Closed Bug 1353648 Opened 7 years ago Closed 7 years ago

Assertion failure: this->is<T>(), at js/src/jsobj.h:568

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: gkw, Assigned: tcampbell)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Detailed Crash Information
4.77 KB, text/plain
Details 
The following testcase crashes on mozilla-central revision b043233ec04f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

(function () {
    for (var i = 0; i < 2; i++) {
        try {
            for (let x in Array(-1)) {}
        } catch (e) {
            with({}) {}
        }
    }
})()

Backtrace:

#0  0x00000000005448a4 in JSObject::as<js::CallObject> (this=<optimized out>) at js/src/jsobj.h:568
#1  0x0000000000ad795c in js::EnvironmentIter::settle (this=this@entry=0x7ffe44e53b60) at js/src/vm/EnvironmentObject.cpp:1302
#2  0x0000000000ad7cb8 in js::EnvironmentIter::EnvironmentIter(JSContext*, js::AbstractFramePtr, unsigned char*, mozilla::detail::GuardObjectNotifier&&) (this=0x7ffe44e53b60, cx=0x7f2f85875000, frame=..., pc=0x7f2f85845335 <incomplete sequence \307>, _notifier=<unknown type in /home/gkwubu/shell-cache/js-dbg-64-dm-linux-b043233ec04f/js-dbg-64-dm-linux-b043233ec04f, CU 0x457e87e, DIE 0x47c1d95>) at js/src/vm/EnvironmentObject.cpp:1233
#3  0x0000000000e722ef in js::jit::FinishBailoutToBaseline (bailoutInfo=0x0) at js/src/jit/BaselineBailouts.cpp:1967
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0a3a0f9eb773
user:        Ted Campbell
date:        Wed Feb 15 15:28:15 2017 -0500
summary:     Bug 1273858 - Ion-compile JSOP_FRESHENLEXICALENV/JSOP_RECREATELEXICALENV r=jandem

Ted, is bug 1273858 a likely regressor?
Blocks: 1273858
Flags: needinfo?(tcampbell)
Yep, very likely is. I'll take a look at it.
Assignee: nobody → tcampbell
Flags: needinfo?(tcampbell)
Depends on: 1354275
Fixed in https://hg.mozilla.org/mozilla-central/rev/9590ce12459c
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox54: --- → affected
status-firefox55: affectedfixed
status-firefox-esr52: --- → unaffected
Flags: in-testsuite+
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: