Closed
Bug 1317402
Opened 8 years ago
Closed 8 years ago
Assertion failure: res == isBigEnoughForAShapeTableSlow(), at js/src/vm/Shape.h:996
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla53
Version | Tracking | Status
---|---|---
firefox50 | --- | unaffected
firefox51 | --- | unaffected
firefox52 | --- | fixed
firefox53 | --- | fixed
People
(Reporter: decoder, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
1.85 KB, patch | jonco: review+ | jcristau: approval-mozilla-aurora+ | Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 1196bf3032e1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --baseline-eager):

gTestcases = new Array;
gTc = gTestcases;
function TestCase() constructor.defineProperty(gTestcases, gTc++, { value: this });
myObj = { p1: 'a', p2: 'b', set p3({}) {}, valueOf, parseInt, NaN, Infinity, eval, parseFloat, isNaN, isFinite }
with(myObj) with(myObj) e = delete p3;
THIS = eval("this");
GLOBAL_PROPERTIES = Array;
i = 0;
for (p in THIS) GLOBAL_PROPERTIES[i++] = p;
for (i = 0; i < 1000; i++) TestCase(gczeal(9) + eval("THIS[GLOBAL_PROPERTIES[i]]"));

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::Shape::isBigEnoughForAShapeTable (this=<optimized out>) at js/src/vm/Shape.h:996
#0 js::Shape::isBigEnoughForAShapeTable (this=<optimized out>) at js/src/vm/Shape.h:996
#1 js::Shape::maybeCreateTableForLookup (cx=0x7ffff695f000, this=0x7ffff068cf58) at js/src/vm/Shape-inl.h:62
#2 js::Shape::search<(js::MaybeAdding)0> (id=..., start=0x7ffff068cf58, cx=0x7ffff695f000) at js/src/vm/Shape-inl.h:91
#3 js::NativeObject::lookup (this=<optimized out>, cx=0x7ffff695f000, id=...) at js/src/vm/NativeObject.cpp:256
#4 0x0000000000b44e52 in js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=0x7ffff695f000, obj=obj@entry=..., id=id@entry=..., propp=..., propp@entry=..., donep=donep@entry=0x7fffffffc80f) at js/src/vm/NativeObject-inl.h:475
#5 0x0000000000b6da32 in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2071
#6 0x0000000000b6e240 in js::NativeGetProperty (cx=<optimized out>, obj=..., obj@entry=..., receiver=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2115
#7 0x0000000000566a44 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.h:1523
#8 js::GetProperty (cx=0x7ffff695f000, obj=..., receiver=..., id=..., vp=...) at js/src/jsobj.h:854
#9 0x00000000009bf0ac in js::ToPrimitiveSlow (cx=cx@entry=0x7ffff695f000, preferredType=preferredType@entry=JSTYPE_VOID, vp=..., vp@entry=...) at js/src/jsobj.cpp:3072
#10 0x0000000000b4224d in js::ToPrimitive (vp=..., cx=0x7ffff695f000) at js/src/jsobj.h:1056
#11 AddOperation (cx=0x7ffff695f000, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:1381
#12 0x0000000000b4237a in js::AddValues (cx=<optimized out>, lhs=..., lhs@entry=..., rhs=..., rhs@entry=..., res=..., res@entry=...) at js/src/vm/Interpreter.cpp:4550
#13 0x00000000007d0329 in js::jit::DoBinaryArithFallback (cx=0x7ffff695f000, payload=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:926
#14 0x00007ffff7e4115a in ?? ()
[...]
#40 0x0000000000000000 in ?? ()

rax 0x20187c0 33654720
rbx 0x7ffff068cf58 140737226788696
rcx 0x121fa50 19003984
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffc6e0 140737488340704
rsp 0x7fffffffc6a0 140737488340640
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff061e0ec 140737226334444
r13 0x7ffff695f000 140737330409472
r14 0x1 1
r15 0x7fffffffca00 140737488341504
rip 0xb3ecd2 <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+754>
=> 0xb3ecd2 <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+754>: movl $0x0,0x0
   0xb3ecdd <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+765>: ud2
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b3cf01afceb6
user: Jan de Mooij
date: Thu Nov 03 19:15:15 2016 +0100
summary: Bug 1314569 - Purge ShapeTables on shrinking GCs. r=jonco

This iteration took 256.368 seconds to run.
Jan, is bug 1314569 a likely regressor?
Blocks: 1314569
Flags: needinfo?(jdemooij)
Updated•8 years ago
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox53:
--- → affected
Assignee
Comment 3•8 years ago
Shapes have two bits that are used to cache "isBigEnoughForAShapeTable". We just need to clear these bits when we remove a property from a dictionary object, as the cache may no longer be correct. Before bug 1314569, dictionary objects always had a ShapeTable, so this wasn't an issue.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8810803 -
Flags: review?(jcoppeard)
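The defect class described in comment 3 (a memoized predicate that goes stale when the data it summarizes changes), as an added C++ model written for this page. It is not SpiderMonkey's code: the shape chain, the threshold `kMinEntriesForTable`, the two cache bits `CACHE_VALID`/`CACHE_RESULT` and the method names are all assumptions chosen to mirror the comment, and the page does not give the real values. The buggy removal leaves the cached "big enough" answer on the last shape after a property is unlinked, so it disagrees with a fresh count, which is exactly the `res == isBigEnoughForAShapeTableSlow()` mismatch the assertion reports; the fixed removal clears the bits first.

```cpp
// Added example, not SpiderMonkey's code: a minimal dictionary-mode shape
// chain that caches "is this chain big enough for a lookup table?" in two bits.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

namespace model {

// Hypothetical threshold; the real engine's value is not on the page.
constexpr size_t kMinEntriesForTable = 4;

// Two cache bits, as the bug comment describes: one marks the cache as valid,
// the other holds the cached answer. Names are assumptions.
enum : uint8_t { CACHE_VALID = 1 << 0, CACHE_RESULT = 1 << 1 };

struct Shape {
    Shape* parent = nullptr;  // previous property in the chain
    uint8_t cacheBits = 0;

    size_t entryCount() const {
        size_t n = 0;
        for (const Shape* s = this; s; s = s->parent) n++;
        return n;
    }
    // Slow path: walk the chain and count.
    bool isBigEnoughForAShapeTableSlow() const {
        return entryCount() >= kMinEntriesForTable;
    }
    // Fast path: answer from the cache, filling it on a miss.
    bool isBigEnoughForAShapeTable() {
        if (cacheBits & CACHE_VALID) return (cacheBits & CACHE_RESULT) != 0;
        bool res = isBigEnoughForAShapeTableSlow();
        cacheBits = static_cast<uint8_t>(CACHE_VALID | (res ? CACHE_RESULT : 0));
        return res;
    }
    void clearCachedBigEnoughForShapeTable() { cacheBits = 0; }
};

// A dictionary-mode object owns its shapes; `last` is the newest property and
// is where lookups start, so it is the shape whose cache can go stale.
struct DictionaryObject {
    std::vector<std::unique_ptr<Shape>> shapes;
    Shape* last = nullptr;

    Shape* addProperty() {
        auto s = std::make_unique<Shape>();
        s->parent = last;
        last = s.get();
        shapes.push_back(std::move(s));
        return last;
    }
    // Splice `victim` out of the chain (victim must not be `last` here).
    void unlink(Shape* victim) {
        for (auto& s : shapes)
            if (s->parent == victim) s->parent = victim->parent;
    }
    // Before the fix: the chain shrinks but the cached answer survives.
    void removePropertyBuggy(Shape* victim) { unlink(victim); }
    // After the fix: invalidate the cache on the shape lookups start from.
    void removePropertyFixed(Shape* victim) {
        unlink(victim);
        last->clearCachedBigEnoughForShapeTable();
    }
    // The check the reported assertion performs.
    bool cacheConsistent() {
        return last->isBigEnoughForAShapeTable() == last->isBigEnoughForAShapeTableSlow();
    }
};

// Build four properties (exactly at the threshold), cache "true", then
// remove one. Returns true when the stale cache is observed.
bool buggyRemovalLeavesStaleCache() {
    DictionaryObject obj;
    obj.addProperty();
    Shape* p1 = obj.addProperty();
    obj.addProperty();
    obj.addProperty();
    bool before = obj.last->isBigEnoughForAShapeTable();  // true, now cached
    obj.removePropertyBuggy(p1);                          // chain is now 3 long
    return before && !obj.cacheConsistent();
}

// Same scenario with the corrected removal: cache and slow path agree again.
bool fixedRemovalKeepsCacheConsistent() {
    DictionaryObject obj;
    obj.addProperty();
    Shape* p1 = obj.addProperty();
    obj.addProperty();
    obj.addProperty();
    bool before = obj.last->isBigEnoughForAShapeTable();
    obj.removePropertyFixed(p1);
    return before && obj.cacheConsistent() && !obj.last->isBigEnoughForAShapeTable();
}

}  // namespace model

int main() {
    bool stale = model::buggyRemovalLeavesStaleCache();
    bool fixed = model::fixedRemovalKeepsCacheConsistent();
    std::printf("buggy removal stale cache: %s\n", stale ? "yes" : "no");
    std::printf("fixed removal consistent:  %s\n", fixed ? "yes" : "no");
    return (stale && fixed) ? 0 : 1;
}
```

The model keeps the cache only on the shape lookups start from, which is why clearing `last` is sufficient here; comment 3's point is the same one: once dictionary objects could exist without a ShapeTable (bug 1314569), every path that shrinks the chain has to invalidate the memoized answer, not just the paths that rebuild the table.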
Comment 4•8 years ago
Comment on attachment 8810803 [details] [diff] [review]
Patch

Review of attachment 8810803 [details] [diff] [review]:
-----------------------------------------------------------------

Oh, nice catch.
Attachment #8810803 -
Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5c79c47c3979
Clear the isBigEnoughForAShapeTable cache when removing dictionary shapes. r=jonco
Comment 6•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5c79c47c3979
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Assignee
Comment 7•8 years ago
Comment on attachment 8810803 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1314569.
[User impact if declined]: Assertion failures.
[Describe test coverage new/current, TreeHerder]: Fixes the fuzz test.
[Risks and why]: Very low risk.
[String/UUID change made/needed]: None.
Attachment #8810803 -
Flags: approval-mozilla-aurora?
Comment 8•8 years ago
Comment on attachment 8810803 [details] [diff] [review]
Patch

Let's take this in aurora52 to fix a new regression.
Attachment #8810803 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 9•8 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/8a41b1669fba