Closed
Bug 921035
Opened 11 years ago
Closed 11 years ago
Assertion failure: hasCallObj(), at ../jit/BaselineFrame-inl.h:73 or Crash [@ callObj]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
| Tracking | Status | |
|---|---|---|
| firefox24 | --- | unaffected |
| firefox25 | --- | unaffected |
| firefox26 | --- | unaffected |
| firefox27 | --- | affected |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | unaffected |
People
(Reporter: decoder, Assigned: djvj)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(2 files)
|
910 bytes,
text/plain
|
Details | |
|
1.76 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision e85b0372cece (run with --fuzzing-safe --ion-eager):
function $ERROR() {}
function testMultipleArgumentsObjects() {
var testargs = arguments;
var f = function (which) {
var args = [ testargs ];
return args[which][0];
};
var arr = [0, 0, 0, 0, 1];
for (var i = 0; i < arr.length; i++)
$ERROR[i] = f(arr[i]);
}
testMultipleArgumentsObjects()
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/cd646a300ffe user: Kannan Vijayan date: Mon Sep 23 10:50:30 2013 -0400 summary: Bug 918405 - Enable OSR-ing into Ion in functions with needsArgsObj. r=h4writer This iteration took 400.086 seconds to run.
|
||
Comment 3•11 years ago
|
||
Kannan, is bug 918405 a likely regressor?
|
|
||
Updated•11 years ago
|
status-firefox24:
--- → unaffected
status-firefox25:
--- → unaffected
status-firefox26:
--- → unaffected
status-firefox27:
--- → affected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
|
||
Comment 4•11 years ago
|
||
Thanks!
|
|
||
Comment 5•11 years ago
|
||
Thanks!
|
Assignee | |
Comment 8•11 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] (still catching up on bugmail) from comment #3) > Kannan, is bug 918405 a likely regressor? Yes. There's a good chance it's a regressor.
Flags: needinfo?(kvijayan)
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 9•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ddd03c32fab1).
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 10•11 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/27921f21cddf user: Phil Ringnalda date: Mon Oct 14 14:03:03 2013 -0700 summary: Back out 755ecb4d6e2c and 7ea09c8bf385 (bug 925962) for bustage This iteration took 422.358 seconds to run.
|
|
Assignee | |
Comment 11•11 years ago
|
||
I don't think bug 925962 is actually related to the issue. I also think bug 918405 revealed the issue but is not the cause of it. I haven't fully narrowed this down yet, but as far as I can tell, the function |testMultipleArgumentsObjects| is heavyweight, has a call object created for it when running in baseline, enters Ion via OSR (and the Call object is correctly carried into the Ion entry).. however, later there's a bailout from an inlined call to |f| within |testMultipleArgumentsObjects|, and when unpacking scopeChain objects from the snapshot in this bailout, the call object is not being captured. Looking at the IonGraph spew for the function, during the Eliminate phis pass, the ResumePoint handle to the scope chain definition seems to be "lost" (refers to a nonexistant definition).
Assignee: general → kvijayan
|
|
Assignee | |
Comment 12•11 years ago
|
||
Yeah, aggressive phi elimination is getting rid of the scopeChain even though we may need it later to construct an arguments object.
|
|
Assignee | |
Comment 13•11 years ago
|
||
Attachment #817359 -
Flags: review?(hv1989)
|
||
Comment 14•11 years ago
|
||
Comment on attachment 817359 [details] [diff] [review] save-scope-chain.patch Review of attachment 817359 [details] [diff] [review]: ----------------------------------------------------------------- Good find. Would be good to have an active testcase for this in jit-tests in order to not regress this.
Attachment #817359 -
Flags: review?(hv1989) → review+
|
|
Assignee | |
Comment 15•11 years ago
|
||
Tried to create a testcase that asserted on tip for this yesterday, didn't get anywhere. I'm checking in with the original test case, which is better than nothing.
|
||
Comment 16•11 years ago
|
||
Turns out the original test case is worse than nothing, because it'll get you backed out in http://hg.mozilla.org/integration/mozilla-inbound/rev/062d17374196 by failing like https://tbpl.mozilla.org/php/getParsedLog.php?id=29195313&tree=Mozilla-Inbound ;)
|
|
Assignee | |
Comment 17•11 years ago
|
||
Forgot that the correct outcome for that test case is for it to throw. Will check in shortly.
|
|
Assignee | |
Comment 18•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e41c12eedc22
|
||
Comment 19•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e41c12eedc22
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
You need to log in
before you can comment on or make changes to this bug.
Description
•