Closed Bug 1183056 Opened 9 years ago Closed 9 years ago

Assertion failure: !IsInsideNursery(ty.singleton()), at js/src/jit/OptimizationTracking.cpp:391

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1182730
Tracking Status
firefox42 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,testComment=3][dupe of bug 1182730?])

The following testcase crashes on mozilla-central revision 9f2b81411bf5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager min.js):

enableSPSProfiling();
var a = {__lookupSetter__ : 'a'},
    b1 = Object.create(a),
    c1 = Object.create(b1),
    b2 = (Object(b1)),
    c2 = Object.create(b2);
for each (var obj in [c1, c2])
    s += obj.x;



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a07119 in js::jit::UniqueTrackedTypes::getIndexOf (this=this@entry=0x7fffffffc6d0, cx=cx@entry=0x7ffff69831c0, ty=..., indexp=indexp@entry=0x7fffffffc540 "") at js/src/jit/OptimizationTracking.cpp:391
#0  0x0000000000a07119 in js::jit::UniqueTrackedTypes::getIndexOf (this=this@entry=0x7fffffffc6d0, cx=cx@entry=0x7ffff69831c0, ty=..., indexp=indexp@entry=0x7fffffffc540 "") at js/src/jit/OptimizationTracking.cpp:391
#1  0x0000000000a07591 in js::jit::OptimizationTypeInfo::writeCompact (this=this@entry=0x7ffff3b07ab8, cx=cx@entry=0x7ffff69831c0, writer=..., uniqueTypes=...) at js/src/jit/OptimizationTracking.cpp:613
#2  0x0000000000a07a8d in js::jit::WriteIonTrackedOptimizationsTable (cx=cx@entry=0x7ffff69831c0, writer=..., start=<optimized out>, end=<optimized out>, unique=..., numRegions=numRegions@entry=0x7fffffffca1c, regionTableOffsetp=regionTableOffsetp@entry=0x7fffffffc9f0, typesTableOffsetp=typesTableOffsetp@entry=0x7fffffffca00, optimizationTableOffsetp=optimizationTableOffsetp@entry=0x7fffffffca10, allTypes=allTypes@entry=0x7ffff3a0aa10) at js/src/jit/OptimizationTracking.cpp:959
#3  0x0000000000a61647 in js::jit::CodeGeneratorShared::generateCompactTrackedOptimizationsMap (this=this@entry=0x7ffff3a16000, cx=cx@entry=0x7ffff69831c0, code=code@entry=0x7ffff7e794f0, allTypes=allTypes@entry=0x7ffff3a0aa10) at js/src/jit/shared/CodeGenerator-shared.cpp:835
#4  0x00000000008d9e39 in js::jit::CodeGenerator::link (this=this@entry=0x7ffff3a16000, cx=cx@entry=0x7ffff69831c0, constraints=<optimized out>) at js/src/jit/CodeGenerator.cpp:7942
#5  0x0000000000946a6f in LinkCodeGen (cx=cx@entry=0x7ffff69831c0, builder=builder@entry=0x7ffff3b02258, codegen=codegen@entry=0x7ffff3a16000, scripts=scripts@entry=0x7fffffffd150, info=info@entry=0x7fffffffd110) at js/src/jit/Ion.cpp:543
#6  0x00000000009471db in LinkBackgroundCodeGen (cx=cx@entry=0x7ffff69831c0, builder=builder@entry=0x7ffff3b02258, scripts=scripts@entry=0x7fffffffd150, info=info@entry=0x7fffffffd110) at js/src/jit/Ion.cpp:565
#7  0x0000000000947f86 in js::jit::AttachFinishedCompilations (cx=cx@entry=0x7ffff69831c0) at js/src/jit/Ion.cpp:1817
#8  0x00000000006fdc7e in InvokeInterruptCallback (cx=0x7ffff69831c0) at js/src/vm/Runtime.cpp:542
#9  0x00007ffff7ff1c49 in ?? ()
[...]
#31 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffc6d0	140737488340688
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc520	140737488340256
rsp	0x7fffffffc480	140737488340096
r8	0x7ffff7fd4780	140737353959296
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffc240	140737488339520
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffffc4d0	140737488340176
r13	0x7ffff3c00000	140737282834432
r14	0x7fffffffc6d0	140737488340688
r15	0x7ffff3b07ab8	140737281817272
rip	0xa07119 <js::jit::UniqueTrackedTypes::getIndexOf(JSContext*, js::TypeSet::Type, unsigned char*)+665>
=> 0xa07119 <js::jit::UniqueTrackedTypes::getIndexOf(JSContext*, js::TypeSet::Type, unsigned char*)+665>:	movl   $0x187,0x0
   0xa07124 <js::jit::UniqueTrackedTypes::getIndexOf(JSContext*, js::TypeSet::Type, unsigned char*)+676>:	callq  0x4994a0 <abort()>


Marking s-s because it's a GC-related assertion.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Brian, could this be a regression from something you have been working on? (Or even a dupe of something.) Thanks.
Flags: needinfo?(bhackett1024)
Keywords: sec-high
For some reason, this only reproduces with --no-threads for me now, so reposting for JSBugMon:

The following testcase crashes on mozilla-central revision 9f2b81411bf5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager --no-threads):

enableSPSProfiling();
var a = {__lookupSetter__ : 'a'},
    b1 = Object.create(a),
    c1 = Object.create(b1),
    b2 = (Object(b1)),
    c2 = Object.create(b2);
for each (var obj in [c1, c2])
    s += obj.x;
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect,testComment=3]
Whiteboard: [jsbugmon:update,bisect,testComment=3] → [jsbugmon:update,testComment=3]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150629094535" and the hash "1fd3716e4bd1".
The "bad" changeset has the timestamp "20150629101538" and the hash "1388dbf01406".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1fd3716e4bd1&tochange=1388dbf01406
Also needinfo from shu based on comment 4 :)
Flags: needinfo?(shu)
This is my fault, not bhackett's. I think this is a dup of bug 1182730, but have no time to confirm until next week.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,testComment=3] → [jsbugmon:update,testComment=3][dupe of bug 1182730?]
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release