TI: Assertion failure: !hasLazyType(), at ../jsobj.h:808

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reporter: decoder
Assignee: Unassigned
Blocks: 2 bugs
Keywords: assertion, testcase
Version: Trunk
Hardware: x86_64
OS: Linux
Attachments: 1

Description (Reporter, 7 years ago)

Created attachment 549396: Testcase for shell

The attached testcase asserts on TI revision d43c6dddeb2b (run with -j -m -n -a), tested on 64 bit.
Comment 1 (Reporter, 7 years ago)

Seems like my report script doesn't properly set the Platform flags, will fix this now.
OS: Other → Linux
Hardware: Other → x86_64
Comment 2

WFM, can you paste a stack from where it is asserting? Should be simple, somewhere we are calling JSObject::type instead of JSObject::getType.

Comment 3 (Reporter, 7 years ago)

The original testcase posted here doesn't work for me either anymore on tip, but its unminimized version still does. Here is the stack:

#0  0x00007ffff7bcdb3b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00000000005d4276 in CrashInJS () at /home/decoder/LangFuzz/jaegermonkey/js/src/jsutil.cpp:88
#2  0x00000000005d42ce in JS_Assert (s=0x7c73e2 "!hasLazyType()", file=0x7c7396 "../jsobj.h", ln=808) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsutil.cpp:96
#3  0x00000000004138a0 in JSObject::type (this=0x7ffff640da80) at ../jsobj.h:808
#4  0x00000000004e5683 in JSObject::splicePrototype (this=0x7ffff640da80, cx=0xbb0760, proto=0x7ffff640ede0) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsinfer.cpp:5033
#5  0x000000000051b47a in js::SetProto (cx=0xbb0760, obj=0x7ffff640da80, proto=0x7ffff640ede0, checkForCycles=true) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:4537
#6  0x000000000050ea9a in obj_setProto (cx=0xbb0760, obj=0x7ffff640da80, id=..., strict=0, vp=0x7fffffff9c00) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:199
#7  0x0000000000525db6 in js::CallJSPropertyOpSetter (cx=0xbb0760, op=0x50e986 <obj_setProto(JSContext*, JSObject*, jsid, JSBool, js::Value*)>, obj=0x7ffff640da80, id=..., 
    strict=0, vp=0x7fffffff9c00) at /home/decoder/LangFuzz/jaegermonkey/js/src/jscntxtinlines.h:363
#8  0x0000000000526c59 in js::Shape::set (this=0x7ffff6401540, cx=0xbb0760, obj=0x7ffff640da80, strict=false, vp=0x7fffffff9c00)
    at /home/decoder/LangFuzz/jaegermonkey/js/src/jsscopeinlines.h:312
#9  0x000000000051f259 in js_SetPropertyHelper (cx=0xbb0760, obj=0x7ffff640da80, id=..., defineHow=1, vp=0x7fffffff9c00, strict=0)
    at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:5953
#10 0x00000000007c55b1 in js::mjit::stubs::SetName<0> (f=..., origAtom=0x7ffff66019c0) at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/StubCalls.cpp:265
#11 0x000000000072ed45 in DisabledSetPropIC<0> (f=..., pic=0xbffdd8) at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/PolyIC.cpp:1880
#12 0x00000000006965f4 in throwpoline_exit () at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/MethodJIT.cpp:152
#13 0x00007ffff7f78a52 in ?? ()
#14 0x0000000000000001 in ?? ()
#15 0x00007fffffffc280 in ?? ()
#16 0x00007ffff64048b0 in ?? ()
#17 0x00007ffff67791c0 in ?? ()
#18 0x0000000000bda3fd in ?? ()
#19 0x0000000000000000 in ?? ()
If you need an updated test, let me know.
Updated (Reporter, 7 years ago)

Blocks: 676763

From the stack it looks like the problem is we triggered a GC while splicing the prototype for an object with singleton type.  This reverted the object to a lazy type, since there was no stack reference held on the object's type, and broke the assumption made by later code in the function that the object does not have a lazy type.

http://hg.mozilla.org/projects/jaegermonkey/rev/cc17967ae10b
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
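The mechanism described in the comment above, as an added C++ model that is not SpiderMonkey code and does not reproduce the linked changeset: an object's type object is collected by a GC if nothing roots it, the object silently falls back to a lazy type, and code that reads the type after a GC-capable call in the middle of the splice then trips the `!hasLazyType()` check. The names `Heap`, `Root`, `allocateMayGC`, `spliceProtoUnrooted`, `spliceProtoRooted` and `runSplice` are assumptions of this model; the rooted variant follows the fix the comment describes (a stack reference held on the type across the call).

```cpp
#include <algorithm>
#include <memory>
#include <unordered_set>
#include <vector>

// Toy model of the failure mode in this bug (added illustration, not
// SpiderMonkey code): an object points at a TypeObject; a GC discards any
// TypeObject that nothing roots and reverts its owners to a "lazy" type
// (modelled as typeObj == nullptr). Code that reads the type after a call
// that may GC must keep the type alive across that call.
struct TypeObject { int id; };

struct Object {
    TypeObject* typeObj = nullptr;  // nullptr models a lazy type
    Object* proto = nullptr;
    bool hasLazyType() const { return typeObj == nullptr; }
};

class Heap {
public:
    // RAII stack root: while alive, the GC keeps this TypeObject.
    class Root {
    public:
        Root(Heap& h, TypeObject* t) : h_(h), t_(t) { h_.roots_.insert(t_); }
        ~Root() { h_.roots_.erase(t_); }
        Root(const Root&) = delete;
        Root& operator=(const Root&) = delete;
    private:
        Heap& h_;
        TypeObject* t_;
    };

    TypeObject* newType() {
        types_.emplace_back(new TypeObject{nextId_++});
        return types_.back().get();
    }
    Object* newObject(TypeObject* t) {
        objects_.emplace_back(new Object());
        objects_.back()->typeObj = t;
        return objects_.back().get();
    }
    // GC: every TypeObject without a stack root is freed and each object
    // that used it falls back to a lazy type.
    void gc() {
        for (auto& o : objects_)
            if (o->typeObj && roots_.count(o->typeObj) == 0) o->typeObj = nullptr;
        types_.erase(std::remove_if(types_.begin(), types_.end(),
                         [&](const std::unique_ptr<TypeObject>& t) {
                             return roots_.count(t.get()) == 0;
                         }),
                     types_.end());
    }
    // Stands in for an allocation inside the splice that may trigger a GC.
    void allocateMayGC(bool triggerGC) {
        if (triggerGC) gc();
        newType();
    }

private:
    std::vector<std::unique_ptr<TypeObject>> types_;
    std::vector<std::unique_ptr<Object>> objects_;
    std::unordered_set<TypeObject*> roots_;
    int nextId_ = 0;
};

// Shape of the bug: nothing keeps obj's type alive across allocateMayGC, so a
// GC there turns the type lazy and the later read (the !hasLazyType()
// assertion in the real code) fails. Returns false where it would assert.
bool spliceProtoUnrooted(Heap& h, Object* obj, Object* proto, bool gcDuringSplice) {
    h.allocateMayGC(gcDuringSplice);
    if (obj->hasLazyType()) return false;
    obj->proto = proto;
    return true;
}

// Shape of the fix described in the comment: hold a stack reference to the
// type for the whole duration of the splice.
bool spliceProtoRooted(Heap& h, Object* obj, Object* proto, bool gcDuringSplice) {
    Heap::Root keepType(h, obj->typeObj);
    h.allocateMayGC(gcDuringSplice);
    if (obj->hasLazyType()) return false;
    obj->proto = proto;
    return true;
}

// Builds a fresh heap with a singleton-typed object and runs one splice.
bool runSplice(bool rooted, bool gcDuringSplice) {
    Heap h;
    Object* proto = h.newObject(nullptr);
    Object* obj = h.newObject(h.newType());
    return rooted ? spliceProtoRooted(h, obj, proto, gcDuringSplice)
                  : spliceProtoUnrooted(h, obj, proto, gcDuringSplice);
}
```

Without a GC both variants succeed; with a GC in the middle of the splice only the rooted variant still sees a non-lazy type, which is why a stack-trace-only symptom like the one above is a strong hint to look for the nearest GC-capable call between the last use of an unrooted heap reference and the assertion.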