Closed
Bug 1318634
Opened 8 years ago
Closed 8 years ago
Assertion failure: *isOwnProperty == (receivers.empty() && convertUnboxedGroups.empty()), at js/src/jit/BaselineInspector.cpp:897
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla53
| Tracking | Status | |
|---|---|---|
| firefox53 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
30.21 KB,
text/plain
|
Details | |
|
1.52 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 28e2a6dde76a (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
+/y/;
+/y/;
uneval(/x/.__proto__);
/x/.__proto__.__proto__ = function() {};
/x/.__proto__.__proto__[/z/];
Backtrace:
0 js-dbg-64-dm-clang-darwin-28e2a6dde76a 0x0000000103fb44ca js::jit::BaselineInspector::commonGetPropFunction(unsigned char*, JSObject**, js::Shape**, JSFunction**, js::Shape**, bool*, mozilla::Vector<js::ReceiverGuard, 4ul, js::jit::JitAllocPolicy>&, mozilla::Vector<js::ObjectGroup*, 4ul, js::jit::JitAllocPolicy>&) + 1882 (BaselineInspector.cpp:897)
1 js-dbg-64-dm-clang-darwin-28e2a6dde76a 0x000000010366c069 js::jit::IonBuilder::getPropTryCommonGetter(bool*, js::jit::MDefinition*, js::PropertyName*, js::TemporaryTypeSet*) + 265 (IonBuilder.cpp:12174)
2 js-dbg-64-dm-clang-darwin-28e2a6dde76a 0x0000000103651d8d js::jit::IonBuilder::jsop_getprop(js::PropertyName*) + 1517 (IonBuilder.cpp:11555)
3 js-dbg-64-dm-clang-darwin-28e2a6dde76a 0x0000000103642888 js::jit::IonBuilder::inspectOpcode(JSOp) + 648 (IonBuilder.cpp:2065)
4 js-dbg-64-dm-clang-darwin-28e2a6dde76a 0x000000010363e4a2 js::jit::IonBuilder::traverseBytecode() + 674 (IonBuilder.cpp:1547)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/3656a6f2cd7e user: Jan de Mooij date: Tue Nov 15 15:54:14 2016 +0100 summary: Bug 1310125 part 2 - Port Baseline scripted getter IC stub to CacheIR. r=h4writer Jan, is bug 1310125 a likely regressor?
Blocks: 1310125
Flags: needinfo?(jdemooij)
|
Assignee | |
Comment 3•8 years ago
|
||
Small bug, we need to add the receiver after doing the other checks. I also wrote a less obscure test for this and added some correctness checks.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8812170 -
Flags: review?(hv1989)
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8812170 [details] [diff] [review] Patch Review of attachment 8812170 [details] [diff] [review]: ----------------------------------------------------------------- Good catch
Attachment #8812170 -
Flags: review?(hv1989) → review+
|
|
||
Updated•8 years ago
|
Priority: -- → P1
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/528b50a82eab Fix AddCacheIRGetPropFunction to add the receiver after doing other checks. r=h4writer
|
||
Comment 6•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/528b50a82eab
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in
before you can comment on or make changes to this bug.
Description
•