Closed Bug 1298854 Opened 6 years ago Closed 6 years ago

Assertion failure: this->is<T>(), at js/src/jsobj.h:562

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox51 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
100.89 KB, text/plain
Details
Fix hasInitialEnv computation for RematFrames.
5.42 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
options('strict_mode');
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/RematerializedFrame-retval.js
var m = parseModule("\
    var g = newGlobal();\
    var dbg = new Debugger;\
    setInterruptCallback(function() {\
        dbg.addDebuggee(g);\
        dbg.getNewestFrame();\
        return true;\
    });\
    g.eval(\"(\" + function f() {\
        invokeInterruptCallback(function() {\
            f();\
        });\
    } + \")();\");\
");
m.declarationInstantiation();
m.evaluation();


Backtrace:

0   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x0000000104c862fc js::EnvironmentIter::settle() + 2204 (jsobj.h:562)
1   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x0000000104d23205 js::UnwindAllEnvironmentsInFrame(JSContext*, js::EnvironmentIter&) + 37 (Interpreter.cpp:1060)
2   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x00000001049d462a js::jit::DebugEpilogue(JSContext*, js::jit::BaselineFrame*, unsigned char*, bool) + 186 (BaselineFrame.h:139)
3   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010481aa40 js::jit::HandleException(js::jit::ResumeFromException*) + 4944 (JitFrames.cpp:463)
/snip

For detailed crash information, see attachment.
Due to skipped revisions, the first bad revision could be any of:

changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
Not committing test case because it's too slow.
Flags: needinfo?(shu)
Attachment #8786112 - Flags: review?(jdemooij) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4585f2f66645
Fix hasInitialEnv computation for RematFrames. (r=jandem)
https://hg.mozilla.org/mozilla-central/rev/4585f2f66645
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox51: affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.