Closed
Bug 1102329
Opened 10 years ago
Closed 10 years ago
Assertion failure: this->is<T>(), at jsobj.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
Tracking | Status | |
---|---|---|
firefox36 | --- | affected |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
// Random chosen test: js/src/jit-test/tests/basic/function-bind.js
A = Array.bind()
// Random chosen test: js/src/jit-test/tests/TypedObject/neutertypedobjunsizedarray.js
var {
StructType
} = TypedObject
var A = new StructType({});
(function() {
new A
for (var i = 0; i < 9; i++) {}
})()
asserts js debug shell on m-c changeset 7d17b594834f with --fuzzing-safe --ion-eager --no-threads at Assertion failure: this->is<T>(), at jsobj.h.
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
This was found by combining random jit-tests together with jsfunfuzz, the specific file(s) is/are:
http://hg.mozilla.org/mozilla-central/file/7d17b594834f/js/src/jit-test/tests/basic/function-bind.js
http://hg.mozilla.org/mozilla-central/file/7d17b594834f/js/src/jit-test/tests/TypedObject/neutertypedobjunsizedarray.js
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20141104140142" and the hash "a9a7f16c817b".
The "bad" changeset has the timestamp "20141104142049" and the hash "ed6401282c18".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a9a7f16c817b&tochange=ed6401282c18
Brian, is bug 1091015 a likely regressor?
Flags: needinfo?(bhackett1024)
Reporter | ||
Updated•10 years ago
|
status-firefox36:
--- → affected
Reporter | ||
Comment 1•10 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x1f61bb, 0x00000001002d7787 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3639 at IonBuilder.cpp:4908, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001002d7787 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inlineCalls(this=<unavailable>, callInfo=<unavailable>, targets=<unavailable>, originals=<unavailable>, choiceSet=<unavailable>, maybeCache=<unavailable>) + 3639 at IonBuilder.cpp:4908
frame #1: 0x00000001002d67f0 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inlineCallsite(this=0x0000000103047a58, targets=0x00007fff5fbfd960, originals=0x00007fff5fbfd9b8, lambda=<unavailable>, callInfo=0x00007fff5fbfd8d0) + 256 at IonBuilder.cpp:4772
frame #2: 0x00000001002cac69 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::jsop_call(this=0x0000000103047a58, argc=<unavailable>, constructing=<unavailable>) + 1241 at IonBuilder.cpp:5559
frame #3: 0x00000001002c2446 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::inspectOpcode(this=0x0000000103047a58, op=<unavailable>) + 1174 at IonBuilder.cpp:1662
frame #4: 0x00000001002bf776 js-dbg-opt-64-dm-nsprBuild-darwin-7d17b594834f`js::jit::IonBuilder::traverseBytecode(this=0x0000000103047a58) + 662 at IonBuilder.cpp:1336
(lldb)
Assignee | ||
Comment 2•10 years ago
|
||
Bleah, again. I went through IonBuilder.cpp and related files and this is the only JSFunction downcast that wasn't checked (either explicitly or via choiceSet.) It would be nice if we were using JSObject instead of JSFunction throughout the inlining code but it would be a fair amount of work and wouldn't I think open up new optimization possibilities that are worth considering.]
Flags: needinfo?(bhackett1024)
Attachment #8526777 -
Flags: review?(jdemooij)
Updated•10 years ago
|
Attachment #8526777 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 3•10 years ago
|
||
Comment 4•10 years ago
|
||
Assignee: nobody → bhackett1024
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in
before you can comment on or make changes to this bug.
Description
•