Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp with --enable-more-deterministic

Status: RESOLVED FIXED
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People: Reporter: gkw, Unassigned

Tracking: Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Platform: x86_64, Mac OS X
Firefox Tracking Flags: (Not tracked)

Whiteboard: [fuzzblocker] [jsbugmon:update], crash signature

Attachments: (1 attachment)

Description (Reporter, 5 years ago)
Created attachment 762938 [details]
debug and opt stacks

// Read every own property of `a`; accessor properties run their getter
// with the prototype object itself as `this`.
function f(a) {
    hns = Object.getOwnPropertyNames(a);
    for (var j = 0; j < hns.length; ++j) {
        hn = hns[j];
        try {
            v = a[hn]
        } catch (e) {}
    }
}
// Walk every global; for each function-valued global, read the own
// properties of its prototype.
var gns = Object.getOwnPropertyNames(this);
for (i = 0; i < gns.length; ++i) {
    var gn = gns[i];
    g = this[gn];
    if (typeof g == "function" && g.toString().indexOf("]") != 1) {
        f(g.prototype, "")
    }
}

asserts the js debug shell on m-i changeset ce43d28276e4 without any CLI arguments at Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp and crashes the js opt shell at js::intrinsic_UnsafeGetElement

(tested on a 64-bit threadsafe deterministic shell)

This seems highly likely to be caused by bug 880208, and is definitely a fuzzblocker as it crashes / asserts within jsfunfuzz itself (outside of generated code).

https://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Flags: needinfo?(nmatsakis)
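The testcase above reads every own property of every global function's prototype, so any accessor on those prototypes gets its getter invoked with the bare prototype object as `this`; an exception from such a getter is swallowed by the try/catch, while an engine assertion or crash is not. The following is an added example, not the reporter's testcase and not SpiderMonkey code: it performs the same walk through property descriptors so that each read is recorded as a data property or a getter call, with getter exceptions captured instead of silently dropped. That turns the scan into a triage tool: after an engine fix, anything still aborting the scan is a crash rather than an ordinary exception. The names `inventoryOwnProperties`, `scanPrototypes`, `countThrowingGetters`, the `Sample` constructor and the `fakeGlobal` object are all assumptions constructed for the example.

```javascript
// Added example (not the bug's own testcase). Inventory the own properties
// of `obj`, invoking each getter with `obj` itself as the receiver, which is
// exactly the situation the reduced testcase puts prototype getters in.
function inventoryOwnProperties(obj) {
  const records = [];
  for (const name of Object.getOwnPropertyNames(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, name);
    if (typeof desc.get === "function") {
      try {
        const value = desc.get.call(obj);
        records.push({ name, kind: "accessor", outcome: "ok", type: typeof value });
      } catch (e) {
        // An exception is an ordinary, recoverable outcome; record it and go on.
        const errName = e && e.constructor ? e.constructor.name : String(e);
        records.push({ name, kind: "accessor", outcome: "throws", error: errName });
      }
    } else if (desc.set !== undefined) {
      records.push({ name, kind: "accessor", outcome: "setter-only" });
    } else {
      records.push({ name, kind: "data", outcome: "ok", type: typeof desc.value });
    }
  }
  return records;
}

// Walk every function-valued property of `globalObj` that has a prototype
// object and inventory that prototype, keyed by the global's name.
function scanPrototypes(globalObj) {
  const result = {};
  for (const name of Object.getOwnPropertyNames(globalObj)) {
    let g;
    try { g = globalObj[name]; } catch (e) { continue; } // global getters may throw too
    if (typeof g !== "function") continue;
    const proto = g.prototype;
    if (proto === null || (typeof proto !== "object" && typeof proto !== "function")) continue;
    result[name] = inventoryOwnProperties(proto);
  }
  return result;
}

// Count getter invocations that threw across a whole scan result.
function countThrowingGetters(scan) {
  let n = 0;
  for (const key of Object.keys(scan)) {
    for (const r of scan[key]) {
      if (r.kind === "accessor" && r.outcome === "throws") n++;
    }
  }
  return n;
}

// Constructed sample (not from the bug): a constructor whose prototype
// carries a getter that only makes sense on real instances, so reading it
// off the prototype throws, as a well-behaved engine getter should.
function Sample() { this._buf = [1, 2, 3]; }
Object.defineProperty(Sample.prototype, "length", {
  get() {
    if (!(this instanceof Sample) || !Array.isArray(this._buf)) {
      throw new TypeError("length getter called on a non-Sample receiver");
    }
    return this._buf.length;
  },
  configurable: true,
});
Sample.prototype.describe = function () { return "sample"; };

// Hypothetical stand-in for the real global object used by the testcase.
const fakeGlobal = { Sample, answer: 42 };

if (typeof require !== "undefined" && require.main === module) {
  const scan = scanPrototypes(fakeGlobal);
  console.log(JSON.stringify(scan, null, 2));
  console.log("getters that threw:", countThrowingGetters(scan));
}
```

Run against the real global object (`scanPrototypes(globalThis)` in a JS shell) the records show, per prototype, which getters throw when given the prototype as receiver and which return normally; a getter that neither throws nor returns but takes the shell down is precisely the class of bug this report is about.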
Comment 1 (Reporter, 5 years ago)
This needs --enable-more-deterministic but not --enable-threadsafe. I'm going to have to disable fuzzing deterministic shells (and thus compareJIT.py) until this is fixed.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   135050:18c1fd169792
user:        Nicholas D. Matsakis
date:        Thu Jun 06 11:01:15 2013 -0400
summary:     Bug 880208 - Add UnsafeGet and UnsafeGetImmutable intrinsics r=djvj

This iteration took 124.926 seconds to run.
Summary: Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp → Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp with --enable-more-deterministic
Comment 2 (Reporter, 5 years ago)
I have a testcase that does not require --enable-more-deterministic. I spoke to Luke, and unfortunately it looks like this testcase will affect real-world usage, and to spare the agony of debugging nightly crashes, we may have to back bug 880208 out.
Comment 3 (Reporter, 5 years ago)
This is likely fixed by the backout in bug 880208 comment 6. The testcase that does not require --enable-more-deterministic is in bug 880208 comment 7.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → FIXED