945294 - Assertion failure: is<T>(), at ../jsobj.h:1169

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision 84a5a5800bd3 (run with --fuzzing-safe --ion-eager):


var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase(n, d, e, a)
  gTestcases[gTc++] = this;
TestCase.prototype.dump = function () {}
function reportCompare () new TestCase();
function jsTestDriverEnd() {
  for (var i = 0; i < gTestcases.length; i++)
    gTestcases[i].dump();
}
try {
reportCompare();
function TestCase(n, d, e, a) {
  gTestcases[gTc++]=this;
}
TestCase.prototype.dump=this;
new TestCase;
jsTestDriverEnd();
} catch(exc2) {}
jsTestDriverEnd();

Comment 1

[Jason Orendorff [:jorendorff]]

var arr = [];

var C = function () {};
C.prototype.dump = function () {};
arr[0] = new C;

C = function () {};
C.prototype.dump = this;
arr[1] = new C;

function f() {
    for (var i = 0; i < arr.length; i++)
        arr[i].dump();
}

try {
    f();
} catch (exc) {}
f();


The assertion that fails is in this call to JSObject::as<JSFunction>():

    // Ensure that the relevant property typeset for each type object is
    // is a single-object typeset containing a JSFunction
    for (unsigned int i = 0; i < objCount; i++) {
        ...
        ...
        if (!inlinePropTable->addEntry(alloc(), baseTypeObj, &singleton->as<JSFunction>()))
            return false;
    }

Maybe just checking singleton->is<JSFunction>() beforehand would be enough?

When it happens, objCount == 2 and i == 1, and singleton->getClass()->name is "global", as you might expect.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Is this likely to be related to bug 875530 comment 11 in any way?

Comment 3

[Jan de Mooij [:jandem]]

Regression from bug 932875 I think.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Patch

(In reply to Jason Orendorff [:jorendorff] from comment #1)
> Maybe just checking singleton->is<JSFunction>() beforehand would be enough?

Comment 5

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/a9aaef3ab91f

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/a9aaef3ab91f

Comment 7

[Benjamin Kerensa [:bkerensa]]

Reconsider uplift here no need to track.

Comment 8

[Jan de Mooij [:jandem]]

Comment on attachment 8341638 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 932875
User impact if declined: Crashes, correctness bugs, maybe sec issues
Testing completed (on m-c, etc.): On m-c
Risk to taking this patch (and alternatives if risky): Very low
String or IDL/UUID changes made by this patch: None

Comment 9

[Ryan VanderMeulen (PTO, back 6-April)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/47cb3fdf32f9

Comment 10

[Ada [:adalucinet]]

With both testcases (comment 0 and comment 1) I get: TypeError: gTestcases[i].dump(...) is not a function or TypeError: arr[i].dump(...) is not a function. Both were ran with --fuzzing-safe --ion-eager command.
Any idea on this?

Comment 11

[Jan de Mooij [:jandem]]

(In reply to Alexandra Lucinet, QA Mentor [:adalucinet] from comment #10)
> With both testcases (comment 0 and comment 1) I get: TypeError:
> gTestcases[i].dump(...) is not a function or TypeError: arr[i].dump(...) is
> not a function. Both were ran with --fuzzing-safe --ion-eager command.
> Any idea on this?

The bug was that the test triggered an assertion failure. With the fix for this bug the testcase throws an exception, that's the correct/expected behavior. I'll mark this verified then :)