Closed Bug 953108 Opened 6 years ago Closed 6 years ago

Assertion failure: v.isObject(), at vm/GlobalObject.cpp:42 or Crash [@ operator->]

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

VERIFIED FIXED
mozilla29
Tracking Status
firefox29 --- verified

People

(Reporter: decoder, Assigned: nmatsakis)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 2 obsolete files)

The following testcase asserts on mozilla-central revision cd3e9359fd64 (run with --fuzzing-safe):


var float32x4 = SIMD.float32x4;
float32x4.array(1);
CC-ing Ivan and Niko who both worked on the SIMD stuff.
Attachment #8351441 - Attachment is obsolete: true
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/abdeb55e8a16
user:        Ivan Jibaja
date:        Wed Dec 18 16:28:32 2013 -0500
summary:     Bug 946042 - Add all SIMD functions to the interpreter. r=till

This iteration took 343.590 seconds to run.
Needinfo from Ivan based on comment 4 :)
Flags: needinfo?(ivan)
This is probably my fault. Seems like something going awry with initialization.
Flags: needinfo?(ivan)
Also crashes [@ operator->] with a null-deref. Setting needinfo on Niko per comment 6 so this stays on the radar.
Crash Signature: [@ operator->]
Flags: needinfo?(nmatsakis)
Keywords: crash
Summary: Assertion failure: v.isObject(), at vm/GlobalObject.cpp:42 → Assertion failure: v.isObject(), at vm/GlobalObject.cpp:42 or Crash [@ operator->]
Assignee: nobody → nmatsakis
Flags: needinfo?(nmatsakis)
Attached patch Bug953108.diff (obsolete) — Splinter Review
For array() to work, the typed object module must be initialized. For the moment, this also installs a global name (TypedObject). If SIMD stabilizes before the full typed object API -- as seems probable -- we'll want to have a separate ifdef which we can use to avoid installing the TypedObject module.
Attachment #8357039 - Flags: review?(till)
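The dependency described in the comment above, as an added example that is not the attached patch and not SpiderMonkey code: a simplified C++ model in which every name (Global, Slot, ensure, maybeGet, initSimdBuggy, initSimdFixed, makeArrayType) is hypothetical. It assumes the failure comes from reading a per-global slot that was never filled, and shows the two defences: initialize the dependency together with its dependent, and check the slot before dereferencing it.

```cpp
// Simplified model (added example): all names are hypothetical, not SpiderMonkey's.
#include <array>
#include <memory>
#include <string>

struct Module { std::string name; };

enum Slot { TYPED_OBJECT, SIMD, SLOT_COUNT };

struct Global {
    // A slot stays null (modelling "undefined") until its module is initialized.
    std::array<std::unique_ptr<Module>, SLOT_COUNT> slots;

    // Get-or-create: safe to call repeatedly, initializes at most once.
    Module* ensure(Slot s, const char* name) {
        if (!slots[s]) slots[s].reset(new Module{name});
        return slots[s].get();
    }
    // Checked read: returns null for an empty slot; the caller must test it.
    Module* maybeGet(Slot s) const { return slots[s].get(); }
};

// Before the fix (modelled): SIMD is set up without its dependency.
void initSimdBuggy(Global& g) { g.ensure(SIMD, "SIMD"); }

// After the fix (modelled): initializing SIMD also initializes typed objects.
void initSimdFixed(Global& g) {
    g.ensure(TYPED_OBJECT, "TypedObject");
    g.ensure(SIMD, "SIMD");
}

// Models float32x4.array(n), which needs the typed object module.
// Returns false instead of asserting or dereferencing a null pointer.
bool makeArrayType(const Global& g, unsigned n, std::string& out) {
    Module* typed = g.maybeGet(TYPED_OBJECT);
    if (!typed) return false;  // dependency was never initialized
    out = typed->name + ".ArrayType(float32x4, " + std::to_string(n) + ")";
    return true;
}

int main() {
    Global buggy, fixed;
    std::string out;
    initSimdBuggy(buggy);
    initSimdFixed(fixed);
    return (!makeArrayType(buggy, 1, out) && makeArrayType(fixed, 1, out)) ? 0 : 1;
}
```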
Attached patch Bug953108.diff — Splinter Review
Put the test in the public domain before Till can ask me to.
Attachment #8357039 - Attachment is obsolete: true
Attachment #8357039 - Flags: review?(till)
Attachment #8357040 - Flags: review?(till)
Comment on attachment 8357040 [details] [diff] [review]
Bug953108.diff

Review of attachment 8357040 [details] [diff] [review]:
-----------------------------------------------------------------

That makes a lot of sense, yes
Attachment #8357040 - Flags: review?(till) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9409405e0739).
This landed on m-c.

http://hg.mozilla.org/mozilla-central/rev/99afe134bc7a
Status: NEW → RESOLVED
Closed: 6 years ago
Keywords: regression
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Target Milestone: --- → mozilla29
Keywords: verifyme
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Flags: in-testsuite+
Keywords: verifyme