Assertion failure: self->template is<U>(), at js/src/jsobj.h:612

RESOLVED FIXED in Firefox 55

Status: RESOLVED FIXED
Product / Component: Core / JavaScript Engine
Severity: critical
Reported: 8 months ago
Last updated: 8 months ago

People: Reporter gkw, Assignee jandem

Tracking: Blocks 1 bug; keywords assertion, jsbugmon, testcase
Version: Trunk
Target Milestone: mozilla55
Hardware / OS: x86_64 Linux

Firefox Tracking Flags: firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55 fixed

Whiteboard: [fuzzblocker][jsbugmon:update]

Attachments: 2 attachments

(Reporter)

Description

8 months ago
The following testcase crashes on mozilla-central revision 9379831bb9c3 (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --ion-eager):

// `d` is a top-level const, so it lives in the global lexical environment,
// not as a property of the global object.
const d = 0;
function f() {
    var m = Math;
    (function () {
        // Free-variable assignment to a global lexical binding; assigning to a
        // const must throw a TypeError, not trip an engine assertion.
        m; d = 0;
    })()
}
try { f(); } catch (e) {}
f();

Backtrace:

#0  0x0000000000637668 in js::HandleBase<JSObject*, JS::Handle<JSObject*> >::as<js::LexicalEnvironmentObject> (this=0x7fff6cc280a8) at js/src/jsobj.h:612
#1  js::jit::BindNameIRGenerator::tryAttachGlobalName (this=this@entry=0x7fff6cc27f00, objId=..., objId@entry=..., id=..., id@entry=...) at js/src/jit/CacheIR.cpp:1892
#2  0x000000000063777c in js::jit::BindNameIRGenerator::tryAttachStub (this=this@entry=0x7fff6cc27f00) at js/src/jit/CacheIR.cpp:1878
#3  0x000000000071a766 in js::jit::IonBindNameIC::update (cx=0x7fd902c75000, outerScript=..., ic=0x7fd902c5d978, envChain=...) at js/src/jit/IonIC.cpp:342
#4  0x00000563dcb47f31 in ?? ()
#5  0x0000000000030102 in ?? ()
/snip

For detailed crash information, see attachment.

I see lots of similar assertion failures, marking as [fuzzblocker].
(Reporter)

Comment 1

8 months ago
Created attachment 8858538 [details]
Detailed Crash Information
(Reporter)

Comment 2

8 months ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c57012db4d11
user:        Jan de Mooij
date:        Fri Apr 14 12:29:15 2017 +0200
summary:     Bug 1353359 part 4 - Use BindName IC in Ion and remove the old IonCache infrastructure. r=evilpie

Jan, is bug 1353359 a likely regressor?
Blocks: 1353359
Flags: needinfo?(jdemooij)
(Assignee)

Comment 3

8 months ago
Created attachment 8858790 [details] [diff] [review]
Patch

IonBuilder::jsop_bindname was a bit bogus: it should pass the global lexical to the IC for JSOP_BINDGNAME.

This matches what we already do in BaselineCompiler::emit_JSOP_BINDNAME and in IonBuilder::jsop_getname so it's a very safe change.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8858790 - Flags: review?(evilpies)
(Assignee)

Updated

8 months ago
Duplicate of this bug: 1357018
(Assignee)

Comment 5

8 months ago
Bug 1353359 just exposed this: the code here was wrong before that. It didn't affect correctness though, it just meant JSOP_BINDGNAME in Ion was a bit slower than necessary, so we don't need to backport this.

Updated

8 months ago
Attachment #8858790 - Flags: review?(evilpies) → review+

Comment 6

8 months ago
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0dbf6b922416
Fix IonBuilder::jsop_bindname to pass the global lexical to the IC in the BINDGNAME case. r=evilpie

Comment 7

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0dbf6b922416
Status: ASSIGNED → RESOLVED
Last Resolved: 8 months ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr52: --- → unaffected
Duplicate of this bug: 1357280