Bug 1509293 (Closed)
Opened 5 years ago
Closed 5 years ago
Assertion failure: !hasLazyGroup(), at js/src/vm/JSObject.h:138
Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED FIXED, mozilla65
People: Reporter: decoder, Assigned: mgaudet
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 2 files
The following testcase crashes on mozilla-central revision eeddcefcdad8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

    var summary = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
    Array.prototype.push([...summary]);

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    JSObject::group (this=<optimized out>) at js/src/vm/JSObject.h:138
    #0 JSObject::group (this=<optimized out>) at js/src/vm/JSObject.h:138
    #1 0x000055555614cfe7 in js::jit::CallIRGenerator::tryAttachArrayPush (this=0x7fffffffc310) at js/src/jit/CacheIR.cpp:5046
    #2 0x000055555614d54f in js::jit::CallIRGenerator::tryAttachStub (this=this@entry=0x7fffffffc310) at js/src/jit/CacheIR.cpp:5233
    #3 0x000055555604c0b4 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffc618, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc5c8, res=...) at js/src/jit/BaselineIC.cpp:3634
    #4 0x0000346590f3c0a3 in ?? ()
    [...]
    #26 0x0000000000000000 in ?? ()
    rax 0x555557b4f480 93825032057984
    rbx 0x7fffffffc310 140737488339728
    rcx 0x555556a68ec8 93825014337224
    rdx 0x0 0
    rsi 0x7ffff6eeb770 140737336227696
    rdi 0x7ffff6eea540 140737336223040
    rbp 0x7fffffffbf70 140737488338800
    rsp 0x7fffffffbf70 140737488338800
    r8 0x7ffff6eeb770 140737336227696
    r9 0x7ffff7fe6cc0 140737354034368
    r10 0x58 88
    r11 0x7ffff6b927a0 140737332717472
    r12 0x0 0
    r13 0x7fffffffbfa0 140737488338848
    r14 0x7fffffffbf90 140737488338832
    r15 0x7fffffffbfc0 140737488338880
    rip 0x5555558bd75d <JSObject::group() const+61>
    => 0x5555558bd75d <JSObject::group() const+61>: movl $0x0,0x0
       0x5555558bd768 <JSObject::group() const+72>: ud2
Updated•5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5bb170d70875
user: Kannan Vijayan
date: Tue Jul 25 11:28:38 2017 -0400
summary: Bug 1366375 - Add CacheIR stub for optimizing calls to array_push. r=jandem

This iteration took 261.482 seconds to run.
Comment 2•5 years ago
Updated•5 years ago
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da3635436bf1
Add missing lazyProtoCheck to tryAttachArrayPush r=djvj
Comment 4•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/da3635436bf1
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 5•5 years ago
Should we land this testcase still?
status-firefox63: --- → wontfix
status-firefox64: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: needinfo?(mgaudet)
Comment 6•5 years ago
Updated•5 years ago
Flags: needinfo?(mgaudet)
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/57f8289e1159
Add test case r=djvj
Comment 8•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/57f8289e1159