1011730 - Assertion failure: containsPC(pc), at jsscript.h

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

enableSPSProfilingWithSlowAssertions()
function f() {
    if (!([] instanceof Array)) {
        throw (function() {})
    }
    return function() {
        for (var i = 0; i < 1; i++) {
            f()
        }
    };
}
f()()

asserts js debug shell on m-c changeset 616dc757d98a with --ion-eager --ion-parallel-compile=off at Assertion failure: containsPC(pc), at jsscript.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/19eafdcdefe3
user:        Dan Gohman
date:        Fri May 16 06:40:09 2014 -0700
summary:     Bug 844779 - IonMonkey: Make loops contiguous. r=h4writer

:sunfish, is bug 844779 a likely regressor?

Because this involves SPS, setting s-s and assuming sec-high for now. Also, this is flooding jsfunfuzz, so setting [fuzzblocker].

Comment 1

[Dan Gohman [:sunfish]]

The crash happens in the SPS instrumentation code. It happens only when the MakeLoopsContiguous code moves a block which ends in a throw. I'm unfamiliar with both SPS profiling and throwing, so I reverted the patch until I can investigate:

https://hg.mozilla.org/integration/mozilla-inbound/rev/28db7381c979

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Fixed by the backout landing on m-c:

https://hg.mozilla.org/mozilla-central/rev/28db7381c979

Comment 3

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.