1175350 - Crashes at js::ValueToId in JavaScript engine

Status: RESOLVED DUPLICATE of bug 1174547

(Core :: JavaScript Engine, defect)

Description

[Steven Michaud [:smichaud] (Retired)]

These are 100% reproducible, in today's m-c nightly, on OS X and Windows, with and without e10s, using the following URL (among others):

http://www.bmj.com/theBMJ

Comment 1

[Steven Michaud [:smichaud] (Retired)]

Regression range on OS X:

firefox-2015-06-11-03-02-08-mozilla-central
firefox-2015-06-12-03-02-05-mozilla-central

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bfd82015df48&tochange=0093691d3715

Comment 2

[Steven Michaud [:smichaud] (Retired)]

(Following up comment #1)

The regression range is the same on Windows (Windows 7).

Comment 3

[Steven Michaud [:smichaud] (Retired)]

To see these crashes with e10s on (in the content process), you may need to switch away from the tab containing http://www.bmj.com/theBMJ and then back again.

Comment 4

[Steven Michaud [:smichaud] (Retired)]

[Tracking Requested - why for this release]:

These crashes are very easy to reproduce, and will probably quickly become a topcrasher on all platforms.

Comment 5

[Boris Zbarsky [:bzbarsky]]

So in a debug build, after loading this page I get:

Assertion failure: type == MIRType_Object, at ../../../mozilla/js/src/jit/IonTypes.h:450
#0  js::jit::ValueTypeFromMIRType (type=js::jit::MIRType_Value) at IonTypes.h:450
#1  0x0000000107ace9c9 in js::jit::CodeGeneratorX64::visitBox (this=0x13ef9a000, box=0x159aaf3b0) at CodeGenerator-x64.cpp:81
#2  0x0000000107b129e6 in js::jit::LBox::accept (this=0x159aaf3b0, visitor=0x13ef9a000) at LIR-x64.h:19
#3  0x00000001077eae49 in js::jit::CodeGenerator::generateBody (this=0x13ef9a000) at CodeGenerator.cpp:4103
#4  0x00000001077fe9d2 in js::jit::CodeGenerator::generate (this=0x13ef9a000) at CodeGenerator.cpp:7779

Looking at the regression range, bug 1166711 seems like a possible cause.  In fact, bug 1174547 already covers the assert I'm seeing....

Comment 6

[Nicolas B. Pierron [:nbp]]

I will investigate this issue once I am done with Bug 1174547.

Comment 7

[Steven Michaud [:smichaud] (Retired)]

Attachment: Complete gdb stack trace

All the Socorro stacks I've seen for this bug are incomplete.  I thought I'd have better luck with a non-opt non-debug self build.  But even when running that in gdb, most of my stacks are still incomplete.  Still, though, I did manage to get this one.

Comment 9

[Bill Gianopoulos [:WG9s]]

In bug 1175339 I noted that hg bisect identified:

The first bad revision is:
changeset:   248305:e51492b08d25
user:        Nicolas B. Pierron <nicolas.b.pierron@mozilla.com>
date:        Thu Jun 11 14:30:29 2015 +0200
summary:     Bug 1165348 - Move Scalar Replacement after GVN. r=jandem

I am currently doing a debug build and when that completes I will try to verify via backout that that is, in fact, the regressor.  If so I will update this bug accordingly.

Comment 10

[Nicolas B. Pierron [:nbp]]

I am finishing a custom build, I will double check.(In reply to Steven Michaud [:smichaud] from comment #0)
> These are 100% reproducible, in today's m-c nightly, on OS X and Windows,
> with and without e10s, using the following URL (among others):
> 
> http://www.bmj.com/theBMJ

I was unable to reproduce this Crash on a custom build including Bug 1174322, Bug 1174547, and Bug 1175233 patches.  I will mark it as a duplicate of Bug 1174547 (which is waiting for review).

Comment 11

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Assuming that this is a dup of bug 1174547, we do not need to track this bug. Please re-open if that is not the case.