Closed
Bug 1287240
Opened 8 years ago
Closed 8 years ago
Assertion failure: global->as<GlobalObject>().getPrototype(Class::KEY).isUndefined(), at js/src/asmjs/WasmJS.cpp:786
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 2f9e69c982f1 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --no-baseline):
Object.getOwnPropertyNames(this);
s = newGlobal();
evalcx("\
/x/;\
oomTest(function() {\
this[\"\"];\
void 0;\
Object.freeze(this);\
l(undefined)();\
O;\
t;\
0;\
({e});\
i;\
0;\
({ z: p ? 0 : 0});\
s;\
});\
", s);
Backtrace:
0 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d17b6bc js::InitWebAssemblyClass(JSContext*, JS::Handle<JSObject*>) + 4652 (WasmJS.cpp:786)
1 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d4e789e js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 414 (GlobalObject.cpp:172)
2 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d4e941b js::GlobalObject::initStandardClasses(JSContext*, JS::Handle<js::GlobalObject*>) + 107 (GlobalObject.cpp:425)
3 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d2bcb89 JS_EnumerateStandardClasses(JSContext*, JS::Handle<JSObject*>) + 265 (RootingAPI.h:704)
4 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d338894 Snapshot(JSContext*, JS::Handle<JSObject*>, unsigned int, JS::AutoVectorRooter<jsid>*) + 452 (jsiter.cpp:387)
5 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d37a70f js::PreventExtensions(JSContext*, JS::Handle<JSObject*>, JS::ObjectOpResult&) + 351 (jsobj.cpp:2635)
6 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d370398 js::SetIntegrityLevel(JSContext*, JS::Handle<JSObject*>, js::IntegrityLevel) + 184 (jsobj.cpp:2656)
7 js-dbg-64-dm-clang-darwin-2f9e69c982f1 0x000000010d6e2e32 obj_freeze(JSContext*, unsigned int, JS::Value*) + 210 (RootingAPI.h:704)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7f9ce3eb7b9b user: Luke Wagner date: Wed Jul 13 12:34:44 2016 -0500 summary: Bug 1284155 - Baldr: add Table.prototype.length getter (r=bbouvier) Luke, is bug 1284155 a likely regressor?
Blocks: 1284155
Flags: needinfo?(luke)
|
|
Reporter | |
Comment 3•8 years ago
|
||
|
|
Assignee | |
Comment 4•8 years ago
|
||
D'oh: if global initialization fails after we've initialized one of the JSProto_Wasm* but before the final JSProto_WebAssembly constructor has been written to the GlobalObject, then we can later restart initialization and then attempt to re-initialize the JSProto_Wasm*. Simple fix with that understanding.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8771684 -
Flags: review?(bbouvier)
|
||
Comment 5•8 years ago
|
||
Comment on attachment 8771684 [details] [diff] [review] fix-oom-init-bug Review of attachment 8771684 [details] [diff] [review]: ----------------------------------------------------------------- Looks good, thanks.
Attachment #8771684 -
Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/669fdfdba6eb Baldr: only do global initialization after everything else has succeeded (r=bbouvier)
|
||
Comment 8•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/669fdfdba6eb
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
You need to log in
before you can comment on or make changes to this bug.
Description
•