Closed Bug 675232 Opened 8 years ago Closed 8 years ago

TI: Assertion failure: !hasLazyType(), at ../jsobj.h:808

(Core :: JavaScript Engine, defect, critical)

(Reporter: decoder, Unassigned)

(Blocks 2 open bugs)

(Keywords: assertion, testcase)

(1 file)

Attached file Testcase for shell
The attached testcase asserts on TI revision d43c6dddeb2b (run with -j -m -n -a), tested on 64 bit.
Seems like my report script doesn't properly set the Platform flags, will fix this now.
OS: Other → Linux
Hardware: Other → x86_64
WFM, can you paste a stack from where it is asserting?  Should be simple, somewhere we are calling JSObject::type instead of JSObject::getType.
The original testcase posted here doesn't work for me either anymore on tip, but its unminimized version still does. Here is the stack:

#0  0x00007ffff7bcdb3b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00000000005d4276 in CrashInJS () at /home/decoder/LangFuzz/jaegermonkey/js/src/jsutil.cpp:88
#2  0x00000000005d42ce in JS_Assert (s=0x7c73e2 "!hasLazyType()", file=0x7c7396 "../jsobj.h", ln=808) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsutil.cpp:96
#3  0x00000000004138a0 in JSObject::type (this=0x7ffff640da80) at ../jsobj.h:808
#4  0x00000000004e5683 in JSObject::splicePrototype (this=0x7ffff640da80, cx=0xbb0760, proto=0x7ffff640ede0) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsinfer.cpp:5033
#5  0x000000000051b47a in js::SetProto (cx=0xbb0760, obj=0x7ffff640da80, proto=0x7ffff640ede0, checkForCycles=true) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:4537
#6  0x000000000050ea9a in obj_setProto (cx=0xbb0760, obj=0x7ffff640da80, id=..., strict=0, vp=0x7fffffff9c00) at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:199
#7  0x0000000000525db6 in js::CallJSPropertyOpSetter (cx=0xbb0760, op=0x50e986 <obj_setProto(JSContext*, JSObject*, jsid, JSBool, js::Value*)>, obj=0x7ffff640da80, id=..., 
    strict=0, vp=0x7fffffff9c00) at /home/decoder/LangFuzz/jaegermonkey/js/src/jscntxtinlines.h:363
#8  0x0000000000526c59 in js::Shape::set (this=0x7ffff6401540, cx=0xbb0760, obj=0x7ffff640da80, strict=false, vp=0x7fffffff9c00)
    at /home/decoder/LangFuzz/jaegermonkey/js/src/jsscopeinlines.h:312
#9  0x000000000051f259 in js_SetPropertyHelper (cx=0xbb0760, obj=0x7ffff640da80, id=..., defineHow=1, vp=0x7fffffff9c00, strict=0)
    at /home/decoder/LangFuzz/jaegermonkey/js/src/jsobj.cpp:5953
#10 0x00000000007c55b1 in js::mjit::stubs::SetName<0> (f=..., origAtom=0x7ffff66019c0) at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/StubCalls.cpp:265
#11 0x000000000072ed45 in DisabledSetPropIC<0> (f=..., pic=0xbffdd8) at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/PolyIC.cpp:1880
#12 0x00000000006965f4 in throwpoline_exit () at /home/decoder/LangFuzz/jaegermonkey/js/src/methodjit/MethodJIT.cpp:152
#13 0x00007ffff7f78a52 in ?? ()
#14 0x0000000000000001 in ?? ()
#15 0x00007fffffffc280 in ?? ()
#16 0x00007ffff64048b0 in ?? ()
#17 0x00007ffff67791c0 in ?? ()
#18 0x0000000000bda3fd in ?? ()
#19 0x0000000000000000 in ?? ()

If you need an updated test, let me know.
Blocks: 676763
From the stack it looks like the problem is we triggered a GC while splicing the prototype for an object with singleton type.  This reverted the object to a lazy type, since there was no stack reference held on the object's type, and broke the assumption made by later code in the function that the object does not have a lazy type.
Closed: 8 years ago
Resolution: --- → FIXED