Closed Bug 1111477 Opened 10 years ago Closed 10 years ago

Assertion failure: cur_ == frame_.fun()->environment(), at vm/ScopeObject.cpp

Categories

Product/Component: Core :: JavaScript Engine: JIT
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla37
Tracking Status:
firefox36 --- fixed
firefox37 --- fixed

People

(Reporter: gkw, Assigned: shu)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

// Randomly chosen test: js/src/jit-test/tests/debug/bug1107913.js
// Attach a Debugger to this global from a second global and install an
// onExceptionUnwind hook. The hook is never meant to do anything; its mere
// presence puts this global's frames under Debugger observation, which is
// the debug-mode exception-unwind path exercised below.
g = newGlobal()
g.parent = this
g.eval("Debugger(parent).onExceptionUnwind = function() {}")
// Randomly chosen test: js/src/jit-test/tests/auto-regress/bug675251.js
// Unbounded mutual recursion m() -> f() -> m() eventually throws a
// "too much recursion" InternalError, which then unwinds through the
// (Ion-compiled, given --ion-eager) frames while the Debugger is watching.
function m() {
    function f() {
        m()
    }
    // Fuzzer leftover: this array literal is built and discarded, the inner
    // function is never called.
    [
        function() {
            f()
        }
    ]
    for (var i = 0; i < 1; i++) {
        f()
    }
}
m()

asserts js debug 32-bit ARM-simulator shell on m-c changeset f14dcd1c8c0b with --fuzzing-safe --no-threads --ion-eager at Assertion failure: cur_ == frame_.fun()->environment(), at vm/ScopeObject.cpp.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/debug/bug1107913.js
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/auto-regress/bug675251.js

Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b160657339f8
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:39 2014 -0800
summary:     Bug 1032869 - Part 2: Move debuggee-ness to frames and selectively deoptimize when Debugger needs to observe execution. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/bb2f13ba7b1c
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1062629 - Off-thread compartment debug mode should match main thread compartment debug mode. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/1176cc3c3b34
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1063328 - Fix on-stack live iterator handling when bailing out in-place due to debug mode OSR. (r=jandem)

changeset:   https://hg.mozilla.org/mozilla-central/rev/f8e316fa65bb
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1063330 - Remove the JS shell's evalInFrame. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/96a2f59f6ce4
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1032869 - Part 3: Don't consider onExceptionUnwind an all-execution-observing hook. (r=jandem)

changeset:   https://hg.mozilla.org/mozilla-central/rev/06d07689a043
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:41 2014 -0800
summary:     Bug 1032869 - Part 4: Add an auto-updated DebugModeOSRVolatileJitFrameIterator. (r=jandem)

Shu-yu, are any of these bugs possible regressors?
Flags: needinfo?(shu)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x3601d9, 0x00761079 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::ScopeIter::settle(this=<unavailable>) + 3001 at ScopeObject.cpp:1214, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00761079 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::ScopeIter::settle(this=<unavailable>) + 3001 at ScopeObject.cpp:1214
    frame #1: 0x007603d5 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::ScopeIter::ScopeIter(this=0xbfffc6fd, frame=(ptr_ = 31457330), pc=<unavailable>, cx=<unavailable>, _notifier=<unavailable>) + 437 at ScopeObject.cpp:1100
    frame #2: 0x0034c220 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::HandleException(js::jit::ResumeFromException*) [inlined] js::jit::HandleExceptionBaseline(cx=<unavailable>, frame=0x01e00060, unwoundScopeToPc=<unavailable>, calledDebugEpilogue=0x00000000) + 325 at JitFrames.cpp:622
    frame #3: 0x0034c0db js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::HandleException(rfe=<unavailable>) + 3163 at JitFrames.cpp:799
    frame #4: 0x004afc37 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::jit::Simulator::softwareInterrupt(this=0x0300a800, instr=<unavailable>) + 2343 at Simulator-arm.cpp:2140
(lldb)
Unending torments.

I also don't know how to write a test case for this; the fuzz test only
triggers this case on the ARM sim.
Attachment #8536834 - Flags: review?(jdemooij)
Flags: needinfo?(shu)
Assignee: nobody → shu
Comment on attachment 8536834 [details] [diff] [review]
Always initialize scope chain for bailout to baseline if bailing in-place for debug mode.

Review of attachment 8536834 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/BaselineBailouts.cpp
@@ +676,5 @@
>                  // we leave scopeChain nullptr and enter baseline code before
>                  // the prologue.
> +                //
> +                // If we are propagating an exception for debug mode, we will
> +                // resume not resume into baseline code, but instead into
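Review bot: the comment added at +679/+680 is garbled: "we will resume not resume into baseline code, but instead into" drops a word and the sentence is cut off at the hunk boundary, so the alternative resume target that justifies initializing the scope chain is never named in what is shown. Suggest "we will not resume into baseline code, but instead into ..." and finish the sentence, so that the invariant the patch title states (the scope chain is always initialized when bailing in place for debug mode) is spelled out next to the code that relies on it rather than only in the commit title.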

"we will resume not resume"???
(In reply to Jim Blandy :jimb from comment #3)
> Comment on attachment 8536834 [details] [diff] [review]
> Always initialize scope chain for bailout to baseline if bailing in-place
> for debug mode.
> 
> Review of attachment 8536834 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: js/src/jit/BaselineBailouts.cpp
> @@ +676,5 @@
> >                  // we leave scopeChain nullptr and enter baseline code before
> >                  // the prologue.
> > +                //
> > +                // If we are propagating an exception for debug mode, we will
> > +                // resume not resume into baseline code, but instead into
> 
> "we will resume not resume"???

Oops, good watching out.
Attachment #8536834 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/f9efd7ae7629
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Blocks: 1114757
Fixed for Fx36 by the roll-up in bug 1114757.
Flags: in-testsuite?