Closed Bug 1298854 Opened 9 years ago Closed 9 years ago

Assertion failure: this->is<T>(), at js/src/jsobj.h:562

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox51 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
100.89 KB, text/plain
Details
Fix hasInitialEnv computation for RematFrames.
5.42 KB, patch
jandem
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager): // jsfunfuzz-generated options('strict_mode'); // Adapted from randomly chosen test: js/src/jit-test/tests/debug/RematerializedFrame-retval.js var m = parseModule("\ var g = newGlobal();\ var dbg = new Debugger;\ setInterruptCallback(function() {\ dbg.addDebuggee(g);\ dbg.getNewestFrame();\ return true;\ });\ g.eval(\"(\" + function f() {\ invokeInterruptCallback(function() {\ f();\ });\ } + \")();\");\ "); m.declarationInstantiation(); m.evaluation(); Backtrace: 0 js-dbg-64-dm-clang-darwin-4f72b1d05267 0x0000000104c862fc js::EnvironmentIter::settle() + 2204 (jsobj.h:562) 1 js-dbg-64-dm-clang-darwin-4f72b1d05267 0x0000000104d23205 js::UnwindAllEnvironmentsInFrame(JSContext*, js::EnvironmentIter&) + 37 (Interpreter.cpp:1060) 2 js-dbg-64-dm-clang-darwin-4f72b1d05267 0x00000001049d462a js::jit::DebugEpilogue(JSContext*, js::jit::BaselineFrame*, unsigned char*, bool) + 186 (BaselineFrame.h:139) 3 js-dbg-64-dm-clang-darwin-4f72b1d05267 0x000000010481aa40 js::jit::HandleException(js::jit::ResumeFromException*) + 4944 (JitFrames.cpp:463) /snip For detailed crash information, see attachment.
Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo) changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn) Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
Not committing test case because it's too slow.
Flags: needinfo?(shu)
Attachment #8786112 - Flags: review?(jdemooij) → review+
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/4585f2f66645 Fix hasInitialEnv computation for RematFrames. (r=jandem)
https://hg.mozilla.org/mozilla-central/rev/4585f2f66645
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox51: affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: