Closed Bug 816462 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: JS_ObjectIsFunction(__null, this), at ../../jsfun.h:290 or Bus Error

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 816492

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:])

The following testcase asserts on mozilla-central revision c63d5cff18ba (run with --ion-eager):

function allTests() {
  new Date(2010, 1, 1).toString();
}
Date = newGlobal("new-compartment").Date;
allTests();

Opt build crashes like this:

Program received signal SIGBUS, Bus error.
ensureRanAnalysis (cx=0xb365c0, this=0xfffbfffff602d7c0) at ../jsinferinlines.h:1715
1715 if (!self->ensureHasTypes(cx))
(gdb) bt
#0 ensureRanAnalysis (cx=0xb365c0, this=0xfffbfffff602d7c0) at ../jsinferinlines.h:1715
#1 AnalyzeNewScriptProperties (cx=0xb365c0, type=0x7ffff6009220, fun=0x7ffff6032040, pbaseobj=..., initializerList=0x7fffffffce30) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:4654
#2 0x00000000004a0abb in CheckNewScriptProperties (cx=0xb365c0, type=..., fun=0x7ffff6032040) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:4964
#3 0x00000000004a146e in JSCompartment::getNewType (this=0xb413f0, cx=0xb365c0, proto_=..., fun_=0x7ffff6032040, isDOM=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:5888
#4 0x00000000004a153a in JSObject::getNewType (this=<optimized out>, cx=<optimized out>, fun_=<optimized out>, isDOM=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:5914
#5 0x00000000004dc3b1 in js_CreateThisForFunctionWithProto (cx=0xb365c0, callee=..., proto=<optimized out>) at /srv/repos/mozilla-central/js/src/jsobj.cpp:2359
#6 0x00007ffff7feb722 in ?? ()
#7 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x4a06c0 <AnalyzeNewScriptProperties(JSContext*, js::types::TypeObject*, JSFunction*, JS::MutableHandleObject, js::Vector<js::types::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*)+80>: cmpq $0x0,0x48(%rbp)
(gdb) info reg rbp
rbp 0xfffbfffff602d7c0 0xfffbfffff602d7c0
Blocks: IonFuzz
Crash Signature: [@ ensureRanAnalysis]
Keywords: crash
Summary: Assertion failure: JS_ObjectIsFunction(__null, this), at ../../jsfun.h:290 or Bus Error → IonMonkey: Assertion failure: JS_ObjectIsFunction(__null, this), at ../../jsfun.h:290 or Bus Error
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 85471409cbfb).

JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:

changeset: 114283:5158d648702e
user: Hannes Verschore
date: Tue Nov 27 22:03:37 2012 +0100
summary: Bug 813773: Enable IM to IM fastpath for constructing calls, r=nbp,sstangl

changeset: 114284:7e5deb571bbe
user: Geoff Brown
date: Tue Nov 27 14:05:18 2012 -0700
summary: Bug 814496 - sutAgent: Stop RedirOutputThread when timeout exceeded; r=wlach

This iteration took 67.417 seconds to run.
Marking sec-critical and requesting fix bisection to find out what might have fixed this.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 114452:6b4e13b0d1e4
user: Hubert Figuière
date: Wed Nov 28 23:00:56 2012 -0500
summary: Bug 816378 - Backout 5158d648702e (Bug 813773). a=bustage,Waldo

This iteration took 0.470 seconds to run.
Depends on: 813773
Hannes, this may be related to the earlier patches in bug 813773. Do you mind landing the testcase or something?
Flags: in-testsuite?
Flags: needinfo?(hv1989)
This is the same fault as bug 816492. The crash signature is different, but it is caused by the same culprit: calling "js_CreateThisForFunctionWithProto" with prototype of Native. You'll see it in this and in the other bug. The testcase of bug 816492 was pushed in http://hg.mozilla.org/integration/mozilla-inbound/rev/ba667d2eeaba . Therefore no need to push this.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(hv1989)
Flags: in-testsuite?
Flags: in-testsuite+
Resolution: --- → DUPLICATE
Group: core-security
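
Added triage example, not part of the original bug report or of SpiderMonkey: it classifies the pointer-like values in the gdb output above and shows that the faulting `this`/rbp value is not a canonical x86_64 address. The tag layout (17-bit tag over a 47-bit payload, tag = 0x1FFF0 | type) is an assumption about 64-bit SpiderMonkey builds of that era, not something stated in the bug, and the function names are hypothetical.

```python
import re

# Assumption (not stated in the bug): 64-bit SpiderMonkey values of this era
# keep a 17-bit tag above a 47-bit payload, with tag = 0x1FFF0 | type.
TAG_SHIFT = 47
PAYLOAD_MASK = (1 << TAG_SHIFT) - 1
TAG_MAX_DOUBLE = 0x1FFF0
TYPE_NAMES = {1: "int32", 2: "undefined", 3: "boolean", 4: "magic",
              5: "string", 6: "null", 7: "object"}

# Lines copied from the backtrace in this bug.
GDB_EXCERPT = """\
#0 ensureRanAnalysis (cx=0xb365c0, this=0xfffbfffff602d7c0) at ../jsinferinlines.h:1715
#1 AnalyzeNewScriptProperties (cx=0xb365c0, type=0x7ffff6009220, fun=0x7ffff6032040, pbaseobj=..., initializerList=0x7fffffffce30)
rbp 0xfffbfffff602d7c0 0xfffbfffff602d7c0
"""

def is_canonical(addr):
    """x86_64 canonical address: bits 63..47 are all zero or all one."""
    return (addr >> TAG_SHIFT) in (0, 0x1FFFF)

def classify(addr):
    """Say whether a crash-site value is pointer-shaped or a boxed value."""
    if is_canonical(addr):
        return {"canonical": True, "kind": "pointer", "payload": addr}
    type_bits = (addr >> TAG_SHIFT) - TAG_MAX_DOUBLE
    if type_bits in TYPE_NAMES:
        return {"canonical": False, "kind": "boxed " + TYPE_NAMES[type_bits],
                "payload": addr & PAYLOAD_MASK}
    return {"canonical": False, "kind": "unknown", "payload": None}

def triage(gdb_text):
    """Classify every name=0x... argument and 'reg 0x...' line in gdb output."""
    found = {}
    for name, value in re.findall(r"\b([A-Za-z_]\w*)[= ](0x[0-9a-f]+)", gdb_text):
        found.setdefault(name, classify(int(value, 16)))
    return found

if __name__ == "__main__":
    for name, info in triage(GDB_EXCERPT).items():
        payload = "-" if info["payload"] is None else hex(info["payload"])
        print(f"{name:16} canonical={info['canonical']!s:5} {info['kind']:13} {payload}")
```

Under that assumed layout the faulting value decodes as a boxed object whose payload, 0x7ffff602d7c0, lies in the same address range as the `fun` and `type` pointers in frame #1.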