Closed Bug 1118911 Opened 6 years ago Closed 6 years ago

Assertion failure: it.isBaselineJS(), at js/src/jit/JitFrames.cpp:1565


(Core :: JavaScript Engine, defect)




Tracking Status
firefox35 --- unaffected
firefox36 --- fixed
firefox37 --- fixed
firefox38 --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed


(Reporter: decoder, Assigned: nbp)


(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])



The following testcase crashes on mozilla-central revision 33781a3a5201 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off):

function test() {
  // Legacy SpiderMonkey expression closure: a function whose body is a bare expression.
  function f()
    k.apply(this, arguments);
  if (undefined >> undefined !== 0) {}
  // Legacy for-in with an initializer on a destructuring declaration.
  for (var [ v , c ]  = 0 in this.tracemonkey) {  }
}
try { test(); } catch(exc1) {}


Program received signal SIGSEGV, Segmentation fault.
0x0000000000701c58 in js::jit::GetPcScript (cx=0x1a207d0, scriptRes=0x7fffffffa650, pcRes=0x0) at js/src/jit/JitFrames.cpp:1565
1565	        MOZ_ASSERT(it.isBaselineJS());
#0  0x0000000000701c58 in js::jit::GetPcScript (cx=0x1a207d0, scriptRes=0x7fffffffa650, pcRes=0x0) at js/src/jit/JitFrames.cpp:1565
#1  0x00000000008fa8f2 in JSContext::currentScript (this=0x1a207d0, ppc=0x0, allowCrossCompartment=JSContext::ALLOW_CROSS_COMPARTMENT) at js/src/jscntxtinlines.h:467
#2  0x00000000008b5fdf in findVersion (this=0x1a207d0) at js/src/jscntxt.cpp:1224
#3  JS::CompileOptions::CompileOptions (this=0x7fffffffa830, cx=0x1a207d0, version=<optimized out>) at js/src/jsapi.cpp:3977
#4  0x000000000099f864 in js::CloneScript (cx=0x1a207d0, enclosingScope=(JSObject * const) 0x7ffff5676a00 [object Function "test"], fun=(JSFunction * const) 0x7ffff5676e80 [object Function "f"], src=0x7ffff5664358, newKind=<optimized out>) at js/src/jsscript.cpp:3085
#5  0x00000000009a030d in js::CloneFunctionScript (cx=0x1a207d0, original=..., clone=(JSFunction * const) 0x7ffff5676e80 [object Function "f"], newKind=js::GenericObject) at js/src/jsscript.cpp:3182
#6  0x00000000009a4140 in js::CloneFunctionObject (cx=0x1a207d0, fun=(JSFunction * const) 0x7ffff5676a80 [object Function "f"], parent=..., allocKind=<optimized out>, newKindArg=js::GenericObject) at js/src/jsfun.cpp:2097
#7  0x0000000000aabe6c in js::CloneFunctionObjectIfNotSingleton (cx=0x1a207d0, fun=(JSFunction * const) 0x7ffff5676a80 [object Function "f"], parent=(JSObject * const) 0x7ffff5660060 [object global] delegate, newKind=js::GenericObject) at js/src/jsfuninlines.h:85
#8  0x0000000000a4cb2f in js::Lambda (cx=0x1a207d0, fun=..., parent=...) at js/src/vm/Interpreter.cpp:3649
#9  0x00000000007f4fc8 in js::jit::RLambda::recover (this=<optimized out>, cx=0x1a207d0, iter=...) at js/src/jit/Recover.cpp:1239
#10 0x000000000077a143 in js::jit::SnapshotIterator::computeInstructionResults (this=<optimized out>, cx=0x1a207d0, results=0x7fffffffc200) at js/src/jit/JitFrames.cpp:2142
#11 0x000000000077a379 in js::jit::SnapshotIterator::initInstructionResults (this=0x7fffffffb860, fallback=...) at js/src/jit/JitFrames.cpp:2096
#12 0x000000000067dcfd in init (cx=0x1a207d0, this=0x7fffffffb860) at js/src/jit/BaselineBailouts.cpp:414
#13 js::jit::BailoutIonToBaseline (cx=0x1a207d0, activation=<optimized out>, iter=..., invalidate=false, bailoutInfo=0x7fffffffbef8, excInfo=0x0, poppedLastSPSFrameOut=0x7fffffffbd0f) at js/src/jit/BaselineBailouts.cpp:1457
#14 0x00000000005c1934 in js::jit::Bailout (sp=0x7fffffffbf00, bailoutInfo=0x7fffffffbef8) at js/src/jit/Bailouts.cpp:54
#15 0x00007ffff557f3cc in ?? ()
#16 0x0000000001a20701 in ?? ()
#17 0x00007fffffffbef8 in ?? ()
#18 0x00007fffffffbf20 in ?? ()
#19 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x21	33
rcx	0x7ffff6cb3f7d	140737333903229
rdx	0x0	0
rsi	0x7ffff6f87a80	140737336867456
rdi	0x7ffff6f86180	140737336861056
rbp	0x7fffffffa640	140737488332352
rsp	0x7fffffffa200	140737488331264
r8	0x7ffff7fe8740	140737354041152
r9	0x72746e65632d616c	8247338199356891500
r10	0x7fffffff9f90	140737488330640
r11	0x7ffff6c3b940	140737333410112
r12	0x19fb2d0	27243216
r13	0x7ffff557f7a5	140737309570981
r14	0x1a207d0	27396048
r15	0x0	0
rip	0x701c58 <js::jit::GetPcScript(JSContext*, JSScript**, unsigned char**)+1032>
=> 0x701c58 <js::jit::GetPcScript(JSContext*, JSScript**, unsigned char**)+1032>:	movl   $0x7b,0x0
   0x701c63 <js::jit::GetPcScript(JSContext*, JSScript**, unsigned char**)+1043>:	callq  0x4049f0 <abort@plt>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Nicolas B. Pierron
date:        Fri Dec 19 15:28:30 2014 +0100
summary:     Bug 1073033 part 3 - Recover MLambda on bailouts. r=shu

This iteration took 447.158 seconds to run.
Needinfo from nbp based on comment 1 :)
Flags: needinfo?(nicolas.b.pierron)
The problem here is that Bug 1070962 introduced the BailoutJS frame, and that GetPcScript can be called from the CompileOptions class to query the version of the script, when CloneScript is used by the RLambda::recover
Attachment #8548885 - Flags: review?(jdemooij)
Flags: needinfo?(nicolas.b.pierron)
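To make the shape of the failure concrete: the assertion in the backtrace fires because the frame walker reaches a BailoutJS frame at a point where it only expected a Baseline frame. The toy model below is an added illustration, not SpiderMonkey code and not the attached patch; the frame kinds, the `Frame` struct, the script ids and pcs, and the way a BailoutJS frame answers the query are all constructed assumptions. It contrasts a lookup that asserts on frame kind with one that names every kind explicitly, run over a constructed stack in the shape of the backtrace above (an exit frame above an Ion frame that is mid-bailout).

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Added toy model, not SpiderMonkey code: the frame kinds a JIT frame walker
// can meet. BailoutJS is the kind the comment above says bug 1070962 added.
enum class FrameType { Exit, Rectifier, IonJS, BaselineJS, BailoutJS };

struct Frame {
    FrameType type;
    int script;      // stand-in for JSScript* (constructed id)
    std::size_t pc;  // stand-in for jsbytecode*; for BailoutJS, the resume pc
};

// Innermost frame first, the order an activation is walked.
typedef std::vector<Frame> Stack;

// Pre-fix shape: non-script frames are skipped, an Ion frame is answered from
// its own data, and anything else is assumed to be Baseline. Returning false
// stands in for MOZ_ASSERT(it.isBaselineJS()) aborting a debug build.
bool getPcScriptStrict(const Stack& stack, int* scriptRes, std::size_t* pcRes) {
    for (const Frame& f : stack) {
        if (f.type == FrameType::Exit || f.type == FrameType::Rectifier)
            continue;
        if (f.type == FrameType::IonJS) {
            *scriptRes = f.script;
            *pcRes = f.pc;
            return true;
        }
        if (f.type != FrameType::BaselineJS)
            return false;  // the assertion: a BailoutJS frame was not anticipated
        *scriptRes = f.script;
        *pcRes = f.pc;
        return true;
    }
    return false;  // no script frame on the stack
}

// Fixed shape: every frame kind is named in the dispatch, and a BailoutJS frame
// answers with the script and pc of the frame being reconstructed, so a recover
// instruction that asks for the current script mid-bailout gets an answer
// instead of an abort. Adding a new enum value here forces the case to be written.
bool getPcScriptHandlingBailout(const Stack& stack, int* scriptRes, std::size_t* pcRes) {
    for (const Frame& f : stack) {
        switch (f.type) {
          case FrameType::Exit:
          case FrameType::Rectifier:
            continue;
          case FrameType::IonJS:
          case FrameType::BaselineJS:
          case FrameType::BailoutJS:
            *scriptRes = f.script;
            *pcRes = f.pc;
            return true;
        }
    }
    return false;
}

// Constructed stack in the shape of the page's backtrace: a C++ helper entered
// through an exit frame, the innermost JS frame being the Ion frame that is
// currently bailing out, with a Baseline caller below it. Values are made up.
const Stack& bailoutStack() {
    static const Stack s = {
        {FrameType::Exit, 0, 0},
        {FrameType::BailoutJS, 42, 17},
        {FrameType::BaselineJS, 7, 3},
    };
    return s;
}

int main() {
    int script = -1;
    std::size_t pc = 0;
    std::printf("strict lookup: %s\n",
                getPcScriptStrict(bailoutStack(), &script, &pc) ? "ok" : "would assert");
    if (getPcScriptHandlingBailout(bailoutStack(), &script, &pc))
        std::printf("bailout-aware lookup: script %d pc %zu\n", script, pc);
    return 0;
}
```

The point of the `switch` without a `default` is the engineering lesson of this bug: when a new frame kind is introduced, a walker that enumerates kinds explicitly fails to compile (or at least warns) until the new case is handled, whereas one that asserts "everything else is Baseline" only fails at runtime, on the input a fuzzer eventually finds.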
Comment on attachment 8548885 [details] [diff] [review]
GetPcScript should care about bailout frames.

Review of attachment 8548885 [details] [diff] [review]:

Looks good. We should backport to Aurora right?
Attachment #8548885 - Flags: review?(jdemooij) → review+
(In reply to Jan de Mooij [:jandem] from comment #4)
> Looks good. We should backport to Aurora right?

Yes, this would be safe.
On the other hand, I am not sure if this is necessary.
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment on attachment 8548885 [details] [diff] [review]
GetPcScript should care about bailout frames.

Approval Request Comment
[Feature/regressing bug #]:
At least Bug 1073033, maybe Bug 1070962.

[User impact if declined]:
Potential crashes.

[Describe test coverage new/current, TBPL]:
merged to mozilla-central.

[Risks and why]: 
Low risk, this patch makes use of functions which are made to support this kind of input under this context.

[String/UUID change made/needed]:
Attachment #8548885 - Flags: approval-mozilla-beta?
Attachment #8548885 - Flags: approval-mozilla-aurora?
Comment on attachment 8548885 [details] [diff] [review]
GetPcScript should care about bailout frames.

Since the JS crashes are hard to track and this patch has a test, taking it for safety.
Attachment #8548885 - Flags: approval-mozilla-beta?
Attachment #8548885 - Flags: approval-mozilla-beta+
Attachment #8548885 - Flags: approval-mozilla-aurora?
Attachment #8548885 - Flags: approval-mozilla-aurora+
Flags: qe-verify-