Assertion failure: this->is<T>(), at js/src/jsobj.h:562

RESOLVED FIXED in Firefox 51

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
RESOLVED FIXED
Reported:
3 years ago
Modified:
3 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, jsbugmon, testcase})

Version:
Trunk
Target:
mozilla51
Platform:
x86_64
macOS
Keywords:
assertion, jsbugmon, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox51 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

Detailed Crash Information
100.89 KB, text/plain
Details
Fix hasInitialEnv computation for RematFrames.
5.42 KB, patch
jandem
: review+
Details | Diff | Splinter Review
(Reporter)

Description

3 years ago 
The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
options('strict_mode');
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/RematerializedFrame-retval.js
var m = parseModule("\
    var g = newGlobal();\
    var dbg = new Debugger;\
    setInterruptCallback(function() {\
        dbg.addDebuggee(g);\
        dbg.getNewestFrame();\
        return true;\
    });\
    g.eval(\"(\" + function f() {\
        invokeInterruptCallback(function() {\
            f();\
        });\
    } + \")();\");\
");
m.declarationInstantiation();
m.evaluation();


Backtrace:

0   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x0000000104c862fc js::EnvironmentIter::settle() + 2204 (jsobj.h:562)
1   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x0000000104d23205 js::UnwindAllEnvironmentsInFrame(JSContext*, js::EnvironmentIter&) + 37 (Interpreter.cpp:1060)
2   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x00000001049d462a js::jit::DebugEpilogue(JSContext*, js::jit::BaselineFrame*, unsigned char*, bool) + 186 (BaselineFrame.h:139)
3   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010481aa40 js::jit::HandleException(js::jit::ResumeFromException*) + 4944 (JitFrames.cpp:463)
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

3 years ago 
Created attachment 8786016 [details]
Detailed Crash Information
(Reporter)

Comment 2

3 years ago 
Due to skipped revisions, the first bad revision could be any of:

changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)

Comment 3

3 years ago 
Created attachment 8786112 [details] [diff] [review]
Fix hasInitialEnv computation for RematFrames.
Attachment #8786112 - Flags: review?(jdemooij)

Comment 4

3 years ago 
Not committing test case because it's too slow.
Flags: needinfo?(shu)
Attachment #8786112 - Flags: review?(jdemooij) → review+

Comment 5

3 years ago 
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4585f2f66645
Fix hasInitialEnv computation for RematFrames. (r=jandem)

Comment 6

3 years ago
bugherder 
https://hg.mozilla.org/mozilla-central/rev/4585f2f66645
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox51: affected → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.