Bug 675232
Opened 13 years ago
Closed 13 years ago
TI: Assertion failure: !hasLazyType(), at ../jsobj.h:808
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
(Keywords: assertion, testcase)
Attachments (1 file): 924 bytes, application/x-gzip
The attached testcase asserts on TI revision d43c6dddeb2b (run with -j -m -n -a), tested on 64 bit.
Comment 1 (Reporter) • 13 years ago
Seems like my report script doesn't properly set the Platform flags, will fix this now.
OS: Other → Linux
Hardware: Other → x86_64
Comment 2 • 13 years ago
WFM, can you paste a stack from where it is asserting? Should be simple, somewhere we are calling JSObject::type instead of JSObject::getType.
Comment 3 (Reporter) • 13 years ago
The original testcase posted here doesn't work for me either anymore on tip, but its unminimized version still does. Here is the stack:
#0 0x00007ffff7bcdb3b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1 0x00000000005d4276 in CrashInJS () at /home/decoder/LangFuzz/jaegermonkey/js/src/jsutil.cpp:88
#2 0x00000000005d42ce in JS_Assert (s=0x7c73e2 "!hasLazyType()", file=0x7c7396 "../jsobj.h", ln=808) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsutil.cpp:96
#3 0x00000000004138a0 in JSObject::type (this=0x7ffff640da80) at ../jsobj.h:808
#4 0x00000000004e5683 in JSObject::splicePrototype (this=0x7ffff640da80, cx=0xbb0760, proto=0x7ffff640ede0) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsinfer.cpp:5033
#5 0x000000000051b47a in js::SetProto (cx=0xbb0760, obj=0x7ffff640da80, proto=0x7ffff640ede0, checkForCycles=true) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:4537
#6 0x000000000050ea9a in obj_setProto (cx=0xbb0760, obj=0x7ffff640da80, id=..., strict=0, vp=0x7fffffff9c00) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:199
#7 0x0000000000525db6 in js::CallJSPropertyOpSetter (cx=0xbb0760, op=0x50e986 <obj_setProto(JSContext*, JSObject*, jsid, JSBool, js::Value*)>, obj=0x7ffff640da80, id=...,
strict=0, vp=0x7fffffff9c00) at /home/decoder/LangFuzz/jaegermonkey/js/src/jscntxtinlines.h:363
#8 0x0000000000526c59 in js::Shape::set (this=0x7ffff6401540, cx=0xbb0760, obj=0x7ffff640da80, strict=false, vp=0x7fffffff9c00)
at /home/decoder/LangFuzz/jaegermonkey/js/src/jsscopeinlines.h:312
#9 0x000000000051f259 in js_SetPropertyHelper (cx=0xbb0760, obj=0x7ffff640da80, id=..., defineHow=1, vp=0x7fffffff9c00, strict=0)
at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:5953
#10 0x00000000007c55b1 in js::mjit::stubs::SetName<0> (f=..., origAtom=0x7ffff66019c0) at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/StubCalls.cpp:265
#11 0x000000000072ed45 in DisabledSetPropIC<0> (f=..., pic=0xbffdd8) at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/PolyIC.cpp:1880
#12 0x00000000006965f4 in throwpoline_exit () at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/MethodJIT.cpp:152
#13 0x00007ffff7f78a52 in ?? ()
#14 0x0000000000000001 in ?? ()
#15 0x00007fffffffc280 in ?? ()
#16 0x00007ffff64048b0 in ?? ()
#17 0x00007ffff67791c0 in ?? ()
#18 0x0000000000bda3fd in ?? ()
#19 0x0000000000000000 in ?? ()
If you need an updated test, let me know.
Comment 4 • 13 years ago
From the stack it looks like the problem is we triggered a GC while splicing the prototype for an object with singleton type. This reverted the object to a lazy type, since there was no stack reference held on the object's type, and broke the assumption made by later code in the function that the object does not have a lazy type.
http://hg.mozilla.org/projects/jaegermonkey/rev/cc17967ae10b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED