Closed Bug 1254105 Opened 8 years ago Closed 8 years ago

Assertion failure: v.isUndefined(), at js/src/jsstr.cpp:4479 with shortestPaths shell-function

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox47 --- wontfix
firefox48 --- fixed

People

(Reporter: decoder, Assigned: fitzgen)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Avoid passing magic values to the error reporter machinery in the ShortestPaths testing function
1.87 KB, patch
jimb
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 46210f3ae078 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-offthread-compile=off --ion-pgo=on --ion-eager --ion-extra-checks):

shortestPaths(this, [, , , undefined], 5)


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0861b247 in js::ToStringSlow<(js::AllowGC)1> (cx=0xf7273020, arg=arg@entry=...) at js/src/jsstr.cpp:4479
#1  0x085fea60 in ToString<(js::AllowGC)1> (v=..., cx=<optimized out>) at js/src/jsstr.h:161
#2  js::ValueToSource (cx=cx@entry=0xf7273020, v=v@entry=...) at js/src/jsstr.cpp:4541
#3  0x085db8a8 in js::DecompileValueGenerator (cx=cx@entry=0xf7273020, spindex=spindex@entry=1, v=v@entry=..., fallbackArg=fallbackArg@entry=..., skipStackHits=skipStackHits@entry=0) at js/src/jsopcode.cpp:1423
#4  0x0853e904 in js::ReportValueErrorFlags (cx=0xf7273020, flags=flags@entry=0, errorNumber=errorNumber@entry=40, spindex=spindex@entry=1, v=v@entry=..., fallback=fallback@entry=..., arg1=arg1@entry=0x8c2bf98 "not an object, string, or symbol", arg2=arg2@entry=0x0) at js/src/jscntxt.cpp:898
#5  0x086eb575 in ShortestPaths (cx=0xf7273020, argc=3, vp=0xffcaab20) at js/src/builtin/TestingFunctions.cpp:2633
#6  0x08742ada in js::CallJSNative (cx=0xf7273020, native=0x86eb2b0 <ShortestPaths(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7  0x0873ff14 in js::Invoke (cx=0xf7273020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#8  0x0874094e in js::Invoke (cx=0xf7273020, thisv=..., fval=..., argc=argc@entry=3, argv=argv@entry=0xffcaae50, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:530
#9  0x0827a51e in js::jit::DoCallFallback (cx=0xf7273020, frame=0xffcaaea8, stub_=0xf459a0f0, argc=3, vp=0xffcaae40, res=...) at js/src/jit/BaselineIC.cpp:6140
#10 0xf742de2e in ?? ()
#11 0xf459a0f0 in ?? ()
#12 0xf7427ae3 in ?? ()
eax	0x0	0
ebx	0x9894430	159990832
ecx	0xf75e288c	-144824180
edx	0x0	0
esi	0xf7273020	-148426720
edi	0x0	0
ebp	0xffcaa4e8	4291470568
esp	0xffcaa4b0	4291470512
eip	0x861b247 <js::ToStringSlow<(js::AllowGC)1>(js::ExclusiveContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType)+487>
=> 0x861b247 <js::ToStringSlow<(js::AllowGC)1>(js::ExclusiveContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType)+487>:	movl   $0x117f,0x0
   0x861b251 <js::ToStringSlow<(js::AllowGC)1>(js::ExclusiveContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType)+497>:	call   0x8103120 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160216024750" and the hash "374422755fccfd9e8296195ad60b6f4b752238e6".
The "bad" changeset has the timestamp "20160216032050" and the hash "d73b4d5f5d259b9015d7af8f7bfaae81d33529ec".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=374422755fccfd9e8296195ad60b6f4b752238e6&tochange=d73b4d5f5d259b9015d7af8f7bfaae81d33529ec
Guessing this might be related to bug 961323. Nick, is bug 961323 a likely regressor?
Blocks: 961323
Flags: needinfo?(nfitzgerald)
Taking.
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)
The error reporting machinery will try and stringify any value you pass it, and
stringifying asserts that we don't pass magic values. Easiest solution is to
just hard code the error message, since this is a testing-only function.
Attachment #8728164 - Flags: review?(jimb)
Attachment #8728164 - Flags: review?(jimb) → review+
https://hg.mozilla.org/mozilla-central/rev/7955113c7e1b
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Not exposed to content. No need to uplift. WONTFIX 47.
status-firefox47: affectedwontfix
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: