1123120 - Assertion failure: !isInterpretedLazy(), at jsfun.h

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(function() {
    function f() {}
    var x
    (function() {
        x = 1
    })()
    f + 0
    relazifyFunctions()
})()

asserts js debug shell on m-c changeset 6446c26b45f9 with --fuzzing-safe --no-threads -D at Assertion failure: !isInterpretedLazy(), at jsfun.h

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150117005258" and the hash "b86864fd9d60".
The "bad" changeset has the timestamp "20150117035558" and the hash "eb6e90404b76".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b86864fd9d60&tochange=eb6e90404b76

This was probably exposed by bug 1116760. Jan, thoughts?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x128f5, 0x0000000100024f9a js-dbg-opt-64-dm-nsprBuild-darwin-6446c26b45f9`JSFunction::isHeavyweight(this=<unavailable>) const + 202 at jsfun.h:95, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100024f9a js-dbg-opt-64-dm-nsprBuild-darwin-6446c26b45f9`JSFunction::isHeavyweight(this=<unavailable>) const + 202 at jsfun.h:95
    frame #1: 0x0000000100813d18 js-dbg-opt-64-dm-nsprBuild-darwin-6446c26b45f9`js::StaticScopeIter<(this=<unavailable>)0>::hasDynamicScopeObject() const + 120 at ScopeObject-inl.h:106
    frame #2: 0x00000001007bdcf8 js-dbg-opt-64-dm-nsprBuild-darwin-6446c26b45f9`js::ScopeCoordinateToStaticScopeShape(script=<unavailable>, pc=<unavailable>) + 200 at ScopeObject.cpp:45
    frame #3: 0x00000001007bdfaa js-dbg-opt-64-dm-nsprBuild-darwin-6446c26b45f9`js::ScopeCoordinateName(cache=0x0000000102029098, script=0x000000010505e300, pc=0x0000000101e1eabb) + 42 at ScopeObject.cpp:68
    frame #4: 0x000000010060a53d js-dbg-opt-64-dm-nsprBuild-darwin-6446c26b45f9`js_Disassemble1(cx=0x0000000101f01cf0, pc=0x0000000101e1eabb, loc=<unavailable>, lines=<unavailable>, sp=0x00007fff5fbff4b0, script=<unavailable>) + 2141 at jsopcode.cpp:979
(lldb)

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Note that this requires -D.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Patch

We shouldn't relazify scripts with pc counts. If we're using this option, we're intentionally keeping the scripts alive (so that we can dump the info later), so relazifying doesn't gain us anything. Furthermore, this is only used by devs anyway.

Comment 5

[Till Schneidereit [:till]]

Comment on attachment 8551246 [details] [diff] [review]
Patch

Review of attachment 8551246 [details] [diff] [review]:
-----------------------------------------------------------------

Yup, that makes sense.

Comment 6

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/deadc5352365

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/deadc5352365