Assertion failure: useSameScript || !fun->isInterpretedLazy() in debug/Source-invisible.js jit-test with GC zeal 2,21

RESOLVED FIXED in Firefox 40

Status

defect
RESOLVED FIXED
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: jonco, Assigned: jonco)

Tracking

Version: unspecified
Target Milestone: mozilla40
Platform: x86_64 Linux
Firefox Tracking Flags: firefox40 fixed

Attachments

(1 attachment)

Running the debug/Source-invisible.js jit-test with GC zeal 14,21 fails:

Assertion failure: useSameScript || !fun->isInterpretedLazy(), at js/src/jsfun.cpp:2169
Exit code: -11
FAIL - debug/Source-invisible.js

Originally found in try pushes on Windows builds with the patches from bug 1155618 applied, although this is a pre-existing issue.
This is not related to compacting GC after all, as it reproduces with zeal 2,21:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000bb7040 in js::CloneFunctionObject (cx=cx@entry=0x7ffff651b330, fun=fun@entry=..., parent=..., allocKind=allocKind@entry=js::gc::AllocKind::OBJECT4_BACKGROUND, 
    newKindArg=newKindArg@entry=js::GenericObject, proto=...) at /home/jon/clone/dev/js/src/jsfun.cpp:2169
2169	    MOZ_ASSERT(useSameScript || !fun->isInterpretedLazy());
(gdb) bt
#0  0x0000000000bb7040 in js::CloneFunctionObject (cx=cx@entry=0x7ffff651b330, fun=fun@entry=..., parent=..., allocKind=allocKind@entry=js::gc::AllocKind::OBJECT4_BACKGROUND, 
    newKindArg=newKindArg@entry=js::GenericObject, proto=...) at /home/jon/clone/dev/js/src/jsfun.cpp:2169
#1  0x0000000000ae6a79 in CloneFunctionObject (cx=cx@entry=0x7ffff651b330, funobj=..., funobj@entry=..., dynamicScope=...) at /home/jon/clone/dev/js/src/jsapi.cpp:3320
#2  0x0000000000ae6d7a in JS::CloneFunctionObject (cx=cx@entry=0x7ffff651b330, funobj=..., funobj@entry=..., scopeChain=...) at /home/jon/clone/dev/js/src/jsapi.cpp:3339
#3  0x0000000000454d8d in Clone (cx=0x7ffff651b330, argc=<optimised out>, vp=0x7ffff4a02148) at /home/jon/clone/dev/js/src/shell/js.cpp:2596
#4  0x0000000000697ea7 in js::CallJSNative (cx=0x7ffff651b330, native=0x454a40 <Clone(JSContext*, unsigned int, jsval*)>, args=...) at /home/jon/clone/dev/js/src/jscntxtinlines.h:235
#5  0x0000000000687592 in js::Invoke (cx=0x7ffff651b330, args=..., construct=js::NO_CONSTRUCT) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:727
#6  0x000000000068139d in Interpret (cx=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:2955
#7  0x0000000000687040 in js::RunScript (cx=cx@entry=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:677
#8  0x0000000000691a88 in js::ExecuteKernel (cx=cx@entry=0x7ffff651b330, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_INDIRECT_EVAL, 
    evalInFrame=..., evalInFrame@entry=..., result=0x7fffffffcc28) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:902
#9  0x000000000058da74 in EvalKernel (cx=cx@entry=0x7ffff651b330, args=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=..., pc=pc@entry=0x0)
    at /home/jon/clone/dev/js/src/builtin/Eval.cpp:365
#10 0x000000000058e197 in js::IndirectEval (cx=0x7ffff651b330, argc=<optimised out>, vp=<optimised out>) at /home/jon/clone/dev/js/src/builtin/Eval.cpp:489
#11 0x0000000000697ea7 in js::CallJSNative (cx=0x7ffff651b330, native=0x58e100 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/jon/clone/dev/js/src/jscntxtinlines.h:235
#12 0x0000000000687592 in js::Invoke (cx=cx@entry=0x7ffff651b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:727
#13 0x00000000006891dc in js::Invoke (cx=cx@entry=0x7ffff651b330, thisv=..., fval=..., argc=<optimised out>, argv=0x7ffff4a020b0, rval=...)
    at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:783
#14 0x0000000000bf95db in js::DirectProxyHandler::call (this=this@entry=0x1a85ac0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff651b330, proxy=..., proxy@entry=..., 
    args=...) at /home/jon/clone/dev/js/src/proxy/DirectProxyHandler.cpp:77
#15 0x0000000000c00122 in js::CrossCompartmentWrapper::call (this=0x1a85ac0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff651b330, wrapper=..., args=...)
    at /home/jon/clone/dev/js/src/proxy/CrossCompartmentWrapper.cpp:289
#16 0x0000000000c0c892 in js::Proxy::call (cx=cx@entry=0x7ffff651b330, proxy=proxy@entry=..., args=...) at /home/jon/clone/dev/js/src/proxy/Proxy.cpp:391
#17 0x0000000000c0c94f in js::proxy_Call (cx=0x7ffff651b330, argc=<optimised out>, vp=<optimised out>) at /home/jon/clone/dev/js/src/proxy/Proxy.cpp:697
#18 0x0000000000697ea7 in js::CallJSNative (cx=0x7ffff651b330, native=0xc0c8c0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/jon/clone/dev/js/src/jscntxtinlines.h:235
#19 0x0000000000687766 in js::Invoke (cx=0x7ffff651b330, args=..., construct=js::NO_CONSTRUCT) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:720
#20 0x000000000068139d in Interpret (cx=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:2955
#21 0x0000000000687040 in js::RunScript (cx=cx@entry=0x7ffff651b330, state=...) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:677
#22 0x0000000000691a88 in js::ExecuteKernel (cx=cx@entry=0x7ffff651b330, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, 
    evalInFrame=..., evalInFrame@entry=..., result=0x0) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:902
#23 0x00000000006940cb in js::Execute (cx=cx@entry=0x7ffff651b330, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at /home/jon/clone/dev/js/src/vm/Interpreter.cpp:942
#24 0x0000000000ad8fef in ExecuteScript (cx=cx@entry=0x7ffff651b330, obj=..., scriptArg=..., rval=rval@entry=0x0) at /home/jon/clone/dev/js/src/jsapi.cpp:4159
#25 0x0000000000ad917b in JS_ExecuteScript (cx=cx@entry=0x7ffff651b330, scriptArg=..., scriptArg@entry=...) at /home/jon/clone/dev/js/src/jsapi.cpp:4181
#26 0x00000000004259ab in RunFile (compileOnly=false, file=0x7ffff4b5b000, filename=0x7fffffffeb7b "/home/jon/clone/dev/js/src/jit-test/tests/debug/Source-invisible.js", 
    cx=0x7ffff651b330) at /home/jon/clone/dev/js/src/shell/js.cpp:468
#27 Process (cx=cx@entry=0x7ffff651b330, filename=0x7fffffffeb7b "/home/jon/clone/dev/js/src/jit-test/tests/debug/Source-invisible.js", forceTTY=forceTTY@entry=false)
    at /home/jon/clone/dev/js/src/shell/js.cpp:598
#28 0x000000000043b183 in ProcessArgs (op=0x7fffffffe580, cx=0x7ffff651b330) at /home/jon/clone/dev/js/src/shell/js.cpp:5777
#29 Shell (envp=<optimised out>, op=0x7fffffffe580, cx=0x7ffff651b330) at /home/jon/clone/dev/js/src/shell/js.cpp:6068
#30 main (argc=<optimised out>, argv=<optimised out>, envp=<optimised out>) at /home/jon/clone/dev/js/src/shell/js.cpp:6390
Summary: Assertion failure: useSameScript || !fun->isInterpretedLazy() in debug/Source-invisible.js jit-test with compacting GC → Assertion failure: useSameScript || !fun->isInterpretedLazy() in debug/Source-invisible.js jit-test with GC zeal 2,21
No longer blocks: CompactingGC
The problem seems to be that in CloneFunctionObject() we try to delazify the script too soon.  If the script is not lazy at this point, it can become lazy if NewObjectWithClassProto() causes a GC, and then the assertion fails.

The attached patch fixes the issue.  Jan, does this look like the right approach here?
Attachment #8602213 - Flags: feedback?(jdemooij)
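An added illustration of the ordering hazard described in the comment above. This is not code from this bug's patch or from SpiderMonkey: the ToyScript/ToyFunction/ToyHeap types, the zeal-style "collect every Nth allocation" trigger, and the two clone orderings (cloneChecksBeforeAlloc, cloneChecksAfterAlloc) are all invented here to model the bug class, and the "fixed" ordering is one way to avoid the stale check, not necessarily what the attached patch does.

```cpp
// Toy model (constructed for this example, not SpiderMonkey code) of why a
// lazy/not-lazy check made before an allocation can be stale afterwards:
// any allocation may run a GC, and the GC may relazify functions.
#include <cassert>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct ToyScript {
    int id = 0;
};

struct ToyFunction {
    ToyScript* script = nullptr;   // nullptr means the function is "lazy"
    bool relazifiable = true;      // GC may discard the script and re-lazify
    bool isInterpretedLazy() const { return script == nullptr; }
};

// Heap with a zeal-style GC trigger: every `zealPeriod` allocations a GC runs,
// and the GC relazifies every relazifiable function it knows about.
class ToyHeap {
public:
    explicit ToyHeap(int zealPeriod) : zealPeriod_(zealPeriod) {}

    void addRoot(ToyFunction* f) { roots_.push_back(f); }

    // Delazify: give the function a script if it does not have one.
    // In this toy, creating a script does not itself trigger a GC.
    ToyScript* getOrCreateScript(ToyFunction& f) {
        if (!f.script) {
            auto s = std::make_unique<ToyScript>();
            s->id = nextScriptId_++;
            scripts_.push_back(std::move(s));
            f.script = scripts_.back().get();
        }
        return f.script;
    }

    // Copy a (non-lazy) script for a clone that must not share the original.
    ToyScript* cloneScript(const ToyScript& src) {
        auto s = std::make_unique<ToyScript>();
        s->id = src.id;
        scripts_.push_back(std::move(s));
        return scripts_.back().get();
    }

    // Any allocation may collect, the way NewObjectWithClassProto() can.
    ToyFunction* allocateFunction() {
        if (++allocs_ % zealPeriod_ == 0)
            collect();
        functions_.push_back(std::make_unique<ToyFunction>());
        return functions_.back().get();
    }

private:
    void collect() {
        for (ToyFunction* f : roots_)
            if (f->relazifiable)
                f->script = nullptr;   // the script becomes lazy again
    }

    int zealPeriod_;
    int allocs_ = 0;
    int nextScriptId_ = 1;
    std::vector<ToyFunction*> roots_;
    std::vector<std::unique_ptr<ToyScript>> scripts_;
    std::vector<std::unique_ptr<ToyFunction>> functions_;
};

// Buggy ordering: delazify, then allocate the clone, then rely on the state
// observed before the allocation. Returns whether the post-allocation
// invariant (the one the MOZ_ASSERT in the bug checks) actually holds.
bool cloneChecksBeforeAlloc(ToyHeap& heap, ToyFunction& fun, bool useSameScript) {
    if (!useSameScript && fun.isInterpretedLazy())
        heap.getOrCreateScript(fun);
    ToyFunction* clone = heap.allocateFunction();   // may GC and relazify `fun`
    bool invariantHolds = useSameScript || !fun.isInterpretedLazy();
    if (invariantHolds)
        clone->script = useSameScript ? fun.script : heap.cloneScript(*fun.script);
    return invariantHolds;
}

// Safer ordering: do the allocation that can trigger a GC first, and only
// then inspect and delazify `fun`, so no GC can run between check and use.
bool cloneChecksAfterAlloc(ToyHeap& heap, ToyFunction& fun, bool useSameScript) {
    ToyFunction* clone = heap.allocateFunction();   // may GC and relazify `fun`
    if (!useSameScript)
        heap.getOrCreateScript(fun);
    bool invariantHolds = useSameScript || !fun.isInterpretedLazy();
    if (invariantHolds)
        clone->script = useSameScript ? fun.script : heap.cloneScript(*fun.script);
    return invariantHolds;
}

// Run one ordering against a fresh heap; zealPeriod 1 collects on every
// allocation, the worst case that a GC zeal setting approximates.
bool runOrdering(int zealPeriod, bool checksAfterAlloc) {
    ToyHeap heap(zealPeriod);
    ToyFunction fun;                 // starts lazy, like a never-called function
    heap.addRoot(&fun);
    return checksAfterAlloc ? cloneChecksAfterAlloc(heap, fun, /*useSameScript=*/false)
                            : cloneChecksBeforeAlloc(heap, fun, /*useSameScript=*/false);
}

int main() {
    std::printf("GC every alloc, check before alloc: %s\n", runOrdering(1, false) ? "ok" : "ASSERT");
    std::printf("GC every alloc, check after alloc:  %s\n", runOrdering(1, true) ? "ok" : "ASSERT");
    std::printf("no GC, check before alloc:          %s\n", runOrdering(1000, false) ? "ok" : "ASSERT");
    return 0;
}
```

The point is that isInterpretedLazy() is GC-mutable state: a check made before an allocation says nothing about the state after it, so the check and the delazification it guards have to sit where no GC can intervene, or be redone after the allocation. Without a zeal setting the window is rarely hit, which is why the assertion only showed up under GC zeal.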
Duplicate of this bug: 1162413
Blocks: 1161362
Comment on attachment 8602213 [details] [diff] [review]
bug1161968-lazy-assertion

Review of attachment 8602213 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.
Attachment #8602213 - Flags: feedback?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/ceadd609623b
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40