Closed Bug 883395 Opened 12 years ago Closed 12 years ago

Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp with --enable-more-deterministic

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

debug and opt stacks
15.15 KB, text/plain
Details
Attached file debug and opt stacks
function f(a) { hns = Object.getOwnPropertyNames(a); for (var j = 0; j < hns.length; ++j) { hn = hns[j]; try { v = a[hn] } catch (e) {} } } var gns = Object.getOwnPropertyNames(this); for (i = 0; i < gns.length; ++i) { var gn = gns[i]; g = this[gn]; if (typeof g == "function" && g.toString().indexOf("]") != 1) { f(g.prototype, "") } } asserts js debug shell on m-i changeset ce43d28276e4 without any CLI arguments at Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp and crashes js opt shell at js::intrinsic_UnsafeGetElement (tested on a 64-bit threadsafe deterministic shell) This seems highly likely to be caused by bug 880208, and is a definitely fuzzblocker as it crashes / asserts within jsfunfuzz itself (outside of generated code). https://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Flags: needinfo?(nmatsakis)
This needs --enable-more-deterministic but not --enable-threadsafe. I'm going to have to disable fuzzing deterministic shells (and thus compareJIT.py) until this is fixed. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 135050:18c1fd169792 user: Nicholas D. Matsakis date: Thu Jun 06 11:01:15 2013 -0400 summary: Bug 880208 - Add UnsafeGet and UnsafeGetImmutable intrinsics r=djvj This iteration took 124.926 seconds to run.
Summary: Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp → Crash [@ js::intrinsic_UnsafeGetElement] or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp with --enable-more-deterministic
I have a testcase that does not require --enable-more-deterministic, I spoke to Luke and unfortunately it looks like this testcase will affect real-world usage and to spare the agony of debugging nightly crashes, we may have to back bug 880208 out.
This is likely fixed by the backout in bug 880208 comment 6. The testcase that does not require --enable-more-deterministic is in bug 880208 comment 7.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: