Closed Bug 872546 Opened 11 years ago Closed 11 years ago

Crash [@ js::ToBooleanSlow]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 879723

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 26ab72bfa9df (run with --ion-eager):


var p = Proxy.create({
  has : function(id) {}
});
Object.prototype.__proto__ = p;
test();
function test() {
  var start = 0;
  var stop  = 0;
  var resolution = 5;
  while (stop - start == 0) {
    start = Date.now();
    stop = Date.now();
  }
  actual = (stop - start <= resolution);
  actual;
}
test();
actual = '';
test();
for (var i = 0; actual ;-i) {}

The crash itself looks harmless:


Program received signal SIGSEGV, Segmentation fault.
js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:194
194             return v.toString()->length() != 0;
#0  js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:194
#1  0x0000000000847e60 in ToBoolean (v=...) at ../jsapi.h:1550
#2  js::ion::DoToBoolFallback (cx=0x19487b0, frame=0x7fffffffd408, stub=0x195a0a0, arg=$jsval(<error reading variable: Cannot access memory at address 0x7fff00000001>), ret=...) at js/src/ion/BaselineIC.cpp:2068
#3  0x00007ffff7f994da in ?? ()
[...]
rax     0x1     140733193388033
=> 0x477d05 <js::ToBooleanSlow(JS::Value const&)+213>:  mov    (%rax),%rax
   0x477d08 <js::ToBooleanSlow(JS::Value const&)+216>:  shr    $0x4,%rax



However, before reducing, this test asserted instead with

Assertion failure: (ptrBits & 0x7) == 0, at ./dist/include/js/Value.h:734

and in an opt-build I got this instead:

Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp:614


Both seem to indicate a GC problem, so I'm going to assume that this is s-s. Please let me know if the bug reproduced by this test and the assertions are connected. If not, then I will try to produce a second testcase reproducing the ptrBits assertion.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   129595:a8d0317c24c1
user:        Brian Hackett
date:        Sun Apr 14 06:40:58 2013 -0600
summary:     Bug 861419 - Consider values in prototype when reading global names during Ion compilation.

This iteration took 11.935 seconds to run.
Brian, can you take a look based on comment 3? Thanks.
Flags: needinfo?(bhackett1024)
Conservatively marking this high based on the assertion failures from comment 1.
Keywords: sec-high
WFM on tip, can you still reproduce? The blame is almost certainly wrong, that bug is pretty innocuous.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,reconfirm]
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:update,reconfirm,ignore]
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision 8eebe35aae63).
Whiteboard: [jsbugmon:update,reconfirm,ignore] → [jsbugmon:update,reconfirm]
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:update,reconfirm,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 4c4dec8506ab).
Whiteboard: [jsbugmon:update,reconfirm,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/7ecbdd658637
user:        Shu-yu Guo
date:        Mon Jun 10 12:10:13 2013 -0700
summary:     Bug 879723 - Make sure property types reflect inherited types from the prototype when specializing a setgname. (r=bhackett)

This iteration took 10.762 seconds to run.
Shu, is the bug in comment 9 likely the fix for this bug?
Flags: needinfo?(shu)
(In reply to Christian Holler (:decoder) from comment #10)
> Shu, is the bug in comment 9 likely the fix for this bug?

Can't say for sure, but likely, since the fuzz test case futzes with the proto chain.
Flags: needinfo?(shu)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release