Closed Bug 1395120 Opened 7 years ago Closed 7 years ago

Assertion failure: obj->as<UnboxedPlainObject>().layout().lookup(id), at js/src/vm/Interpreter-inl.h:413

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1397071
Tracking Flags:
Tracking Status
firefox57 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][adv-main57-]) 

The following testcase crashes on mozilla-central revision d10c97627b51 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads):

setJitCompilerOption("ion.warmup.trigger", 8);
function testOption(Constructor, property, values) {
  testValues = values.slice(0);
  testValues.forEach(function (value) {
    options[property] = value;
    obj = new Constructor(undefined, options);
      actual = obj.resolvedOptions()[property];
  });
}
function getDateTimeComponents() {
  return ["weekday", "day", "hour"];
}
function getDateTimeComponentValues(component) {
  var components = {
    weekday: ["narrow", "short", "long"],
    day: ["2-digit", "numeric"],
    hour: ["2-digit", "numeric"],
  };
  var result = components[component];
  return result;
}
getDateTimeComponents().forEach(function (component) {
    testOption(Intl.DateTimeFormat, component, getDateTimeComponentValues(component));
});



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000748708 in js::InitPropertyOperation (rhs=..., id=..., obj=..., op=<optimized out>, cx=0x7ffff6924000) at js/src/vm/Interpreter-inl.h:413
#0  0x0000000000748708 in js::InitPropertyOperation (rhs=..., id=..., obj=..., op=<optimized out>, cx=0x7ffff6924000) at js/src/vm/Interpreter-inl.h:413
#1  js::jit::IonSetPropertyIC::update (cx=0x7ffff6924000, outerScript=..., ic=0x7ffff59fa328, obj=..., idVal=..., rhs=...) at js/src/jit/IonIC.cpp:247
#2  0x0000374d8bd190ed in ?? ()
#3  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff59fa328	140737314267944
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffff8d00	140737488325888
rsp	0x7fffffff8980	140737488324992
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffff8a20	140737488325152
r13	0x7ffff6924000	140737330167808
r14	0x7ffff5edb3d0	140737319384016
r15	0x7fffffff8a00	140737488325120
rip	0x748708 <js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)+2408>
=> 0x748708 <js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)+2408>:	movl   $0x0,0x0
   0x748713 <js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)+2419>:	ud2    


I'm not sure what this assertion means, but since it mentions unboxing and this is happening in IC, I'm marking it s-s until triaged by JS developers.
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2e4748827cda
user:        Jon Coppeard
date:        Wed Aug 09 18:05:15 2017 +0100
summary:     Bug 1374239 - Store and re-throw module instantiation and evaluation errors r=shu

This iteration took 0.893 seconds to run.
Jon, is bug 1374239 a likely regressor?
Blocks: 1374239
Flags: needinfo?(jdemooij) → needinfo?(jcoppeard)
Nope, I can't see anything module related here.
Flags: needinfo?(jcoppeard)
Flags: needinfo?(jdemooij)
This is probably the same issue as bug 1397071. I'll fix this week.
(In reply to Jan de Mooij [:jandem] from comment #6)
> This is probably the same issue as bug 1397071. I'll fix this week.

Confirmed.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-min57-]
Whiteboard: [jsbugmon:update][adv-min57-] → [jsbugmon:update][adv-main57-]
Group: core-security-release
Group: javascript-core-security, core-security-release
You need to log in before you can comment on or make changes to this bug.