The following testcase crashes on mozilla-central revision 6ea654cad929 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe min.js): shortestPaths(this, [this], 5) Backtrace: Program received signal SIGSEGV, Segmentation fault. UniquePtr (aOther=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33ea0f0>, this=0x8) at js/src/opt64/dist/include/mozilla/UniquePtr.h:229 #0 UniquePtr (aOther=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33ea0f0>, this=0x8) at js/src/opt64/dist/include/mozilla/UniquePtr.h:229 #1 new_<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > > (aU=aU@entry=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33ea149>, aDst=0x8) at js/src/opt64/dist/include/mozilla/Vector.h:74 #2 internalAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > > (aU=aU@entry=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33daef6>, this=this@entry=0x7ffff6917738) at js/src/opt64/dist/include/mozilla/Vector.h:1123 #3 mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&) (this=this@entry=0x7ffff6917738, aU=aU@entry=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x3459af0>) at js/src/opt64/dist/include/mozilla/Vector.h:617 #4 0x00000000008629c6 in JS::ubi::ShortestPaths::Handler::operator() (this=0x7fffffffd350, traversal=..., origin=..., edge=..., back=<optimized out>, first=first@entry=false) at js/src/opt64/dist/include/js/UbiNodeShortestPaths.h:149 #5 0x0000000000864541 in JS::ubi::BreadthFirst<JS::ubi::ShortestPaths::Handler>::traverse (this=this@entry=0x7fffffffd4b0) at js/src/opt64/dist/include/js/UbiNodeBreadthFirst.h:151 #6 0x000000000083a85e in Create (targets=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x34b7828>, root=..., maxNumPaths=<optimized out>, noGC=<synthetic pointer>, rt=0x7ffff6937000) at js/src/opt64/dist/include/js/UbiNodeShortestPaths.h:254 #7 ShortestPaths (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2624 #8 0x00000000008866e1 in CallJSNative (args=..., native=0x838c70 <ShortestPaths(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff6907000) at js/src/jscntxtinlines.h:235 [...] #20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7120 rax 0x1 1 rbx 0x7ffff69955e0 140737330632160 rcx 0x7ffff69955e0 140737330632160 rdx 0x8 8 rsi 0x7fffffffd0f0 140737488343280 rdi 0x7ffff6917738 140737330116408 rbp 0x7fffffffd3e0 140737488344032 rsp 0x7fffffffd088 140737488343176 r8 0x0 0 r9 0x50 80 r10 0x0 0 r11 0x1e 30 r12 0x7ffff6917720 140737330116384 r13 0x7fffffffd4b0 140737488344240 r14 0x3448cb9a 877185946 r15 0x7ffff3c14458 140737282917464 rip 0x861fca <mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&)+26> => 0x861fca <mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&)+26>: mov %rcx,(%rdx) 0x861fcd <mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&)+29>: add $0x1,%rax

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20160216024750" and the hash "374422755fccfd9e8296195ad60b6f4b752238e6". The "bad" changeset has the timestamp "20160216032050" and the hash "d73b4d5f5d259b9015d7af8f7bfaae81d33529ec". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=374422755fccfd9e8296195ad60b6f4b752238e6&tochange=d73b4d5f5d259b9015d7af8f7bfaae81d33529ec

Guessing this is related to bug 961323. Nick, thoughts?

The start node was being marked "visited" at the start of the traversal, but this broke the invariant that if we come across a target node that is marked "visited" then we had better have an entry for it in our results map. In order to maintain this invariant and stop triggering these assertion failures, this commit stops marking the start node as "visited" right off the bat.

Comment on attachment 8722027 [details] [diff] [review] Fix assertion failure when reaching start node in JS::ubi::ShortestPaths Review of attachment 8722027 [details] [diff] [review]: ----------------------------------------------------------------- I think I've screwed up cases like this (paths that end at the starting node) too...

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=740408079659