Bug 1263886 (Closed): Assertion failure: !unknownProperties(), at js/src/vm/TypeInference-inl.h:1043 with OOM
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target milestone: mozilla48
Flag | Tracking | Status
---|---|---
firefox48 | --- | fixed
People: Reporter: decoder, Assigned: jandem
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 904 bytes, bhackett1024: review+
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off):

```js
lfLogBuffer = `
o = { w: { x: { } } }
`.split('\n'), { value: {} }
loadFile(lfLogBuffer.shift());
loadFile(lfLogBuffer.shift());
function loadFile(lfVarx) {
    oomTest(function() { eval(lfVarx) })
}
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x000000000062a710 in js::ObjectGroup::maybeGetProperty (this=0x7ffff7e6cc70, id=...) at js/src/vm/TypeInference-inl.h:1043
#0  0x000000000062a710 in js::ObjectGroup::maybeGetProperty (this=0x7ffff7e6cc70, id=...) at js/src/vm/TypeInference-inl.h:1043
#1  0x0000000000bb2a88 in js::UnboxedLayout::makeConstructorCode (cx=cx@entry=0x7ffff6908800, group=..., group@entry=...) at js/src/vm/UnboxedObject.cpp:185
#2  0x0000000000bb471c in js::UnboxedPlainObject::createWithProperties (cx=cx@entry=0x7ffff6908800, group=..., group@entry=..., newKind=newKind@entry=js::TenuredObject, properties=properties@entry=0x7ffff6905580) at js/src/vm/UnboxedObject.cpp:704
#3  0x0000000000ab53e5 in js::ObjectGroup::newPlainObject (cx=cx@entry=0x7ffff6908800, properties=0x7ffff6905580, nproperties=1, newKind=newKind@entry=js::TenuredObject) at js/src/vm/ObjectGroup.cpp:1276
#4  0x0000000000c109c2 in js::frontend::ParseNode::getConstantValue (this=<optimized out>, cx=cx@entry=0x7ffff6908800, allowObjects=allowObjects@entry=js::frontend::ParseNode::AllowObjects, vp=..., vp@entry=..., compare=compare@entry=0x0, ncompare=ncompare@entry=0, newKind=newKind@entry=js::TenuredObject) at js/src/frontend/BytecodeEmitter.cpp:4923
#5  0x0000000000c1060e in js::frontend::ParseNode::getConstantValue (this=<optimized out>, cx=0x7ffff6908800, allowObjects=allowObjects@entry=js::frontend::ParseNode::AllowObjects, vp=vp@entry=..., compare=compare@entry=0x0, ncompare=ncompare@entry=0, newKind=newKind@entry=js::SingletonObject) at js/src/frontend/BytecodeEmitter.cpp:4898
#6  0x0000000000c114e2 in js::frontend::BytecodeEmitter::emitSingletonInitialiser (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b3a8) at js/src/frontend/BytecodeEmitter.cpp:4945
#7  0x0000000000c2133b in js::frontend::BytecodeEmitter::emitObject (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b3a8) at js/src/frontend/BytecodeEmitter.cpp:8072
#8  0x0000000000c12f99 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b3a8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8937
#9  0x0000000000c1ccfe in js::frontend::BytecodeEmitter::emitAssignment (this=this@entry=0x7fffffffa8a0, lhs=0x7ffff698b338, op=JSOP_NOP, rhs=0x7ffff698b3a8) at js/src/frontend/BytecodeEmitter.cpp:4743
#10 0x0000000000c12f07 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b530, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8740
#11 0x0000000000c1f577 in js::frontend::BytecodeEmitter::emitStatement (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b568) at js/src/frontend/BytecodeEmitter.cpp:7142
#12 0x0000000000c130b1 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b568, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8713
#13 0x0000000000c1f44e in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b300) at js/src/frontend/BytecodeEmitter.cpp:7086
#14 0x0000000000c12fd1 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b300, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8708
#15 0x0000000000c18c1d in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffa8a0, pn=pn@entry=0x7ffff698b2c8) at js/src/frontend/BytecodeEmitter.cpp:5451
#16 0x0000000000c1346b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa8a0, pn=0x7ffff698b2c8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8863
#17 0x0000000000c1373b in BytecodeCompiler::prepareAndEmitTree (this=this@entry=0x7fffffff9c00, ppn=ppn@entry=0x7fffffff97f0) at js/src/frontend/BytecodeCompiler.cpp:356
#18 0x0000000000c13df9 in BytecodeCompiler::compileScript (this=this@entry=0x7fffffff9c00, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:539
#19 0x0000000000c14133 in js::frontend::CompileScript (cx=cx@entry=0x7ffff6908800, alloc=<optimized out>, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x7ffff7e8b040, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:742
#20 0x00000000008468bc in EvalKernel (cx=cx@entry=0x7ffff6908800, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=..., pc=<optimized out>) at js/src/builtin/Eval.cpp:319
#21 0x0000000000846d83 in js::DirectEval (cx=cx@entry=0x7ffff6908800, args=...) at js/src/builtin/Eval.cpp:439
#22 0x0000000000617535 in js::jit::DoCallFallback (cx=0x7ffff6908800, frame=0x7fffffffb848, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffb7f8, res=...) at js/src/jit/BaselineIC.cpp:6100
#23 0x00007ffff7ff1a1f in ?? ()
[...]
rax            0x0                0
rbx            0x7ffff7e6cc70     140737352486000
rcx            0x7ffff6ca588d     140737333844109
rdx            0x0                0
rsi            0x7ffff6f7a9d0     140737336814032
rdi            0x7ffff6f791c0     140737336807872
rbp            0x7fffffff7eb0     140737488322224
rsp            0x7fffffff7e80     140737488322176
r8             0x7ffff7fdf7c0     140737354004416
r9             0x6372732f736a2f6c 7165916604736876396
r10            0x7fffffff7c40     140737488321600
r11            0x7ffff6c27ee0     140737333329632
r12            0x7ffff7e00b68     140737352043368
r13            0x27ff0000         671023104
r14            0x7ffff69055a0     140737330042272
r15            0x7fffffff8180     140737488322944
rip            0x62a710           <js::ObjectGroup::maybeGetProperty(jsid)+880>
=> 0x62a710 <js::ObjectGroup::maybeGetProperty(jsid)+880>:	movl   $0x413,0x0
   0x62a71b <js::ObjectGroup::maybeGetProperty(jsid)+891>:	callq  0x4ab6f0 <abort()>
```

Assert is similar to bug 1254172, but the stack differs.
Comment 1 (Assignee) • 8 years ago
Brian, are groups with unknown properties (due to OOM I think) expected here?
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8740393 - Flags: review?(bhackett1024)
Comment 2 • 8 years ago
Comment on attachment 8740393 [details] [diff] [review]
Patch

Review of attachment 8740393 [details] [diff] [review]:
-----------------------------------------------------------------

Groups with unknown properties are allowed here. We don't make assumptions about the relationship between an object's type information and any unboxed representation it has.
Attachment #8740393 - Flags: review?(bhackett1024) → review+
Comment 4 (bugherder) • 8 years ago
https://hg.mozilla.org/mozilla-central/rev/bd7b47bc9327
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated • 8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]