fffffffb5e0 140737488336352
r8 0x7ffff7fe07c0 140737354008512
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffb3a0 140737488335776
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff69b1008 140737330745352
r13 0x7ffff6907800 140737330051072
r14 0x0 0
r15 0x7ffff3400320 140737274446624
rip 0x51292c <JS::Value::toString() const+28>
=> 0x51292c <JS::Value::toString() const+28>: movl $0x4f7,0x0
   0x512937 <JS::Value::toString() const+39>: callq 0x4a4f50 <abort()>
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•8 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 3 (Assignee) •8 years ago
When creating an array from JSON or a literal we have a check to make sure any unboxed representation for the object being created actually matches up with the elements in the new array. This check breaks down when creating the resulting array hits a path where the existing objects are eagerly analyzed, because the created array is large. This patch refactors things so that the check works correctly in this case, and makes some simplifications to the associated array creation functions.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8724932 -
Flags: review?(jdemooij)
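The sequence comment 3 describes, an array group trained with one element type (the reviver in comment 0 turns every element into a string) followed by the creation of a large array whose elements have another type, can be turned into a small regression harness. The block below is an added example, not the bug's testcase and not SpiderMonkey code; it generalizes the testcase over array lengths and reviver return types. The function names, the set of reviver values and the size list are assumptions; only the 20-element priming array, the 2049-element numeric array and the need for the `--unboxed-arrays` shell flag on the affected build come from the bug. On a fixed engine every case yields a correctly shaped array; on the affected build the large-array parse is where the assertion fired.

```javascript
// Added example: regression harness for the JSON.parse / unboxed-array
// sequence in bug 1247926. Not taken from the bug report or from SpiderMonkey.

// Build a JSON array text of `count` copies of `elem` (elem is JSON text).
function buildJsonArray(count, elem) {
  return "[" + new Array(count).fill(elem).join(",") + "]";
}

// Step 1 of the testcase: parse a small numeric array through a reviver that
// replaces every element with `trainValue`. The original reviver also replaced
// the root; here the root is kept (k === "") so the primed array is observable.
function primeWithReviver(trainValue, count = 20) {
  return JSON.parse(buildJsonArray(count, "1"), function (k, v) {
    return k === "" ? v : trainValue;
  });
}

// Step 2 of the testcase: create a large array of numbers straight from JSON.
// This is the parse that crashed on the affected build.
function parseLargeNumericArray(count = 2049) {
  return JSON.parse(buildJsonArray(count, "1"));
}

// Run one train-then-parse case and return what a test can check: the shape of
// the primed array and whether the large array holds exactly `largeCount` ones.
function runCase(trainValue, smallCount, largeCount) {
  const primed = primeWithReviver(trainValue, smallCount);
  const large = parseLargeNumericArray(largeCount);
  return {
    primedLength: primed.length,
    primedAllTrained: primed.every((x) => x === trainValue),
    largeLength: large.length,
    largeAllOnes: large.every((x) => x === 1),
  };
}

// Sweep reviver return types and array sizes around the testcase's values
// (both lists are assumed, not from the bug). Returns the failing cases;
// the list is empty on a correct engine.
function sweep() {
  const trainValues = ["", "s", true, null, {}, 1.5];
  const sizes = [1, 16, 2047, 2048, 2049, 4096];
  const failures = [];
  for (const tv of trainValues) {
    for (const n of sizes) {
      const r = runCase(tv, 20, n);
      if (r.largeLength !== n || !r.largeAllOnes) failures.push({ tv, n, r });
    }
  }
  return failures;
}

// Stand-alone run: report the failing cases, if any.
console.log(sweep().length === 0 ? "all cases OK" : sweep());
```

Run it in the JS shell of the build under test (with `--unboxed-arrays` on builds where unboxed arrays are off by default, per comment 9); a crash or assertion during `parseLargeNumericArray` rather than a reported failure is the outcome this bug produced.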
Updated•8 years ago
Attachment #8724932 -
Flags: review?(jdemooij) → review+
Comment 4•8 years ago
Brian, this is a nightly-only failure, correct? Can we wontfix this for 47?
Flags: needinfo?(bhackett1024)
Comment 5•8 years ago
Marking wontfix for 47, since this is a nightly-only crash.
Flags: needinfo?(bhackett1024)
Comment 6•8 years ago
Forgot to land this?
Crash Signature: bp-d826728d-eca6-4502-9046-061422160616
Flags: needinfo?(bhackett1024)
Updated•8 years ago
Crash Signature: bp-d826728d-eca6-4502-9046-061422160616 → [@ JSCompartment::wrap ]
Comment 7•8 years ago
Crash volume for signature 'JSCompartment::wrap':
- nightly (version 50): 8 crashes from 2016-06-06.
- aurora (version 49): 43 crashes from 2016-06-07.
- beta (version 48): 272 crashes from 2016-06-06.
- release (version 47): 602 crashes from 2016-05-31.
- esr (version 45): 21 crashes from 2016-04-07.

Crash volume on the last weeks:

Channel | Week N-1 | Week N-2 | Week N-3 | Week N-4 | Week N-5 | Week N-6 | Week N-7
---|---|---|---|---|---|---|---
nightly | 0 | 1 | 1 | 0 | 2 | 4 | 0
aurora | 8 | 20 | 1 | 4 | 2 | 4 | 3
beta | 58 | 28 | 42 | 42 | 34 | 35 | 13
release | 83 | 93 | 90 | 74 | 101 | 90 | 33
esr | 3 | 2 | 2 | 0 | 8 | 1 | 3

Affected platforms: Windows, Mac OS X, Linux
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → affected
Comment 8•8 years ago
Jandem, naveed, can you help with this crash? It may only be in nightly - but the crash signature is showing up in beta and release.
Flags: needinfo?(nihsanullah)
Flags: needinfo?(jdemooij)
Comment 9•8 years ago
Unboxed arrays are disabled by default, so this bug is unrelated to the crashes in comment 7. Ekanan, why did you link that crash report + the [@JSCompartment::wrap] signature to this bug? It's confusing the Release Management bot. I'll take a look at the current crashes though.
Flags: needinfo?(nihsanullah)
Flags: needinfo?(jdemooij)
Flags: needinfo?(ananuti)
Updated•8 years ago
Crash Signature: [@ JSCompartment::wrap ]
Comment 10•8 years ago
(In reply to Jan de Mooij [:jandem] from comment #9)
> Unboxed arrays are disabled by default, so this bug is unrelated to the
> crashes in comment 7.
>
> Ekanan, why did you link that crash report + the [@JSCompartment::wrap]
> signature to this bug? It's confusing the Release Management bot. I'll take
> a look at the current crashes though.

I enabled unboxed arrays and get a crash with the script in comment 0.
Updated•8 years ago
Flags: needinfo?(ananuti)
Comment 11•8 years ago
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9125f0c5deba
Fix analysis of preliminary array object groups when creating JSON or literal objects, r=jandem.
Updated•8 years ago
Flags: needinfo?(bhackett1024)
Comment 12•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/9125f0c5deba
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52