Bug 1118911 - Assertion failure: it.isBaselineJS(), at js/src/jit/JitFrames.cpp:1565
Status: Closed, RESOLVED FIXED (opened 9 years ago, closed 9 years ago)
Product/Component: Core :: JavaScript Engine (defect)
Target Milestone: mozilla38
People: Reporter: decoder; Assignee: nbp
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 1.58 KB; jandem: review+; Sylvestre: approval-mozilla-aurora+, approval-mozilla-beta+
Description (Reporter, 9 years ago)

The following testcase crashes on mozilla-central revision 33781a3a5201 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off):

function test() {
  function f() k.apply(this, arguments);
  if (undefined >> undefined !== 0) {}
  for (var [ v , c ] = 0 in this.tracemonkey) { }
}
try { test(); } catch(exc1) {}
test();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000701c58 in js::jit::GetPcScript (cx=0x1a207d0, scriptRes=0x7fffffffa650, pcRes=0x0) at js/src/jit/JitFrames.cpp:1565
1565        MOZ_ASSERT(it.isBaselineJS());
#0  0x0000000000701c58 in js::jit::GetPcScript (cx=0x1a207d0, scriptRes=0x7fffffffa650, pcRes=0x0) at js/src/jit/JitFrames.cpp:1565
#1  0x00000000008fa8f2 in JSContext::currentScript (this=0x1a207d0, ppc=0x0, allowCrossCompartment=JSContext::ALLOW_CROSS_COMPARTMENT) at js/src/jscntxtinlines.h:467
#2  0x00000000008b5fdf in findVersion (this=0x1a207d0) at js/src/jscntxt.cpp:1224
#3  JS::CompileOptions::CompileOptions (this=0x7fffffffa830, cx=0x1a207d0, version=<optimized out>) at js/src/jsapi.cpp:3977
#4  0x000000000099f864 in js::CloneScript (cx=0x1a207d0, enclosingScope=(JSObject * const) 0x7ffff5676a00 [object Function "test"], fun=(JSFunction * const) 0x7ffff5676e80 [object Function "f"], src=0x7ffff5664358, newKind=<optimized out>) at js/src/jsscript.cpp:3085
#5  0x00000000009a030d in js::CloneFunctionScript (cx=0x1a207d0, original=..., clone=(JSFunction * const) 0x7ffff5676e80 [object Function "f"], newKind=js::GenericObject) at js/src/jsscript.cpp:3182
#6  0x00000000009a4140 in js::CloneFunctionObject (cx=0x1a207d0, fun=(JSFunction * const) 0x7ffff5676a80 [object Function "f"], parent=..., allocKind=<optimized out>, newKindArg=js::GenericObject) at js/src/jsfun.cpp:2097
#7  0x0000000000aabe6c in js::CloneFunctionObjectIfNotSingleton (cx=0x1a207d0, fun=(JSFunction * const) 0x7ffff5676a80 [object Function "f"], parent=(JSObject * const) 0x7ffff5660060 [object global] delegate, newKind=js::GenericObject) at js/src/jsfuninlines.h:85
#8  0x0000000000a4cb2f in js::Lambda (cx=0x1a207d0, fun=..., parent=...) at js/src/vm/Interpreter.cpp:3649
#9  0x00000000007f4fc8 in js::jit::RLambda::recover (this=<optimized out>, cx=0x1a207d0, iter=...) at js/src/jit/Recover.cpp:1239
#10 0x000000000077a143 in js::jit::SnapshotIterator::computeInstructionResults (this=<optimized out>, cx=0x1a207d0, results=0x7fffffffc200) at js/src/jit/JitFrames.cpp:2142
#11 0x000000000077a379 in js::jit::SnapshotIterator::initInstructionResults (this=0x7fffffffb860, fallback=...) at js/src/jit/JitFrames.cpp:2096
#12 0x000000000067dcfd in init (cx=0x1a207d0, this=0x7fffffffb860) at js/src/jit/BaselineBailouts.cpp:414
#13 js::jit::BailoutIonToBaseline (cx=0x1a207d0, activation=<optimized out>, iter=..., invalidate=false, bailoutInfo=0x7fffffffbef8, excInfo=0x0, poppedLastSPSFrameOut=0x7fffffffbd0f) at js/src/jit/BaselineBailouts.cpp:1457
#14 0x00000000005c1934 in js::jit::Bailout (sp=0x7fffffffbf00, bailoutInfo=0x7fffffffbef8) at js/src/jit/Bailouts.cpp:54
#15 0x00007ffff557f3cc in ?? ()
#16 0x0000000001a20701 in ?? ()
#17 0x00007fffffffbef8 in ?? ()
#18 0x00007fffffffbf20 in ?? ()
#19 0x0000000000000000 in ?? ()

rip            0x701c58 <js::jit::GetPcScript(JSContext*, JSScript**, unsigned char**)+1032>
=> 0x701c58 <js::jit::GetPcScript(JSContext*, JSScript**, unsigned char**)+1032>: movl   $0x7b,0x0
   0x701c63 <js::jit::GetPcScript(JSContext*, JSScript**, unsigned char**)+1043>: callq  0x4049f0 <abort@plt>
Updated by reporter, 9 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (Reporter, 9 years ago)

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a50d660f09da
user:      Nicolas B. Pierron
date:      Fri Dec 19 15:28:30 2014 +0100
summary:   Bug 1073033 part 3 - Recover MLambda on bailouts. r=shu

This iteration took 447.158 seconds to run.
Comment 2 (Reporter, 9 years ago)

Needinfo from nbp based on comment 1 :)
Flags: needinfo?(nicolas.b.pierron)
Comment 3 (Assignee, 9 years ago)

The problem here is that Bug 1070962 introduced the BailoutJS frame, and that GetPcScript can be called from the CompileOptions class to query the version of the script, when CloneScript is used by the RLambda::recover function.
Attachment #8548885 - Flags: review?(jdemooij)
Updated by assignee, 9 years ago:
Flags: needinfo?(nicolas.b.pierron)
Comment 4 (Jan de Mooij [:jandem], 9 years ago)

Comment on attachment 8548885: GetPcScript should care about bailout frames.

Review of attachment 8548885:
-----------------------------------------------------------------

Looks good. We should backport to Aurora right?
Attachment #8548885 - Flags: review?(jdemooij) → review+
Comment 5 (Assignee, 9 years ago)

(In reply to Jan de Mooij [:jandem] from comment #4)
> Looks good. We should backport to Aurora right?

Yes, this would be safe. On the other hand, I am not sure if this is necessary.
Comment 6 (Assignee, 9 years ago)

(Try) https://treeherder.mozilla.org/#/jobs?repo=try&revision=56b7527da917
(Inbound) https://hg.mozilla.org/integration/mozilla-inbound/rev/cca2a0bf4951
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/cca2a0bf4951
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Updated by assignee, 9 years ago:
status-firefox35: --- → unaffected
status-firefox36: --- → ?
Comment 8 (Assignee, 9 years ago)

Comment on attachment 8548885: GetPcScript should care about bailout frames.

Approval Request Comment
[Feature/regressing bug #]: At least Bug 1073033, maybe Bug 1070962.
[User impact if declined]: Potential crashes.
[Describe test coverage new/current, TBPL]: merged to mozilla-central.
[Risks and why]: Low risk, this patch makes use of functions which are made to support this kind of inputs under this context.
[String/UUID change made/needed]: N/A
Attachment #8548885 - Flags: approval-mozilla-beta?
Attachment #8548885 - Flags: approval-mozilla-aurora?
Comment 9 (9 years ago)

Comment on attachment 8548885: GetPcScript should care about bailout frames.

Since the JS crashes are hard to track and this patch has a test, taking it for safety.
Attachment #8548885 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8548885 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 10 (9 years ago)

https://hg.mozilla.org/releases/mozilla-aurora/rev/bcf64fae59bd
https://hg.mozilla.org/releases/mozilla-beta/rev/b8922f819a88
status-firefox38:
--- → fixed
Flags: in-testsuite+
Comment 11 (9 years ago)

https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/bcf64fae59bd
status-b2g-v2.2:
--- → fixed
status-b2g-master:
--- → fixed
Updated 9 years ago:
Flags: qe-verify-