Assertion failure: is<T>(), at ../jsobj.h:1169

VERIFIED FIXED in Firefox 27

Status

Type: defect
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks 1 bug, {assertion, testcase})

Version: Trunk
Target Milestone: mozilla28
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags

(firefox25 unaffected, firefox26 unaffected, firefox27- fixed, firefox28- verified)

Details

Attachments

(1 attachment)

The following testcase asserts on mozilla-central revision 84a5a5800bd3 (run with --fuzzing-safe --ion-eager):

var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase(n, d, e, a)
  gTestcases[gTc++] = this;
TestCase.prototype.dump = function () {}
function reportCompare () new TestCase();
function jsTestDriverEnd() {
  for (var i = 0; i < gTestcases.length; i++)
    gTestcases[i].dump();
}
try {
reportCompare();
function TestCase(n, d, e, a) {
  gTestcases[gTc++]=this;
}
TestCase.prototype.dump=this;
new TestCase;
jsTestDriverEnd();
} catch(exc2) {}
jsTestDriverEnd();
var arr = [];

var C = function () {};
C.prototype.dump = function () {};
arr[0] = new C;

C = function () {};
C.prototype.dump = this;
arr[1] = new C;

function f() {
    for (var i = 0; i < arr.length; i++)
        arr[i].dump();
}

try {
    f();
} catch (exc) {}
f();

The assertion that fails is in this call to JSObject::as<JSFunction>():

    // Ensure that the relevant property typeset for each type object is
    // a single-object typeset containing a JSFunction
    for (unsigned int i = 0; i < objCount; i++) {
        ...
        ...
        if (!inlinePropTable->addEntry(alloc(), baseTypeObj, &singleton->as<JSFunction>()))
            return false;
    }

Maybe just checking singleton->is<JSFunction>() beforehand would be enough?

When it happens, objCount == 2 and i == 1, and singleton->getClass()->name is "global", as you might expect.
Is this likely to be related to bug 875530 comment 11 in any way?
Regression from bug 932875 I think.
Blocks: 932875
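The unchecked cast from comment 1 next to the proposed is<JSFunction>() check, as an added C++ example that is not SpiderMonkey's source: Object, Function, GlobalObject, Kind and buildInlinePropTable are hypothetical stand-ins for the engine's types and for the inline-property-table loop.

```cpp
#include <cassert>
#include <vector>

// Hypothetical stand-ins for SpiderMonkey's JSObject::is<T>()/as<T>() idiom.
// as<T>() only asserts is<T>(); the assert is compiled out of release builds,
// so an unchecked cast of a non-function silently yields a mis-typed pointer.
enum class Kind { Function, Global };

struct Object {
    Kind kind;
    explicit Object(Kind k) : kind(k) {}
    template <typename T> bool is() const { return kind == T::kind_; }
    template <typename T> T& as() {
        assert(is<T>());  // the assertion from the bug title, in miniature
        return *static_cast<T*>(this);
    }
};

struct Function : Object {
    static constexpr Kind kind_ = Kind::Function;
    Function() : Object(kind_) {}
};

struct GlobalObject : Object {
    static constexpr Kind kind_ = Kind::Global;
    GlobalObject() : Object(kind_) {}
};

// The loop from comment 1 with the proposed is<JSFunction>() check before the
// cast: if any singleton is not a function, give up on the inline property
// table instead of asserting (or mis-casting in a release build).
bool buildInlinePropTable(const std::vector<Object*>& singletons,
                          std::vector<Function*>& table) {
    for (Object* singleton : singletons) {
        if (!singleton->is<Function>())
            return false;
        table.push_back(&singleton->as<Function>());
    }
    return true;
}

// Mirrors the failing case: objCount == 2 and the singleton at i == 1 is the
// global object (the testcase assigns `C.prototype.dump = this` at top level).
bool tableBuildsForFunctionThenGlobal() {
    Function dump;
    GlobalObject global;
    std::vector<Object*> singletons = { &dump, &global };
    std::vector<Function*> table;
    return buildInlinePropTable(singletons, table);
}
```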
Posted patch: Patch
(In reply to Jason Orendorff [:jorendorff] from comment #1)
> Maybe just checking singleton->is<JSFunction>() beforehand would be enough?
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #8341638 - Flags: review?(bhackett1024)
Attachment #8341638 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/a9aaef3ab91f
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Reconsider uplift here; no need to track.
Comment on attachment 8341638 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 932875
User impact if declined: Crashes, correctness bugs, maybe sec issues
Testing completed (on m-c, etc.): On m-c
Risk to taking this patch (and alternatives if risky): Very low
String or IDL/UUID changes made by this patch: None
Attachment #8341638 - Flags: approval-mozilla-aurora?
Attachment #8341638 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Keywords: verifyme
With both testcases (comment 0 and comment 1) I get: TypeError: gTestcases[i].dump(...) is not a function or TypeError: arr[i].dump(...) is not a function. Both were run with the --fuzzing-safe --ion-eager command.
Any idea on this?
Flags: needinfo?(jdemooij)
Keywords: verifyme
(In reply to Alexandra Lucinet, QA Mentor [:adalucinet] from comment #10)
> With both testcases (comment 0 and comment 1) I get: TypeError:
> gTestcases[i].dump(...) is not a function or TypeError: arr[i].dump(...) is
> not a function. Both were run with the --fuzzing-safe --ion-eager command.
> Any idea on this?

The bug was that the test triggered an assertion failure. With the fix for this bug the testcase throws an exception, that's the correct/expected behavior. I'll mark this verified then :)
Status: RESOLVED → VERIFIED
Flags: needinfo?(jdemooij)