Closed Bug 950456 Opened 11 years ago Closed 11 years ago

Assertion failure: [infer failure] Missing type in object [0x7f68c2d39858] value: [0x7f68c2d39698], at jsinfer.cpp:285 with Map

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla29
Tracking Flags:
Tracking Status
firefox27 --- unaffected
firefox28 --- unaffected
firefox29 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
605 bytes, text/plain
Details
patch
1.44 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision c049cb230d77 (run with --fuzzing-safe):


gczeal(2,1);
gcPreserveCode()
__defineGetter__('eval', 
    function() { 
        Map([['a', 'b'], ['b', 'c']]) === (Array(10)).length;
    });
eval;
try { eval(); } catch(exc1) {}
try { eval(); } catch(exc1) {}
try { eval(); } catch(exc1) {}
try { eval(); } catch(exc1) {}
Whiteboard: [jsbugmon:update,bisect]
Possibly related to bug 950460.
Depends on: 950460
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/2e5ff5614254
user:        Brian Hackett
date:        Thu Dec 12 13:10:54 2013 -0800
summary:     Bug 932982 - Trace type constraints and allow preserving jitcode in GCs without also marking all type information, r=billm, r=jandem

This iteration took 338.826 seconds to run.
Setting needinfo based on comment 3.
Flags: needinfo?(bhackett1024)
I can't reproduce on 10.8 or Linux.  Decoder, what are your exact configure options?
Flags: needinfo?(bhackett1024)
(In reply to Brian Hackett (:bhackett) from comment #5)
> I can't reproduce on 10.8 or Linux.  Decoder, what are your exact configure
> options?

I used --disable-threadsafe --enable-debug --enable-optimize --enable-valgrind with a 64 bit build.
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
This is a preexisting baseline tracing issue that was exposed by bug 932982.  Monitor and update stubs weren't being properly traced.
Assignee: general → bhackett1024
Attachment #8348304 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Attachment #8348304 - Flags: review?(jdemooij) → review+
(In reply to Brian Hackett (:bhackett) from comment #7)
> This is a preexisting baseline tracing issue that was exposed by bug 932982.
> Monitor and update stubs weren't being properly traced.

To clarify, there wasn't any way to trigger this bug before bug 932982 landed.  (Before bug 932982, whenever we preserved the baseline jitcode for a script we also marked all singleton objects and type objects in the compartment, which are the only things marked by update/monitor type stubs).
https://hg.mozilla.org/mozilla-central/rev/5c3e2e933e48
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox29: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Can we go ahead and land the test since this is trunk-only?
Flags: in-testsuite?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: