849778 - IonMonkey: Assertion failure: !frame.asStackFrame()->runningInIon(), at vm/ArgumentsObject.cpp:28

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision eccf45749400 (run with --ion-eager):


function g() {}
var max = 400; 
function f(b) {
    if (b) {
        f(b - 1);
        g = {
            apply:toString
        };
    }
    g.apply(null, arguments);
}
f(max - 1);

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   121232:979de88d617d
user:        Nicolas B. Pierron
date:        Thu Feb 07 14:35:05 2013 -0800
summary:     Bug 835499 - Remove the runningInIon flag at the end of convertFrame. r=dvander

This iteration took 102.325 seconds to run.

Comment 2

[Christian Holler (:decoder)]

Nicolas, can you take a look based on comment 1? Thanks.

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unknown exception (check manually)

Comment 4

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision f20b0ce9e528).

Comment 5

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   127409:b942f88d95c5
parent:      127408:73009fa09525
parent:      124325:eccf45749400
user:        Jan de Mooij
date:        Mon Mar 11 15:18:12 2013 +0100
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, cb432984d5ce.

This iteration took 152.636 seconds to run.

Oops! We didn't test rev 73009fa09525, a parent of the blamed revision! Let's do that now.
We did not test rev 73009fa09525 because it is not a descendant of either eccf45749400 or 475dc5f51bdb.
Rev 73009fa09525: Updating... Compiling... Testing... [Uninteresting] It didn't crash. (0.056 seconds)
good (not interesting) 
Bisect lied to us! Parent rev 73009fa09525 was also good!

Perhaps we should expand the search to include the common ancestor of the blamed changeset's parents.
The common ancestor of 73009fa09525 and eccf45749400 is cb432984d5ce.
Rev cb432984d5ce: Updating... Compiling... Testing... Exit status: CRASHED signal 11 (SIGSEGV) (0.056 seconds)
bad (interesting) 
The following line is still under testing:
Try setting -s to cb432984d5ce, and -e to 475dc5f51bdb, and re-run autoBisect.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This probably got fixed by the BaselineCompiler landing, but bisection all the branches has gotten `hg bisect` confused.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I meant "bisection of all the merges".

Comment 8

[Nicolas B. Pierron [:nbp]]

Bug 835499 was a problem in the bailout of self-hosted JS functions, I did not investigated this issue yet, but the introduction of the baseline compiler made the bailouts go from Ion->Interpreter to Ion->Baseline instead.

This is what the merge appear as fixing this issue.  I would bet that this issue would still be reproducible when baseline is disabled.  Hopefully, Jan is going to remove this option (see Bug 868431) as he removes the ability to bailout to the interpreter from IonMonkey.  Which mean that this bug would not exists any more, as the baseline compiler shares the same stack layout as the interpreter.

Does this bug might still affect people who disable the baseline compiler without disabling IonMonkey?

Comment 9

[Jan de Mooij [:jandem]]

Comment 8 was probably correct. Test case WFM now with various flags.