1269074 - Assertion failure: !entry->shape(), at js/src/vm/Shape.cpp:591

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 2b7c421063ad (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/auto-regress/bug1263558.js
evalcx('oomTest(function() { Array(...""); })', newGlobal());

Backtrace:

0   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x0000000100879e0b js::NativeObject::addPropertyInternal(js::ExclusiveContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), unsigned int, unsigned int, unsigned int, js::ShapeTable::Entry*, bool) + 571 (Shape.cpp:591)
1   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x000000010089346a js::NativeObject::addProperty(js::ExclusiveContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), unsigned int, unsigned int, unsigned int, bool) + 378 (Shape.cpp:535)
2   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x0000000100834b3e js::NativeObject::addDataProperty(js::ExclusiveContext*, jsid, unsigned int, unsigned int) + 158 (RootingAPI.h:673)
3   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x000000010077f9c9 js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 1161 (GlobalObject.cpp:220)
4   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x000000010064206a js::GetBuiltinPrototype(js::ExclusiveContext*, JSProtoKey, JS::MutableHandle<JSObject*>) + 138 (jsobj.cpp:2033)
5   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x0000000100844cc9 js::ObjectGroup::allocationSiteGroup(JSContext*, JSScript*, unsigned char*, JSProtoKey, JS::Handle<JSObject*>) + 553 (ObjectGroup.cpp:1424)
6   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x0000000100803109 js::NewArrayOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, unsigned int, js::NewObjectKind) + 153 (Interpreter.cpp:4778)
7   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x00000001007f42c8 Interpret(JSContext*, js::RunState&) + 72088 (Interpreter.cpp:3451)
8   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x00000001007e2867 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
9   js-dbg-64-dm-clang-darwin-2b7c421063ad	0x00000001007f98ed js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:498)
10  js-dbg-64-dm-clang-darwin-2b7c421063ad	0x00000001007f9f5e js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) + 46 (Interpreter.cpp:544)
11  js-dbg-64-dm-clang-darwin-2b7c421063ad	0x000000010059db17 JS_CallFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) + 759 (jsapi.cpp:2883)
12  js-dbg-64-dm-clang-darwin-2b7c421063ad	0x00000001009d0bca OOMTest(JSContext*, unsigned int, JS::Value*) + 1194 (TestingFunctions.cpp:1309)
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d31171af48e4
user:        Tooru Fujisawa
date:        Fri Apr 29 18:24:20 2016 +0900
summary:     Bug 1268034 - Part 1: Reset constructor slot of GlobalObject to undefined when it fails to initialize constructor. r=till

Arai-san, is bug 1268034 a likely regressor?

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: OOM_VERBOSE=1 stack from m-c rev 2b7c421063ad

Comment 4

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 5

[Tooru Fujisawa [:arai]]

thanks.
yes, will work on bug 1268034.

Comment 6

[Takashi]

When I run funfuzz, I found the same Assertion failure. 

I hava a question... 

What are FCM and FRC? Funfuzz displayed these messages... I couldn't understand what it is... 

--------------------------------------

Forking 2 children...
=== Waiting for child #0 (9352) to finish... ===
/*FCM*/ try { "use strict"; p2 + h1; } catch(e) { }
Running in sandbox threw ReferenceError: p2 is not defined

/*FRC*/count=198; tryItOut("this.e1.valueOf = (function() { try { this.a1 = new Array; } catch(e0) { } this.o2.t0[(\u3056 &= c)]; return this.o0; });");
/*FCM*/ try { (function(){this.e1.valueOf = (function() { try { this.a1 = new Array; } catch(e0) { } this.o2.t0[(ざ &= c)]; return this.o0; });})() } catch(e) { }
Running in sandbox threw TypeError: undefined has no properties

------------------------------------------

I am so sorry for asking questions on this. It is really hard to understand funfuzz...

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(clearing needinfo - following up on IRC)

Comment 8

[Tooru Fujisawa [:arai]]

fixed as a part of bug 1268034.