823390 - Assertion failure: isGlobal() while compiling regex literal in self-hosted JavaScript

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Norbert Lindenberg]

Attachment: Test case for regular expression literal in self-hosted code. Do not check in.

Assertion failure: isGlobal(), at js/src/vm/GlobalObject.h:503
occurs while compiling self-hosted JavaScript code that contains a regex literal.

To reproduce, apply the attached patch, build the js shell, and run
$ js regex.js

Comment 1

[Norbert Lindenberg]

Stack trace:

JSObject::asGlobal (this=0x101727be0) at GlobalObject.h:503
503	    JS_ASSERT(isGlobal());
(gdb) bt
#0  JSObject::asGlobal (this=0x101727be0) at GlobalObject.h:503
#1  0x00000001000169c9 in JSObject::global (this=0x101727be0) at jsobjinlines.h:1220
#2  0x00000001004a0e37 in js::mjit::Compiler::jsop_regexp (this=0x7fff5fbf5758) at /Users/standards/mozilla/intl/js/src/methodjit/Compiler.cpp:6987
#3  0x000000010048693b in js::mjit::Compiler::generateMethod (this=0x7fff5fbf5758) at /Users/standards/mozilla/intl/js/src/methodjit/Compiler.cpp:3226
#4  0x000000010047e56a in js::mjit::Compiler::performCompilation (this=0x7fff5fbf5758) at /Users/standards/mozilla/intl/js/src/methodjit/Compiler.cpp:567
#5  0x000000010047dd51 in js::mjit::Compiler::compile (this=0x7fff5fbf5758) at /Users/standards/mozilla/intl/js/src/methodjit/Compiler.cpp:145
#6  0x000000010048f512 in js::mjit::CanMethodJIT (cx=0x1013156f0, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbfa2a8}, pc=0x101321898 "T", construct=false, request=js::mjit::CompileRequest_Interpreter, frame=0x102000218) at /Users/standards/mozilla/intl/js/src/methodjit/Compiler.cpp:1108
#7  0x000000010016dcfd in js::RunScript (cx=0x1013156f0, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbfa2a8}, fp=0x102000218) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:339
#8  0x00000001005503a6 in UncachedInlineCall (f=@0x7fff5fbfa680, initial=js::INITIAL_NONE, pret=0x7fff5fbfa5e8, unjittable=0x7fff5fbfa5f0, argc=1) at /Users/standards/mozilla/intl/js/src/methodjit/InvokeHelpers.cpp:372
#9  0x0000000100550616 in js::mjit::stubs::UncachedCallHelper (f=@0x7fff5fbfa680, argc=1, lowered=false, ucr=@0x7fff5fbfa5d8) at /Users/standards/mozilla/intl/js/src/methodjit/InvokeHelpers.cpp:460
#10 0x0000000100527404 in js::mjit::CallCompiler::update (this=0x7fff5fbfa640) at /Users/standards/mozilla/intl/js/src/methodjit/MonoIC.cpp:1236
#11 0x00000001005248c2 in js::mjit::ic::Call (f=@0x7fff5fbfa680, ic=0x101323ab0) at /Users/standards/mozilla/intl/js/src/methodjit/MonoIC.cpp:1317
#12 0x0000000101442103 in ?? ()
#13 0x00000001004686d5 in js::mjit::EnterMethodJIT (cx=0x1013156f0, fp=0x102000190, code=0x101441d20, stackLimit=0x1023e0000, partial=true) at /Users/standards/mozilla/intl/js/src/methodjit/MethodJIT.cpp:1039
#14 0x0000000100468b68 in CheckStackAndEnterMethodJIT (cx=0x1013156f0, fp=0x102000190, code=0x101441d20, partial=true) at /Users/standards/mozilla/intl/js/src/methodjit/MethodJIT.cpp:1097
#15 0x0000000100468a28 in js::mjit::JaegerShot (cx=0x1013156f0, partial=true) at /Users/standards/mozilla/intl/js/src/methodjit/MethodJIT.cpp:1115
#16 0x00000001001742a1 in js::Interpret (cx=0x1013156f0, entryFrame=0x1020000b8, interpMode=js::JSINTERP_NORMAL) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:2420
#17 0x000000010016dd71 in js::RunScript (cx=0x1013156f0, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbfcdb0}, fp=0x1020000b8) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:348
#18 0x000000010017b9a3 in js::InvokeKernel (cx=0x1013156f0, args={<JS::CallReceiver> = {usedRval_ = false, argv_ = 0x1020000b0}, argc_ = 1}, construct=js::NO_CONSTRUCT) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:406
#19 0x0000000100173bb6 in js::Interpret (cx=0x1013156f0, entryFrame=0x102000030, interpMode=js::JSINTERP_NORMAL) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:2365
#20 0x000000010016dd71 in js::RunScript (cx=0x1013156f0, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbff490}, fp=0x102000030) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:348
#21 0x000000010017c9aa in js::ExecuteKernel (cx=0x1013156f0, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbff490}, scopeChain=@0x10171f060, thisv=@0x7fff5fbff358, type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:537
#22 0x000000010017cca1 in js::Execute (cx=0x1013156f0, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbff490}, scopeChainArg=@0x10171f060, rval=0x0) at /Users/standards/mozilla/intl/js/src/jsinterp.cpp:574
#23 0x0000000100072598 in JS_ExecuteScript (cx=0x1013156f0, objArg=0x10171f060, scriptArg=0x101723100, rval=0x0) at /Users/standards/mozilla/intl/js/src/jsapi.cpp:5573
#24 0x000000010000c19a in Process (cx=0x1013156f0, obj_=0x10171f060, filename=0x7fff5fbffc8a "regex.js", forceTTY=false) at /Users/standards/mozilla/intl/js/src/shell/js.cpp:579
#25 0x000000010000a973 in ProcessArgs (cx=0x1013156f0, obj_=0x10171f060, op=0x7fff5fbffa08) at /Users/standards/mozilla/intl/js/src/shell/js.cpp:4940
#26 0x0000000100009959 in Shell (cx=0x1013156f0, op=0x7fff5fbffa08, envp=0x7fff5fbffb40) at /Users/standards/mozilla/intl/js/src/shell/js.cpp:4977
#27 0x000000010000b358 in main (argc=2, argv=0x7fff5fbffb28, envp=0x7fff5fbffb40) at /Users/standards/mozilla/intl/js/src/shell/js.cpp:5181

Comment 2

[Norbert Lindenberg]

Attachment: Test case for regular expression literal in self-hosted code. Do not check in.

Comment 3

[Shu-yu Guo [:shu]]

Attachment: fix

This seems to be a case of the incorrect |clearParent| and |clearType| calls a la bug 808949.

This patch kills those calls.

Comment 4

[Shu-yu Guo [:shu]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/e6940cd4d42a

https://tbpl.mozilla.org/?tree=Try&rev=95a9a551352d

Comment 5

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

https://hg.mozilla.org/mozilla-central/rev/e6940cd4d42a