TM: Assertion failure: (frameobj == NULL) == (*mTypeMap == JSVAL_TYPE_NULL), at ../jstracer.cpp:3174

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: jandem, Assigned: dvander)

Tracking

({assertion, regression, testcase})

unspecified
All
Mac OS X

Firefox Tracking Flags

(blocking2.0 -)

Details

(Whiteboard: [sg:low][fixed-in-tracemonkey])

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
---
function f(o) {
    var p = "arguments";
    for(var i=0; i<10; i++) {
        f[p];
    }
}
f({});
f({});
f({});
f({});
---
This asserts with -j -m -a:

Assertion failure: (frameobj == NULL) == (*mTypeMap == JSVAL_TYPE_NULL), at ../jstracer.cpp:3174

The patch in bug 632901 does not fix this; does not assert without -m.
(Reporter)

Comment 1

7 years ago
Created attachment 511976
Stack trace
(Reporter)

Comment 2

7 years ago
Also asserts with -j -m at revision bf89669b34cb, before bug 631951 landed. So this is not a regression from bug 631951.
(Reporter)

Comment 3

7 years ago
The first bad revision is:
changeset:   55725:339457364540
user:        Bill McCloskey <wmccloskey@mozilla.com>
date:        Thu Oct 21 09:36:39 2010 -0700
summary:     Bug 580468 - Use loop profiling to decide whether to use TM or JM (second try) (r=dmandelin)

This may be a red herring though.
(Reporter)

Comment 4

7 years ago
FWIW:

(gdb) p frameobj
$1 = (JSObject *) 0x0
(gdb) p *mTypeMap
$2 = JSVAL_TYPE_NONFUNOBJ
(Reporter)

Updated

7 years ago
Keywords: regression
(In reply to comment #3)
> The first bad revision is:
> changeset:   55725:339457364540
> user:        Bill McCloskey <wmccloskey@mozilla.com>
> date:        Thu Oct 21 09:36:39 2010 -0700
> summary:     Bug 580468 - Use loop profiling to decide whether to use TM or JM
> (second try) (r=dmandelin)
> 
> This may be a red herring though.

Yeah, sounds like that change exposed a latent bug.
(Reporter)

Comment 6

7 years ago
OK, this *does* assert without -m (see bug 633929)

I thought NULL was a legal value for JSVAL_TYPE_NONFUNOBJ? -ing on that assumption (meaning incorrect assertion).
blocking2.0: ? → -

It's not, but it shouldn't block anyway. Looks like Another Arguments Bug, should be easy to fix.

Created attachment 512221
fix

We're missing a deep bail by caching the result of a non-default getter. Low-risk patch.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #512221 - Flags: review?(cdleary)
Attachment #512221 - Flags: approval2.0?
Attachment #512221 - Flags: review?(cdleary) → review+
Attachment #512221 - Flags: approval2.0? → approval2.0+
Whiteboard: sg:low
http://hg.mozilla.org/tracemonkey/rev/34c05b9c0079
Whiteboard: sg:low → [sg:low][fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Group: core-security