Closed Bug 1213575 Opened 9 years ago Closed 8 years ago

Assertion failure: CheckLexicalNameConflict(cx, lexicalScope, varObj, name), at js/src/vm/Interpreter-inl.h:441

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Severity: critical
Status: RESOLVED FIXED
Tracking Status: firefox44 --- affected
People: Reporter: decoder, Unassigned
Keywords: assertion, regression, testcase
Whiteboard: [fuzzblocker][jsbugmon:update,testComment=6,origRev=d1bb0de19476]

The following testcase crashes on mozilla-central revision c6ede6f30f3d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --ion-eager --ion-offthread-compile=off min.js):

var lfcode = new Array();
var lfRunTypeId = -1;
lfcode.push = loadFile;
const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
lfcode.push(`
const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
`);
function loadFile(lfVarx) {
    switch (lfRunTypeId) {
        default: evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); break;
    }
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08099251 in js::DefLexicalOperation (attrs=7, name=..., varObj=..., lexicalScope=..., cx=0xf7a7e020) at js/src/vm/Interpreter-inl.h:441
#0  0x08099251 in js::DefLexicalOperation (attrs=7, name=..., varObj=..., lexicalScope=..., cx=0xf7a7e020) at js/src/vm/Interpreter-inl.h:441
#1  0x083f0134 in DefLexicalOperation (attrs=7, name=..., varObj=..., lexicalScope=..., cx=0xf7a7e020) at ../../dist/include/js/RootingAPI.h:686
#2  js::jit::DefGlobalLexical (cx=0xf7a7e020, dn=..., attrs=7) at js/src/jit/VMFunctions.cpp:198
#3  0xf7fce844 in ?? ()
#4  0x082da2fb in EnterIon (data=..., cx=0xf7a7e020) at js/src/jit/Ion.cpp:2670
#5  js::jit::IonCannon (cx=cx@entry=0xf7a7e020, state=...) at js/src/jit/Ion.cpp:2771
#6  0x08662596 in js::RunScript (cx=cx@entry=0xf7a7e020, state=...) at js/src/vm/Interpreter.cpp:688
#7  0x0866464a in js::ExecuteKernel (cx=cx@entry=0xf7a7e020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0xffffc460) at js/src/vm/Interpreter.cpp:983
#8  0x08664ad7 in js::Execute (cx=cx@entry=0xf7a7e020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0xffffc460) at js/src/vm/Interpreter.cpp:1018
#9  0x084b8d1f in ExecuteScript (cx=cx@entry=0xf7a7e020, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0xffffc460) at js/src/jsapi.cpp:4505
#10 0x084b8ea5 in JS_ExecuteScript (cx=cx@entry=0xf7a7e020, scriptArg=scriptArg@entry=..., rval=...) at js/src/jsapi.cpp:4531
#11 0x080f1892 in Evaluate (cx=0xf7a7e020, argc=2, vp=0xffffc460) at js/src/shell/js.cpp:1252
#12 0x086658fa in js::CallJSNative (cx=0xf7a7e020, native=0x80f0f00 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#13 0x08662797 in js::Invoke (cx=cx@entry=0xf7a7e020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:767
#14 0x0866372a in js::Invoke (cx=cx@entry=0xf7a7e020, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0xffffc780, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:822
#15 0x088af58f in js::jit::DoCallFallback (cx=0xf7a7e020, frame=0xffffc7c0, stub_=0xf7a1d580, argc=2, vp=0xffffc770, res=...) at js/src/jit/BaselineIC.cpp:8996
#16 0xf7fc96be in ?? ()
#17 0xf7a1d580 in ?? ()
#18 0xf7fc8ae3 in ?? ()
eax	0x0	0
ebx	0x97fbe34	159366708
ecx	0xf7e2f88c	-136120180
edx	0x0	0
esi	0xffffbaa8	-17752
edi	0xf7a7e020	-139993056
ebp	0xffffb9f8	4294949368
esp	0xffffb9e0	4294949344
eip	0x8099251 <js::DefLexicalOperation(unsigned int, js::HandlePropertyName, JS::HandleObject, JS::Handle<js::ClonedBlockObject*>, JSContext*)+42>
=> 0x8099251 <js::DefLexicalOperation(unsigned int, js::HandlePropertyName, JS::HandleObject, JS::Handle<js::ClonedBlockObject*>, JSContext*)+42>:	movl   $0x1b9,0x0
   0x809925b <js::DefLexicalOperation(unsigned int, js::HandlePropertyName, JS::HandleObject, JS::Handle<js::ClonedBlockObject*>, JSContext*)+52>:	call   0x8101690 <abort()>
Also a highly frequent fuzzblocker, still happening after the other fix as it seems.
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b68eab795f9d).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ac0aa2c21379
user:        Shu-yu Guo
date:        Tue Oct 06 14:00:30 2015 -0700
summary:     Bug 589199 - Implement all-or-nothing redeclaration checks for global and eval scripts. (r=efaust)

This iteration took 336.879 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:bisectfix]
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix] → [fuzzblocker] [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1f4cf75c8948
parent:      266641:875255a0ae25
parent:      266808:6bc7d5fb5686
user:        Carsten "Tomcat" Book
date:        Thu Oct 08 15:26:54 2015 +0200
summary:     merge mozilla-inbound to mozilla-central a=merge

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 1e1fa696e2b6.

This iteration took 0.652 seconds to run.

Oops! We didn't test rev 6bc7d5fb5686, a parent of the blamed revision! Let's do that now.
We did not test rev 6bc7d5fb5686 because it is not a descendant of either c6ede6f30f3d or b68eab795f9d.
Rev 6bc7d5fb5686: Updating...
Compiling...
Testing... [Uninteresting] It didn't crash. (0.053 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.
Bisect lied to us! Parent rev 6bc7d5fb5686 was also good!

Bisect blamed the merge because our initial range did not include one
of the parents.
The common ancestor of 875255a0ae25 and 6bc7d5fb5686 is 1e1fa696e2b6.
Rev 1e1fa696e2b6: Found cached shell...
Testing... Exit status: CRASHED signal 11 (SIGSEGV) (0.552 seconds)
bad (interesting) 
Consider re-running autoBisect with -s 1e1fa696e2b6 -e 1f4cf75c8948
in a configuration where earliestWorking is before the common ancestor.
I cannot seem to reproduce this. Decoder, is this still as highly frequent for you? (Or we could retest after some of the lexical-related fixes land soon)
Flags: needinfo?(choller)
Bisection windows are wrong - autoBisect probably got confused along the way.
This is an automated crash issue comment:

Summary: Assertion failure: CheckLexicalNameConflict(cx, lexicalScope, varObj, name), at js/src/vm/Interpreter-inl.h:441
Build version: mozilla-central revision d1bb0de19476
Build flags: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug
Runtime options: --fuzzing-safe --thread-count=2 --ion-shared-stubs=on --ion-offthread-compile=off --baseline-eager

Testcase:

var hits = 0;
with(f_arg => constructor.f_arg([3, 4, 5], null)) var length = 257751;
let get = () => 4,
    hits = new Intl.Proxy([f_arg]),
    y = ($ERROR < 1970) ? 1969 : 1970;

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x080994e1 in js::DefLexicalOperation (attrs=5, name=..., varObj=..., lexicalScope=..., cx=0xf7277020) at js/src/vm/Interpreter-inl.h:441
#1  0x083f0b5c in DefLexicalOperation (attrs=5, name=..., varObj=..., lexicalScope=..., cx=0xf7277020) at js/src/jit/VMFunctions.cpp:192
#2  js::jit::DefLexical (cx=0xf7277020, dn=..., attrs=5, scopeChain=...) at js/src/jit/VMFunctions.cpp:191
#3  0xf74760be in ?? ()
#4  0xf7473c5c in ?? ()
#5  0x0822d723 in EnterBaseline (cx=0xf539e0d0, cx@entry=0xf7277020, data=...) at js/src/jit/BaselineJIT.cpp:127
[...]
#40 main (argc=8, argv=0xffeaa714, envp=0xffeaa738) at js/src/shell/js.cpp:6677
eax	0x0	0
ebx	0x98009b4	159386036
ecx	0xf762e88c	-144512884
edx	0x0	0
esi	0xf7277020	-148410336
edi	0xffea8c94	-1405804
ebp	0xffea8c38	4293561400
esp	0xffea8c20	4293561376
eip	0x80994e1 <js::DefLexicalOperation(unsigned int, js::HandlePropertyName, JS::HandleObject, JS::Handle<js::ClonedBlockObject*>, JSContext*)+42>
=> 0x80994e1 <js::DefLexicalOperation(unsigned int, js::HandlePropertyName, JS::HandleObject, JS::Handle<js::ClonedBlockObject*>, JSContext*)+42>:	movl   $0x1b9,0x0
   0x80994eb <js::DefLexicalOperation(unsigned int, js::HandlePropertyName, JS::HandleObject, JS::Handle<js::ClonedBlockObject*>, JSContext*)+52>:	call   0x81020b0 <abort()>
shu already reproduced the problem with the test in comment 6. And yes, this bug is occurring at a high frequency for me.
Flags: needinfo?(choller)
(In reply to Christian Holler (:decoder) from comment #7)
> shu already reproduced the problem with the test in comment 6. And yes, this
> bug is occurring at a high frequency for me.

Great, thanks.
Flags: needinfo?(shu)
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:bisectfix]
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix] → [fuzzblocker] [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1f4cf75c8948
parent:      266641:875255a0ae25
parent:      266808:6bc7d5fb5686
user:        Carsten "Tomcat" Book
date:        Thu Oct 08 15:26:54 2015 +0200
summary:     merge mozilla-inbound to mozilla-central a=merge

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 1e1fa696e2b6.

This iteration took 0.851 seconds to run.

Oops! We didn't test rev 6bc7d5fb5686, a parent of the blamed revision! Let's do that now.
We did not test rev 6bc7d5fb5686 because it is not a descendant of either c6ede6f30f3d or 9605da94e75d.
Rev 6bc7d5fb5686: Found cached shell...
Testing... [Uninteresting] It didn't crash. (0.538 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.
Bisect lied to us! Parent rev 6bc7d5fb5686 was also good!

Bisect blamed the merge because our initial range did not include one
of the parents.
The common ancestor of 875255a0ae25 and 6bc7d5fb5686 is 1e1fa696e2b6.
Rev 1e1fa696e2b6: Found cached shell...
Testing... Exit status: CRASHED signal 11 (SIGSEGV) (0.650 seconds)
bad (interesting) 
Consider re-running autoBisect with -s 1e1fa696e2b6 -e 1f4cf75c8948
in a configuration where earliestWorking is before the common ancestor.
Re: testcase in comment 0

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/136ffcc6ad2c
user:        Shu-yu Guo
date:        Wed Oct 07 16:52:30 2015 -0700
summary:     Bug 1212605 - Emit global name conflicts check for Ion scripts regardless of scope chain usage. (r=efaust)

I found the fix window by throwing in "-s ac0aa2c21379" to set the starting point of the bisection with the revision in comment 2.

Shu-yu, did bug 1212605 likely fix the testcase in comment 0 in some way?
Flags: needinfo?(shu)
Re: testcase in comment 6:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/68db2fc2c547
user:        Shu-yu Guo
date:        Thu Oct 15 00:36:34 2015 -0700
summary:     Bug 1214013 - Parse global scripts non-incrementally. (r=efaust)

Again, found the fix window by throwing in "-s ac0aa2c21379" to set the starting point of the bisection with the revision in comment 2.

Shu-yu, did bug 1214013 likely fix the testcase in comment 6 in some way?
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #11)
> Re: testcase in comment 6:
> 
> autoBisect shows this is probably related to the following changeset:
> 
> The first good revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/68db2fc2c547
> user:        Shu-yu Guo
> date:        Thu Oct 15 00:36:34 2015 -0700
> summary:     Bug 1214013 - Parse global scripts non-incrementally. (r=efaust)
> 
> Again, found the fix window by throwing in "-s ac0aa2c21379" to set the
> starting point of the bisection with the revision in comment 2.
> 
> Shu-yu, did bug 1214013 likely fix the testcase in comment 6 in some way?

Yeah, this should be the right result.
Flags: needinfo?(shu)
Setting FIXED by bug 1214013.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker][jsbugmon:update,testComment=6,origRev=d1bb0de19476]