Closed Bug 1317402 Opened 3 years ago Closed 3 years ago

Assertion failure: res == isBigEnoughForAShapeTableSlow(), at js/src/vm/Shape.h:996

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla53
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1196bf3032e1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --baseline-eager):

gTestcases = new Array;
gTc = gTestcases;
function TestCase() constructor.defineProperty(gTestcases, gTc++, {
    value: this
});
myObj = {
    p1: 'a',
    p2: 'b',
    set p3({}) {},
    valueOf,
    parseInt,
    NaN,
    Infinity,
    eval,
    parseFloat,
    isNaN,
    isFinite
}
with(myObj) with(myObj) e = delete p3;
THIS = eval("this");
GLOBAL_PROPERTIES = Array;
i = 0;
for (p in THIS)
  GLOBAL_PROPERTIES[i++] = p;
for (i = 0; i < 1000; i++) 
  TestCase(gczeal(9) + eval("THIS[GLOBAL_PROPERTIES[i]]"));



Backtrace:

 received signal SIGSEGV, Segmentation fault.
js::Shape::isBigEnoughForAShapeTable (this=<optimized out>) at js/src/vm/Shape.h:996
#0  js::Shape::isBigEnoughForAShapeTable (this=<optimized out>) at js/src/vm/Shape.h:996
#1  js::Shape::maybeCreateTableForLookup (cx=0x7ffff695f000, this=0x7ffff068cf58) at js/src/vm/Shape-inl.h:62
#2  js::Shape::search<(js::MaybeAdding)0> (id=..., start=0x7ffff068cf58, cx=0x7ffff695f000) at js/src/vm/Shape-inl.h:91
#3  js::NativeObject::lookup (this=<optimized out>, cx=0x7ffff695f000, id=...) at js/src/vm/NativeObject.cpp:256
#4  0x0000000000b44e52 in js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=0x7ffff695f000, obj=obj@entry=..., id=id@entry=..., propp=..., propp@entry=..., donep=donep@entry=0x7fffffffc80f) at js/src/vm/NativeObject-inl.h:475
#5  0x0000000000b6da32 in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2071
#6  0x0000000000b6e240 in js::NativeGetProperty (cx=<optimized out>, obj=..., obj@entry=..., receiver=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2115
#7  0x0000000000566a44 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.h:1523
#8  js::GetProperty (cx=0x7ffff695f000, obj=..., receiver=..., id=..., vp=...) at js/src/jsobj.h:854
#9  0x00000000009bf0ac in js::ToPrimitiveSlow (cx=cx@entry=0x7ffff695f000, preferredType=preferredType@entry=JSTYPE_VOID, vp=..., vp@entry=...) at js/src/jsobj.cpp:3072
#10 0x0000000000b4224d in js::ToPrimitive (vp=..., cx=0x7ffff695f000) at js/src/jsobj.h:1056
#11 AddOperation (cx=0x7ffff695f000, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:1381
#12 0x0000000000b4237a in js::AddValues (cx=<optimized out>, lhs=..., lhs@entry=..., rhs=..., rhs@entry=..., res=..., res@entry=...) at js/src/vm/Interpreter.cpp:4550
#13 0x00000000007d0329 in js::jit::DoBinaryArithFallback (cx=0x7ffff695f000, payload=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:926
#14 0x00007ffff7e4115a in ?? ()
[...]
#40 0x0000000000000000 in ?? ()
rax	0x20187c0	33654720
rbx	0x7ffff068cf58	140737226788696
rcx	0x121fa50	19003984
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffc6e0	140737488340704
rsp	0x7fffffffc6a0	140737488340640
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff061e0ec	140737226334444
r13	0x7ffff695f000	140737330409472
r14	0x1	1
r15	0x7fffffffca00	140737488341504
rip	0xb3ecd2 <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+754>
=> 0xb3ecd2 <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+754>:	movl   $0x0,0x0
   0xb3ecdd <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+765>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b3cf01afceb6
user:        Jan de Mooij
date:        Thu Nov 03 19:15:15 2016 +0100
summary:     Bug 1314569 - Purge ShapeTables on shrinking GCs. r=jonco

This iteration took 256.368 seconds to run.
Jan, is bug 1314569 a likely regressor?
Blocks: 1314569
Flags: needinfo?(jdemooij)
Attached patch: Patch
Shapes have two bits that are used to cache "isBigEnoughForAShapeTable". We just need to clear these bits when we remove a property from a dictionary object, as the cache may no longer be correct.

Before bug 1314569, dictionary objects always had a ShapeTable, so this wasn't an issue.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8810803 - Flags: review?(jcoppeard)
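As an added illustration of the comment above (constructed here, not SpiderMonkey's code and not the attached patch): a small model of a dictionary-mode shape chain whose shapes cache the "big enough for a table" answer in two flag bits, showing why unlinking a property without clearing those bits leaves a stale answer, and the recomputation that the debug assertion in the title compares against. The threshold, the field and class names (Shape, DictObject, CACHED/VALUE) and the removal logic are assumptions made for the demo.

```cpp
#include <cstdint>
#include <deque>
// Constructed model of the stale-cache bug, not SpiderMonkey's code: every
// shape caches, in two flag bits, whether its chain is long enough for a table.
constexpr int kMinEntriesForTable = 3;  // assumed threshold for the demo
struct Shape {
    int key;                  // property identity (constructed small int)
    Shape* parent;            // previous property in the chain
    uint8_t flags = 0;        // CACHED: answer known; VALUE: the cached answer
    enum : uint8_t { CACHED = 1, VALUE = 2 };
    int entryCount() const {
        int n = 0;
        for (const Shape* s = this; s; s = s->parent) ++n;
        return n;
    }
    bool isBigEnoughSlow() const { return entryCount() >= kMinEntriesForTable; }
    bool isBigEnough() {           // fast path: trusts the bits once they are set
        if (!(flags & CACHED)) flags |= CACHED | (isBigEnoughSlow() ? VALUE : 0);
        return (flags & VALUE) != 0;
    }
    void clearCache() { flags &= static_cast<uint8_t>(~(CACHED | VALUE)); }
};
// Dictionary-mode object: the shape chain is unlinked in place on removal.
struct DictObject {
    std::deque<Shape> storage;  // deque keeps pointers stable across push_back
    Shape* last = nullptr;
    void addProperty(int key) { storage.push_back(Shape{key, last}); last = &storage.back(); }
    void removeProperty(int key, bool clearStaleBits) {
        Shape* child = nullptr;
        for (Shape* s = last; s; child = s, s = s->parent) {
            if (s->key != key) continue;
            if (child) child->parent = s->parent; else last = s->parent;
            // The fix: every shape that sat after `s` now has one entry fewer,
            // so its cached answer may be wrong and must be recomputed.
            if (clearStaleBits)
                for (Shape* c = last; c != s->parent; c = c->parent) c->clearCache();
            return;
        }
    }
};
// True when cache and slow path disagree, i.e. when the engine's debug
// assertion `res == isBigEnoughForAShapeTableSlow()` would fire.
bool cacheGoesStale(bool applyFix) {
    DictObject obj;
    for (int k = 0; k < 3; ++k) obj.addProperty(k);  // chain of 3: cache says "big enough"
    obj.last->isBigEnough();
    obj.removeProperty(0, applyFix);                 // chain of 2: the answer must flip
    return obj.last->isBigEnough() != obj.last->isBigEnoughSlow();
}
```

Without the clearing step the cached bits on the remaining shapes still say "big enough" for a chain that has shrunk below the threshold, which is the inconsistency the assertion in the bug title detects.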
Comment on attachment 8810803 [details] [diff] [review]
Patch

Review of attachment 8810803 [details] [diff] [review]:
-----------------------------------------------------------------

Oh, nice catch.
Attachment #8810803 - Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5c79c47c3979
Clear the isBigEnoughForAShapeTable cache when removing dictionary shapes. r=jonco
https://hg.mozilla.org/mozilla-central/rev/5c79c47c3979
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8810803 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1314569.
[User impact if declined]: Assertion failures.
[Describe test coverage new/current, TreeHerder]: Fixes the fuzz test.
[Risks and why]: Very low risk.
[String/UUID change made/needed]: None.
Attachment #8810803 - Flags: approval-mozilla-aurora?
Comment on attachment 8810803 [details] [diff] [review]
Patch

Let's take this in aurora52 to fix a new regression.
Attachment #8810803 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+