Closed Bug 883395 Opened 7 years ago Closed 7 years ago

Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp with --enable-more-deterministic

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS


RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 file)

Attached file debug and opt stacks
// Read every own property of `a`; property getters may throw, so errors are swallowed.
function f(a) {
    hns = Object.getOwnPropertyNames(a);
    for (var j = 0; j < hns.length; ++j) {
        hn = hns[j];
        try {
            v = a[hn]
        } catch (e) {}
    }
}
// Walk every global function and probe the own properties of its prototype.
var gns = Object.getOwnPropertyNames(this);
for (i = 0; i < gns.length; ++i) {
    var gn = gns[i];
    g = this[gn];
    if (typeof g == "function" && g.toString().indexOf("]") != 1) {
        f(g.prototype, "")
    }
}

asserts js debug shell on m-i changeset ce43d28276e4 without any CLI arguments at Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp and crashes js opt shell at js::intrinsic_UnsafeGetElement

(tested on a 64-bit threadsafe deterministic shell)

This seems highly likely to be caused by bug 880208, and is definitely a fuzzblocker as it crashes / asserts within jsfunfuzz itself (outside of generated code).

https://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Flags: needinfo?(nmatsakis)
This needs --enable-more-deterministic but not --enable-threadsafe. I'm going to have to disable fuzzing deterministic shells (and thus compareJIT.py) until this is fixed.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   135050:18c1fd169792
user:        Nicholas D. Matsakis
date:        Thu Jun 06 11:01:15 2013 -0400
summary:     Bug 880208 - Add UnsafeGet and UnsafeGetImmutable intrinsics r=djvj

This iteration took 124.926 seconds to run.
Summary: Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp → Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp with --enable-more-deterministic
I have a testcase that does not require --enable-more-deterministic. I spoke to Luke and unfortunately it looks like this testcase will affect real-world usage, and to spare the agony of debugging nightly crashes, we may have to back bug 880208 out.
This is likely fixed by the backout in bug 880208 comment 6. The testcase that does not require --enable-more-deterministic is in bug 880208 comment 7.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → FIXED