Closed Bug 1122839 Opened 10 years ago Closed 10 years ago

Assertion failure: Unexpected object type, at jit/MacroAssembler.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- affected

People

(Reporter: gkw, Assigned: bhackett1024)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

x = '';
Object.defineProperty(this, "y", { get: function() { return x } })
y
x = 0
x = new String;
y.__proto__ = []
y

asserts js debug shell on m-c changeset 5438e3f74848 with --fuzzing-safe --no-threads --ion-eager at:

Assertion failure: Unexpected object type, at jit/MacroAssembler.cpp

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150114065520" and the hash "61cd6ebaaee6".
The "bad" changeset has the timestamp "20150114070118" and the hash "5cec093aeadc".

Likely regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=61cd6ebaaee6&tochange=5cec093aeadc

Setting s-s to be safe because the assertion about jit types sounds scary.

Brian, is bug 1116017 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x5635f, 0x0000000101fc4cf2, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x0000000101fc4cf2
    frame #1: 0x00000001002ea7c3 js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`js::jit::IonCannon(JSContext*, js::RunState&) [inlined] EnterIon(data=0x0000000101fc4650) + 24 at Ion.cpp:2229
    frame #2: 0x00000001002ea7ab js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`js::jit::IonCannon(cx=0x0000000000000000, state=0x00007fff5fbfe708) + 619 at Ion.cpp:2311
    frame #3: 0x000000010075ba34 js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`js::RunScript(cx=0x0000000101d021d0, state=0x00007fff5fbfe5e0) + 244 at Interpreter.cpp:428
    frame #4: 0x000000010074af3b js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`js::Invoke(cx=0x0000000101d021d0, args=CallArgs at 0x00007fff5fbfe660, construct=<unavailable>) + 539 at Interpreter.cpp:517
(lldb)
This sounds pretty bad, so marking critical. Adjust as desired.
Keywords: sec-critical
Do we go on and do bad things in an opt build? or do we do something reasonable in the asserted error case?
Attached patch patch
This is a bogus assert. Bug 1116017 relaxed the requirements we place on type sets --- they don't have to be exact, as long as one of their objects has unknown properties. That bug tried to fix up the places where we assert type set correctness in JIT code, but missed this spot.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8552729 - Flags: review?(jdemooij)
Attachment #8552729 - Attachment is patch: true
Group: core-security
Attachment #8552729 - Flags: review?(jdemooij) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
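Added example, not from the bug or the SpiderMonkey tree: the comment 0 testcase rewritten as a jit-test-style regression check with explicit expectations, so that a reader can see what the accessor must return at every step however an optimizing JIT typed its result. It assumes plain Node.js, so a local assertEq stands in for the jit-test helper of the same name.

```javascript
// Added regression-style check, not from the bug report. The global
// accessor y returns x, whose type changes between observations and ends
// as a String wrapper whose prototype is swapped to an Array instance.
// Whatever a JIT assumed about y's result type, each observation must
// still yield the correct value. Assumption: plain Node.js, so a small
// assertEq stands in for the SpiderMonkey jit-test helper of that name.
function assertEq(actual, expected, what) {
  if (actual !== expected) {
    throw new Error(`${what}: got ${String(actual)}, expected ${String(expected)}`);
  }
}

function runTestcase() {
  let x = '';
  Object.defineProperty(globalThis, 'y', {
    get: function () { return x; },
    configurable: true,
  });

  // Warm up while y still returns a string, so an engine with tiered
  // compilation is likely to compile the access path under a narrow type
  // assumption before that assumption is broken below.
  let total = 0;
  for (let i = 0; i < 20000; i++) total += y.length;
  assertEq(total, 0, 'warm-up total');

  assertEq(y, '', 'initial string value');
  x = 0;
  assertEq(y, 0, 'after reassigning to a number');

  x = new String();  // boxed String object, not a primitive
  y.__proto__ = [];  // replace String.prototype with an Array instance
  const observed = {
    type: typeof y,
    inheritsArray: y instanceof Array,
    inheritsString: y instanceof String,
    isRealArray: Array.isArray(y),
    stringSlot: String.prototype.valueOf.call(y),  // [[StringData]] survives
  };
  assertEq(observed.type, 'object', 'wrapper is still an object');
  assertEq(observed.inheritsArray, true, 'now inherits through Array.prototype');
  assertEq(observed.inheritsString, false, 'no longer inherits String.prototype');
  assertEq(observed.isRealArray, false, 'prototype swap does not create an array');
  assertEq(observed.stringSlot, '', 'internal string data is unaffected');
  return observed;
}

runTestcase();
```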