Assertion failure: it.type() == JitFrame_IonJS, at jit/Ion.cpp:625 or Crash [@ js::jit::JitFrameIterator::script]

RESOLVED DUPLICATE of bug 1067984

Product: Core
Component: JavaScript Engine: JIT
Severity: critical
Reported: 4 years ago
Updated: a year ago
Reporter: decoder (Unassigned)
Blocks: 1 bug
Version: Trunk
Hardware: ARM
OS: Linux
Keywords: assertion, crash, testcase
Firefox tracking flags: firefox35 affected
Whiteboard: [jsbugmon:update,ignore], crash signature
Attachments: 1
Description (Reporter, 4 years ago)
The following testcase asserts on mozilla-central revision 5bd6e09f074e (run with --fuzzing-safe --ion-regalloc=backtracking):


function script1() { return arguments.length; }
test1();
function test1() {
    function f(arr) {
        for (var i = 0; i < 10; ++i) {
            for (var j = 0; j < arr.length; ++j) {
              (function() {
                for (i = 0; i < 5; i++)
                  f(false, 42);
              })();
            }
        }
    }
    f([ script1, ]);
}
function test2() {
    function tryAndFail(o) {}
    function applyIt1(f) {}
}
Comment 1 (Reporter, 4 years ago)
Created attachment 8493165 [details]
[crash-signature] Machine-readable crash signature
Comment 2 (Reporter, 4 years ago)
Crash trace:


Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::script (this=0xffffc2e0) at js/src/jit/IonFrames.cpp:207
207         JSScript *script = ScriptFromCalleeToken(calleeToken());
#0  js::jit::JitFrameIterator::script (this=0xffffc2e0) at js/src/jit/IonFrames.cpp:207
#1  0x081c8cd2 in js::jit::LazyLinkTopActivation (cx=0x92b6ad0) at js/src/jit/Ion.cpp:628
#2  0x0832af7a in js::jit::Simulator::softwareInterrupt (this=0x92b6078, instr=0x92ce5ec) at js/src/jit/arm/Simulator-arm.cpp:2136
#3  0x0832857c in js::jit::Simulator::instructionDecode (this=this@entry=0x92b6078, instr=instr@entry=0x92ce5ec) at js/src/jit/arm/Simulator-arm.cpp:4043
#4  0x08338924 in js::jit::Simulator::execute<false> (this=0x92b6078) at js/src/jit/arm/Simulator-arm.cpp:4096
#5  0x0832b5ed in js::jit::Simulator::callInternal (this=this@entry=0x92b6078, entry=entry@entry=0xf2fb0880 "\360O-\351\r\200\240\341\234\300\t\343(\311", <incomplete sequence \343>) at js/src/jit/arm/Simulator-arm.cpp:4184
#6  0x0832b696 in js::jit::Simulator::call (this=0x92b6078, entry=0xf2fb0880 "\360O-\351\r\200\240\341\234\300\t\343(\311", <incomplete sequence \343>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4267
#7  0x08176ed0 in EnterBaseline (cx=0x92b6ad0, data=...) at js/src/jit/BaselineJIT.cpp:115
eax     0x27fdddb       41934299
=> 0x822723b <js::jit::JitFrameIterator::script() const+27>:    mov    0x8(%eax),%eax


Marking s-s based on crash address.
Crash Signature: [@ js::jit::JitFrameIterator::script]
status-firefox35: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Comment 3

(In reply to Christian Holler (:decoder) from comment #2)
> #1  0x081c8cd2 in js::jit::LazyLinkTopActivation (cx=0x92b6ad0) at
> js/src/jit/Ion.cpp:628

NI: Hannes
Flags: needinfo?(hv1989)
Comment 4

Could it be that you forgot to mention this is ARM (simulator?).
If that is the case, this is probably fixed by bug 1067984 (Will land soonish).
Flags: needinfo?(hv1989)
Flags: needinfo?(choller)
Comment 5

Ok, I should have read the full bt. It is definitely the simulator.

@decoder: it might be good to include configure flags in reports.
Flags: needinfo?(choller)
Comment 6 (Hannes Verschore)

This should be fixed. Decoder can you confirm?
Updated (Reporter, 4 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,bisectfix]
Updated (Reporter, 4 years ago)
Whiteboard: [jsbugmon:update,bisect,bisectfix] → [jsbugmon:update,bisectfix]
Comment 7 (Reporter, 4 years ago)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/de8214005a4a
user:        Jason Orendorff
date:        Thu Sep 11 17:57:29 2014 -0500
summary:     Bug 1051760 - Fix "Assertion failure: !vp.isMagic(), at jsobj.cpp:4600" with arguments, direct eval, and a destructuring declaration. r=Waldo.

This iteration took 615.402 seconds to run.
Comment 8 (Reporter, 4 years ago)
(In reply to Hannes Verschore [:h4writer], pto till 22 September from comment #6)
> This should be fixed. Decoder can you confirm?

This doesn't seem to be fixed, otherwise the bot would have removed the update flag and bisected the fix with the regular bisection.
Updated (Reporter, 3 years ago)
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Comment 9 (Reporter, 3 years ago)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision bb61415bd7e6).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0c8fa599e889
parent:      206590:2d6ffa903e38
user:        Hannes Verschore
date:        Mon Sep 22 22:45:08 2014 +0200
summary:     Bug 1067984 - IonMonkey: Temporarily disable lazy linking for non i686/x64, r=mjrosenb

This iteration took 570.856 seconds to run.
Comment 10

Aha so indeed fixed by bug 1067984 :D.

Now the autobisect is pointing to a wrong bug. It should point to bug 1047346, which landed the day before. Possibly the testcase uses a feature added/fixed by the bug autobisect is reporting.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1067984

Updated (3 years ago)
Group: core-security → core-security-release
Group: core-security-release