1548538 - Assertion failure: getter.isInterpretedLazy(), at js/src/jit/CacheIR.cpp:449

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision e8766f96041a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):

function __f_19() {
    "use asm";
    return {}
}
var sym = Symbol();
var o = {};
o.__defineGetter__(sym, __f_19);
o[sym];

Backtrace:

received signal SIGSEGV, Segmentation fault.
IsCacheableGetPropCallScripted (obj=0x1101f0d891c0, holder=<optimized out>, shape=<optimized out>, isTemporarilyUnoptimizable=0x7fffffffc127) at js/src/jit/CacheIR.cpp:449
#0  IsCacheableGetPropCallScripted (obj=0x1101f0d891c0, holder=<optimized out>, shape=<optimized out>, isTemporarilyUnoptimizable=0x7fffffffc127) at js/src/jit/CacheIR.cpp:449
#1  0x00005555561aa66e in CanAttachNativeGetProp (cx=0x7ffff5f19000, obj=..., id=..., holder=holder@entry=..., shape=shape@entry=..., pc=0x7ffff5ffb6ec "7Q\231Ш\005\235\n\270\260Ӡ\235\b\270\260ˠ\270\260֘\002\260\244\270\260̠\260", resultFlags=js::jit::GetPropertyResultFlags::All) at js/src/jit/CacheIR.cpp:591
#2  0x00005555561da081 in js::jit::GetPropIRGenerator::tryAttachNative (this=this@entry=0x7fffffffc320, obj=obj@entry=..., objId=..., objId@entry=..., id=id@entry=...) at js/src/jit/CacheIR.cpp:1037
#3  0x00005555561e17e6 in js::jit::GetPropIRGenerator::tryAttachStub (this=this@entry=0x7fffffffc320) at js/src/jit/CacheIR.cpp:266
#4  0x000055555608dee8 in js::jit::TryAttachGetPropStub (name=name@entry=0x555556b2af46 "GetElem", cx=<optimized out>, frame=frame@entry=0x7fffffffc750, stub=stub@entry=0x7ffff58f13f0, kind=kind@entry=<incomplete type>, val=..., idVal=..., receiver=...) at js/src/jit/BaselineIC.cpp:2060
#5  0x00005555560b4597 in js::jit::DoGetElemFallback (cx=<optimized out>, frame=0x7fffffffc750, stub=0x7ffff58f13f0, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:2121
#6  0x000017638f863af3 in ?? ()
[...]
#20 0x0000000000000000 in ?? ()
rax	0x555557c9d9a0	93825033427360
rbx	0x137c5f8005a8	21424899098024
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x555556c2a748	93825016178504
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc0f0	140737488339184
rsp	0x7fffffffc0c0	140737488339136
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x1101f0d891c0	18700033364416
r13	0x7fffffffc127	140737488339239
r14	0x7fffffffc0c0	140737488339136
r15	0x7fffffffc1b0	140737488339376
rip	0x5555561a758d <IsCacheableGetPropCallScripted(JSObject*, JSObject*, js::Shape*, bool*)+317>
=> 0x5555561a758d <IsCacheableGetPropCallScripted(JSObject*, JSObject*, js::Shape*, bool*)+317>:	movl   $0x0,0x0
   0x5555561a7598 <IsCacheableGetPropCallScripted(JSObject*, JSObject*, js::Shape*, bool*)+328>:	ud2

Marking s-s until investigated because the test involves Symbol and is a JIT assertion.

Comment 1

[Iain Ireland [:iain]]

Not a sec bug. I added an assertion while refactoring some of the GetProp IC code, and did not realize that asm.js functions could reach that point. It should be a one-line fix. Patch coming shortly.

Comment 2

[Iain Ireland [:iain]]

Attachment: Bug 1548538: Refactor IsCacheableGetPropCall r=tcampbell

Cleaning some stuff up while we're touching this code.

Comment 3

[Pulsebot]

Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/87ead560a269
Refactor IsCacheableGetPropCall r=tcampbell

Comment 4

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/87ead560a269