Closed Bug 1509293 Opened 5 years ago Closed 5 years ago

Assertion failure: !hasLazyGroup(), at js/src/vm/JSObject.h:138

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

(Reporter: decoder, Assigned: mgaudet)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision eeddcefcdad8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

// Testcase from the report: push() is invoked with Array.prototype itself as `this`;
// the assertion fires in js::jit::CallIRGenerator::tryAttachArrayPush (CacheIR.cpp:5046).
var summary = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
Array.prototype.push([...summary]);


Backtrace:

received signal SIGSEGV, Segmentation fault.
JSObject::group (this=<optimized out>) at js/src/vm/JSObject.h:138
#0  JSObject::group (this=<optimized out>) at js/src/vm/JSObject.h:138
#1  0x000055555614cfe7 in js::jit::CallIRGenerator::tryAttachArrayPush (this=0x7fffffffc310) at js/src/jit/CacheIR.cpp:5046
#2  0x000055555614d54f in js::jit::CallIRGenerator::tryAttachStub (this=this@entry=0x7fffffffc310) at js/src/jit/CacheIR.cpp:5233
#3  0x000055555604c0b4 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffc618, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc5c8, res=...) at js/src/jit/BaselineIC.cpp:3634
#4  0x0000346590f3c0a3 in ?? ()
[...]
#26 0x0000000000000000 in ?? ()
rip	0x5555558bd75d <JSObject::group() const+61>
=> 0x5555558bd75d <JSObject::group() const+61>:	movl   $0x0,0x0
   0x5555558bd768 <JSObject::group() const+72>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5bb170d70875
user:        Kannan Vijayan
date:        Tue Jul 25 11:28:38 2017 -0400
summary:     Bug 1366375 - Add CacheIR stub for optimizing calls to array_push.  r=jandem

This iteration took 261.482 seconds to run.
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da3635436bf1
Add missing lazyProtoCheck to tryAttachArrayPush r=djvj
https://hg.mozilla.org/mozilla-central/rev/da3635436bf1
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Should we land this testcase still?
Flags: needinfo?(mgaudet)
Flags: needinfo?(mgaudet)