IonMonkey: Assertion failure: script->types, at ../jsinferinlines.h:992 or Crash [@ js_CreateThisForFunctionWithProto]

VERIFIED FIXED in Firefox 21

Status

Type: defect
Priority: --
Severity: critical
Status: VERIFIED FIXED
Opened: 7 years ago
Closed: 6 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

Blocks: 1 bug
Keywords: assertion, crash, testcase
Version: Trunk
Target Milestone: mozilla22
Platform: x86_64 Linux
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox21 fixed, firefox22 fixed

Details

Whiteboard: [jsbugmon:update][qa-]
Crash signature: [@ js_CreateThisForFunctionWithProto]

Attachments: 1 attachment

Reporter

Description

7 years ago
The following testcase asserts on mozilla-central revision 4919e8091542 (run with --ion-eager):


eval("(function() { " + "\
var Constr = function( ... property)  {};\
Constr.prototype = 0.0;\
var c = new Constr(  ) ;\
" + " })();");
Reporter

Comment 1

7 years ago
Crash looks harmless:

==4558== Invalid read of size 4
==4558==    at 0x4D8691: js_CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*) (jsobj.cpp:4840)
==4558==    by 0x4D8B8E: js_CreateThisForFunction(JSContext*, JS::Handle<JSObject*>, bool) (jsobj.cpp:1452)
==4558==    by 0x788DB1: js::ion::CreateThis(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) (VMFunctions.cpp:503)
==4558==    by 0x4029765: ???
==4558==    by 0x6EC7A1: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1578)
==4558==    by 0x4B162D: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2415)
==4558==    by 0x4B3AAA: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:348)
==4558==    by 0x4B3D04: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:537)
==4558==    by 0x616D3A: EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::StackFrame*, JS::Handle<JSObject*>) (Eval.cpp:286)
==4558==    by 0x618148: js::DirectEval(JSContext*, JS::CallArgs const&) (Eval.cpp:337)
==4558==    by 0x4AE3A5: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2334)
==4558==    by 0x4B3AAA: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:348)
==4558==  Address 0x48 is not stack'd, malloc'd or (recently) free'd
Blocks: IonFuzz
Crash Signature: [@ js_CreateThisForFunctionWithProto]
Keywords: crash
Summary: Assertion failure: script->types, at ../jsinferinlines.h:992 or Crash [@ js_CreateThisForFunctionWithProto] → IonMonkey: Assertion failure: script->types, at ../jsinferinlines.h:992 or Crash [@ js_CreateThisForFunctionWithProto]
Whiteboard: [jsbugmon:update,bisect]
Reporter

Updated

7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter

Comment 2

7 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Reporter

Updated

7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Reporter

Updated

7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter

Comment 3

7 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Reporter

Updated

7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Reporter

Comment 4

7 years ago
JSBugMon: Cannot process bug: Unknown exception (check manually)
Reporter

Updated

6 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Reporter

Updated

6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter

Comment 5

6 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   119380:88daef90f2ab
user:        Brian Hackett
date:        Sun Jan 20 02:49:21 2013 -0700
summary:     Bug 821361 - Optimize type information in closures that only run once, r=luke.

This iteration took 111.004 seconds to run.
Reporter

Comment 6

6 years ago
Brian or Luke, can you take a look?
Assignee

Comment 7

6 years ago
Posted patch: patch [Splinter Review]
Preexisting issue, though I don't think it was possible to hit before bug 821361.
Assignee: general → bhackett1024
Attachment #725767 - Flags: review?(jdemooij)
Attachment #725767 - Flags: review?(jdemooij) → review+
Assignee

Comment 9

6 years ago
Comment on attachment 725767 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): old, recently exposed
User impact if declined: potential null crash
Risk to taking this patch (and alternatives if risky): none
Attachment #725767 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/839b5dce269c
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment on attachment 725767 [details] [diff] [review]
patch

Low risk patch, avoids null crash. Approving for uplift.
Attachment #725767 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Is there any manual verification needed, considering the automated test that is available?
Reporter

Comment 14

6 years ago
No verification needed as the test has been landed (and also uplifted).
Status: RESOLVED → VERIFIED
Marking [qa-] as per comment 14. Please remove this whiteboard tag and add the qawanted keyword if some testing is needed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][qa-]