1122853 - Crash [@ js::jit::NameIC::update] or Assertion failure: hasIonScript(), at js/src/jsscript.h:1337

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision cac6192956ab (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --arm-asm-nop-fill=1):

this.__defineSetter__("x", Function);
gczeal(14);
function f() {}
evaluate("for (var j = 0; j < 99; ++j) { x += f(); }", { noScriptRval : true, compileAndGo : true });



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::NameIC::update (cx=0x92d9208, cacheIndex=cacheIndex@entry=0, scopeChain=(JSObject * const) 0xf5d44040 [object global] delegate, vp=$jsval(-nan(0xfff8200000000))) at js/src/jit/IonCaches.cpp:3937
3937	    NameIC &cache = ion->getCache(cacheIndex).toName();
#0  js::jit::NameIC::update (cx=0x92d9208, cacheIndex=cacheIndex@entry=0, scopeChain=(JSObject * const) 0xf5d44040 [object global] delegate, vp=$jsval(-nan(0xfff8200000000))) at js/src/jit/IonCaches.cpp:3937
#1  0x0834d169 in js::jit::Simulator::softwareInterrupt (this=0x92d8790, instr=0x93065bc) at js/src/jit/arm/Simulator-arm.cpp:2173
#2  0x0834a44c in js::jit::Simulator::instructionDecode (this=this@entry=0x92d8790, instr=instr@entry=0x93065bc) at js/src/jit/arm/Simulator-arm.cpp:4162
#3  0x0835e9d4 in js::jit::Simulator::execute<false> (this=0x92d8790) at js/src/jit/arm/Simulator-arm.cpp:4217
#4  0x0834d6fd in js::jit::Simulator::callInternal (this=this@entry=0x92d8790, entry=entry@entry=0xf7815db8 "\377\377\377\352\360O-\351\377\377\377\352\r\200\240\341\377\377\377\352,\304\006\343\377\377\377\352,\311@\343\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4305
#5  0x0834d7a6 in js::jit::Simulator::call (this=0x92d8790, entry=0xf7815db8 "\377\377\377\352\360O-\351\377\377\377\352\r\200\240\341\377\377\377\352,\304\006\343\377\377\377\352,\311@\343\377\377\377", <incomplete sequence \352>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4388
#6  0x081933d3 in EnterBaseline (cx=cx@entry=0x92d9208, data=...) at js/src/jit/BaselineJIT.cpp:122
#7  0x081db663 in js::jit::EnterBaselineMethod (cx=0x92d9208, state=...) at js/src/jit/BaselineJIT.cpp:154
#8  0x084ad2c8 in js::RunScript (cx=cx@entry=0x92d9208, state=...) at js/src/vm/Interpreter.cpp:438
#9  0x084ad3d2 in js::ExecuteKernel (cx=cx@entry=0x92d9208, script=script@entry=0xf5d481f0, scopeChainArg=(JSObject &) @0xf5d44040 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0xffffc3ac) at js/src/vm/Interpreter.cpp:657
#10 0x084ad527 in js::Execute (cx=0x92d9208, script=0xf5d481f0, scopeChainArg=(JSObject &) @0xf5d44040 [object global] delegate, rval=0xffffc3ac) at js/src/vm/Interpreter.cpp:694
#11 0x083ab279 in ExecuteScript (cx=0x92d9208, obj=..., scriptArg=0xf5d481f0, rval=0xffffc3ac) at js/src/jsapi.cpp:4362
#12 0x08053894 in Evaluate (cx=0x92d9208, argc=2, vp=0xffffc3ac) at js/src/shell/js.cpp:1317
#13 0x084ad7ce in CallJSNative (args=..., native=<optimized out>, cx=<optimized out>) at js/src/jscntxtinlines.h:226
#14 js::Invoke (cx=cx@entry=0x92d9208, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#15 0x084ae335 in js::Invoke (cx=0x92d9208, thisv=..., fval=..., argc=2, argv=0xf60feec0, rval=$jsval(-nan(0xfff8200000000))) at js/src/vm/Interpreter.cpp:554
#16 0x081fabb2 in js::jit::DoCallFallback (cx=0x92d9208, frame=frame@entry=0xf60fef00, stub_=stub_@entry=0x92ea590, argc=argc@entry=2, vp=vp@entry=0xf60feeb0, res=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:9496
#17 0x0834d0c9 in js::jit::Simulator::softwareInterrupt (this=0x92d8790, instr=0x935efdc) at js/src/jit/arm/Simulator-arm.cpp:2187
#18 0x0834a44c in js::jit::Simulator::instructionDecode (this=this@entry=0x92d8790, instr=instr@entry=0x935efdc) at js/src/jit/arm/Simulator-arm.cpp:4162
#19 0x0835e9d4 in js::jit::Simulator::execute<false> (this=0x92d8790) at js/src/jit/arm/Simulator-arm.cpp:4217
#20 0x0834d6fd in js::jit::Simulator::callInternal (this=this@entry=0x92d8790, entry=entry@entry=0xf7815db8 "\377\377\377\352\360O-\351\377\377\377\352\r\200\240\341\377\377\377\352,\304\006\343\377\377\377\352,\311@\343\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4305
#21 0x0834d7a6 in js::jit::Simulator::call (this=0x92d8790, entry=0xf7815db8 "\377\377\377\352\360O-\351\377\377\377\352\r\200\240\341\377\377\377\352,\304\006\343\377\377\377\352,\311@\343\377\377\377", <incomplete sequence \352>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4388
#22 0x081933d3 in EnterBaseline (cx=cx@entry=0x92d9208, data=...) at js/src/jit/BaselineJIT.cpp:122
#23 0x081db663 in js::jit::EnterBaselineMethod (cx=0x92d9208, state=...) at js/src/jit/BaselineJIT.cpp:154
#24 0x084ad2c8 in js::RunScript (cx=cx@entry=0x92d9208, state=...) at js/src/vm/Interpreter.cpp:438
#25 0x084ad3d2 in js::ExecuteKernel (cx=cx@entry=0x92d9208, script=script@entry=0xf5d480d0, scopeChainArg=(JSObject &) @0xf5d44040 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:657
#26 0x084ad527 in js::Execute (cx=0x92d9208, script=0xf5d480d0, scopeChainArg=(JSObject &) @0xf5d44040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:694
#27 0x083ab279 in ExecuteScript (cx=0x92d9208, obj=..., scriptArg=0xf5d480d0, rval=0x0) at js/src/jsapi.cpp:4362
#28 0x0805a715 in RunFile (compileOnly=false, file=0x9390f10, filename=0xffffd09b "min.js", obj=..., cx=0x92d9208) at js/src/shell/js.cpp:451
#29 Process (cx=cx@entry=0x92d9208, obj_=<optimized out>, filename=0xffffd09b "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:584
#30 0x0805dcd9 in ProcessArgs (op=0xffffccec, obj_=<optimized out>, cx=0x92d9208) at js/src/shell/js.cpp:5489
#31 Shell (op=0xffffccec, cx=0x92d9208, envp=<optimized out>) at js/src/shell/js.cpp:5728
#32 main (argc=6, argv=0xffffce84, envp=0xffffcea0) at js/src/shell/js.cpp:6068
eax	0xf5d481f0	-170622480
ebx	0x92acff4	153800692
ecx	0x92d9230	153981488
edx	0xffffbb4c	-17588
esi	0x92d9208	153981448
edi	0x155	341
ebp	0x0	0
esp	0xffffb7b0	4294948784
eip	0x82819f1 <js::jit::NameIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)+113>
=> 0x82819f1 <js::jit::NameIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)+113>:	mov    0x28(%ebp),%edi
   0x82819f4 <js::jit::NameIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)+116>:	movl   $0x0,0x8c(%esp)

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision ad16863d1d45).

Comment 3

[Fuzzing Team]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/723039c4f514
user:        Jan de Mooij
date:        Fri May 08 21:41:50 2015 +0200
summary:     Bug 1157231 - Optimize calls to own property setters. r=efaust

This iteration took 229.320 seconds to run.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Jan, is bug 1157231 a likely fix?

Comment 5

[Jan de Mooij [:jandem]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Jan, is bug 1157231 a likely fix?

No, but I modified the test a bit to fail more reliably and the real fix is bug 1135707.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Marking FIXED by bug 1135707.