Bug 1071068 (Closed): Opened 10 years ago, Closed 10 years ago

Assertion failure: it.type() == JitFrame_IonJS, at jit/Ion.cpp:625 or Crash [@ js::jit::JitFrameIterator::script]

Categories: Core :: JavaScript Engine: JIT, defect
Platform: ARM / Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1067984
Tracking Status: firefox35 --- affected
People: Reporter: decoder, Unassigned
Keywords: assertion, crash, testcase
Whiteboard: [jsbugmon:update,ignore]
Attachments: 1 file

The following testcase asserts on mozilla-central revision 5bd6e09f074e (run with --fuzzing-safe --ion-regalloc=backtracking):
function script1() { return arguments.length; }
test1();
function test1() {
    function f(arr) {
        for (var i = 0; i < 10; ++i) {
            for (var j = 0; j < arr.length; ++j) {
              (function() {
                for (i = 0; i < 5; i++)
                  f(false, 42);
              })();
            }
        }
    }
    f([ script1, ]);
}
function test2() {
    function tryAndFail(o) {}
    function applyIt1(f) {}
}

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::script (this=0xffffc2e0) at js/src/jit/IonFrames.cpp:207
207         JSScript *script = ScriptFromCalleeToken(calleeToken());
#0  js::jit::JitFrameIterator::script (this=0xffffc2e0) at js/src/jit/IonFrames.cpp:207
#1  0x081c8cd2 in js::jit::LazyLinkTopActivation (cx=0x92b6ad0) at js/src/jit/Ion.cpp:628
#2  0x0832af7a in js::jit::Simulator::softwareInterrupt (this=0x92b6078, instr=0x92ce5ec) at js/src/jit/arm/Simulator-arm.cpp:2136
#3  0x0832857c in js::jit::Simulator::instructionDecode (this=this@entry=0x92b6078, instr=instr@entry=0x92ce5ec) at js/src/jit/arm/Simulator-arm.cpp:4043
#4  0x08338924 in js::jit::Simulator::execute<false> (this=0x92b6078) at js/src/jit/arm/Simulator-arm.cpp:4096
#5  0x0832b5ed in js::jit::Simulator::callInternal (this=this@entry=0x92b6078, entry=entry@entry=0xf2fb0880 "\360O-\351\r\200\240\341\234\300\t\343(\311", <incomplete sequence \343>) at js/src/jit/arm/Simulator-arm.cpp:4184
#6  0x0832b696 in js::jit::Simulator::call (this=0x92b6078, entry=0xf2fb0880 "\360O-\351\r\200\240\341\234\300\t\343(\311", <incomplete sequence \343>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4267
#7  0x08176ed0 in EnterBaseline (cx=0x92b6ad0, data=...) at js/src/jit/BaselineJIT.cpp:115
eax     0x27fdddb       41934299
=> 0x822723b <js::jit::JitFrameIterator::script() const+27>:    mov    0x8(%eax),%eax
Marking s-s based on crash address.
Crash Signature: [@ js::jit::JitFrameIterator::script]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
(In reply to Christian Holler (:decoder) from comment #2)
> #1  0x081c8cd2 in js::jit::LazyLinkTopActivation (cx=0x92b6ad0) at
> js/src/jit/Ion.cpp:628

NI: Hannes
Flags: needinfo?(hv1989)
Could it be that you forgot to mention this is ARM (simulator?).
If that is the case, this is probably fixed by bug 1067984 (Will land soonish).
Flags: needinfo?(hv1989)
Flags: needinfo?(choller)
Ok, I should have read the full bt. It is definitely the simulator.

@decoder: it might be good to include configure flags in reports.
Flags: needinfo?(choller)
This should be fixed. Decoder can you confirm?
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,bisectfix]
Whiteboard: [jsbugmon:update,bisect,bisectfix] → [jsbugmon:update,bisectfix]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/de8214005a4a
user:        Jason Orendorff
date:        Thu Sep 11 17:57:29 2014 -0500
summary:     Bug 1051760 - Fix "Assertion failure: !vp.isMagic(), at jsobj.cpp:4600" with arguments, direct eval, and a destructuring declaration. r=Waldo.

This iteration took 615.402 seconds to run.
(In reply to Hannes Verschore [:h4writer], pto till 22 September from comment #6)
> This should be fixed. Decoder can you confirm?

This doesn't seem to be fixed, otherwise the bot would have removed the update flag and bisected the fix with the regular bisection.
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision bb61415bd7e6).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0c8fa599e889
parent:      206590:2d6ffa903e38
user:        Hannes Verschore
date:        Mon Sep 22 22:45:08 2014 +0200
summary:     Bug 1067984 - IonMonkey: Temporarily disable lazy linking for non i686/x64, r=mjrosenb

This iteration took 570.856 seconds to run.
Aha so indeed fixed by bug 1067984 :D.

Now the autobisect is pointing to a wrong bug. It should point to bug 1047346, which landed the day before. Possibly the testcase uses a feature added/fixed by the bug autobisect is reporting.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release