883972 - Assertion failure: hasArgs(), at ../vm/Stack.h:514 or Assertion failure: script->function(), at jsscript.cpp:2852 or Crash [@ js::ArgumentsObject::create<CopyFrameArgs>]

Status: RESOLVED DUPLICATE of bug 883623

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision 36da3cb92193 (no options required):


function test() {
eval("\
  o = {\
    x : arguments.length\
  };\
  with(o) {}\
");
} test();

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

This seems to be s-s. A slightly different test crashes opt:

function test() {
eval("\
  var o = {\
    x : arguments['4294967295']\
  };\
  with(o){}\
");
} test();


Program received signal SIGSEGV, Segmentation fault.
js::ArgumentsObject::create<CopyFrameArgs> (cx=0x162e510, script=0x7ffff5e51280, callee=(JSFunction * const) 0x7ffff5e5f240 [object Function "test"], numActuals=4125430400, copy=...) at js/src/vm/ArgumentsObject.cpp:212
212         copy.copyArgs(cx, dst, numArgs);
#0  js::ArgumentsObject::create<CopyFrameArgs> (cx=0x162e510, script=0x7ffff5e51280, callee=(JSFunction * const) 0x7ffff5e5f240 [object Function "test"], numActuals=4125430400, copy=...) at js/src/vm/ArgumentsObject.cpp:212
#1  0x0000000000877159 in js::ArgumentsObject::createExpected (cx=<optimized out>, frame=...) at js/src/vm/ArgumentsObject.cpp:242
#2  0x00000000005e9aff in JSScript::argumentsOptimizationFailed (cx=0x162e510, script=0x7ffff5e51280) at js/src/jsscript.cpp:2907
#3  0x0000000000457a87 in GetElemOptimizedArguments (done=<synthetic pointer>, res=$jsmagic(JS_OPTIMIZED_ARGUMENTS), rref=$jsval(4294967295), lref=$jsmagic(JS_OPTIMIZED_ARGUMENTS), frame=..., cx=0x162e510) at ../vm/Interpreter-inl.h:841
#4  GetElementOperation (res=$jsmagic(JS_OPTIMIZED_ARGUMENTS), rref=$jsval(4294967295), lref=$jsmagic(JS_OPTIMIZED_ARGUMENTS), op=JSOP_GETELEM, cx=0x162e510) at ../vm/Interpreter-inl.h:869
#5  Interpret (cx=0x162e510, entryFrame=<optimized out>) at js/src/vm/Interpreter.cpp:2101
#6  0x000000000045a8ea in js::RunScript (cx=0x162e510, fp=0x7ffff60ee128) at js/src/vm/Interpreter.cpp:348
#7  0x000000000045af18 in js::ExecuteKernel (cx=0x162e510, script=0xe000007ffff5e608, scopeChainArg=..., thisv=..., type=<optimized out>, evalInFrame=..., result=0x7ffff60ee100) at js/src/vm/Interpreter.cpp:533
rsi     0x46e64d28      140704318115112
rdi     0x27fac030      140733864132656
=> 0x876b40 <js::ArgumentsObject::create<CopyFrameArgs>(JSContext*, JS::HandleScript, JS::HandleFunction, unsigned int, CopyFrameArgs&)+528>:   movsq  %ds:(%rsi),%es:(%rdi)


The test also asserts in debug builds with this assertion:

Assertion failure: script->function(), at jsscript.cpp:2852

I'll update the signature in a few.

Comment 3

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 4

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 5

[Christian Holler (:decoder)]

This might already be fixed on tip (could be a dup), so let's wait what JSBugMon says.

Comment 6

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b7175c5829b5).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user:        Brian Hackett
date:        Fri Jun 14 05:58:28 2013 -0600
summary:     Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.

This iteration took 332.219 seconds to run.

Comment 7

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/8a22078d93b2
user:        Brian Hackett
date:        Sun Jun 16 07:12:20 2013 -0600
summary:     Bug 883623 - Check free variables within eval'ed code before restarting processing of top level statements in the eval.

This iteration took 322.343 seconds to run.

Comment 8

[Christian Holler (:decoder)]

Indeed a dup to bug 883623, only on central and fixed.