1216126 - Crash [@ js::jit::BaselineScript::icEntryFromPCOffset] or Hit MOZ_CRASH(Invalid PC offset for IC entry.) at jit/BaselineJIT.cpp:630 or Assertion failure: analysis().usesScopeChain(), at jit/IonBuilder.cpp:12589

Status: RESOLVED DUPLICATE of bug 1215992

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision e8c7dfe727cd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --disable-debug, run with --ion-eager):

try {
const [ all, e ] = ++e;   
} catch(exc0) {}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::BaselineScript::icEntryFromPCOffset (this=0xf7a7c9e0, pcOffset=46) at js/src/jit/BaselineJIT.cpp:630
#0  js::jit::BaselineScript::icEntryFromPCOffset (this=0xf7a7c9e0, pcOffset=46) at js/src/jit/BaselineJIT.cpp:630
#1  0x08154137 in js::jit::BaselineScript::icEntryFromPCOffset (this=<optimized out>, pcOffset=<optimized out>, prevLookedUpEntry=0x0) at js/src/jit/BaselineJIT.cpp:653
#2  0x081549fa in icEntryFromPC (pc=0xf7a58937 "\270", this=0xf7a990a0) at js/src/jit/BaselineInspector.h:75
#3  js::jit::BaselineInspector::expectedPropertyAccessInputType (this=0xf7a990a0, pc=0xf7a58937 "\270") at js/src/jit/BaselineInspector.cpp:721
#4  0x081b353e in js::jit::IonBuilder::maybeUnboxForPropertyAccess (this=this@entry=0xf7a990e8, def=def@entry=0xf7a9a6f8) at js/src/jit/IonBuilder.cpp:10725
#5  0x081cc981 in maybeUnboxForPropertyAccess (def=0xf7a9a6f8, this=0xf7a990e8) at js/src/vm/TypeInference.h:412
#6  js::jit::IonBuilder::jsop_getprop (this=this@entry=0xf7a990e8, name=0xf4d11f10) at js/src/jit/IonBuilder.cpp:10780
#7  0x081cd256 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0xf7a990e8, op=op@entry=JSOP_CALLPROP) at js/src/jit/IonBuilder.cpp:1990
#8  0x081ce14d in js::jit::IonBuilder::traverseBytecode (this=this@entry=0xf7a990e8) at js/src/jit/IonBuilder.cpp:1517
#9  0x081ce5e6 in js::jit::IonBuilder::build (this=0xf7a990e8) at js/src/jit/IonBuilder.cpp:913
#10 0x080725db in js::jit::IonCompile (cx=cx@entry=0xf7a7c040, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=constructing@entry=false, recompile=false, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2176
#11 0x081e6d42 in js::jit::Compile (cx=cx@entry=0xf7a7c040, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=false, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2414
#12 0x081e706e in js::jit::CanEnter (cx=cx@entry=0xf7a7c040, state=...) at js/src/jit/Ion.cpp:2576
#13 0x084702e5 in js::RunScript (cx=cx@entry=0xf7a7c040, state=...) at js/src/vm/Interpreter.cpp:701
#14 0x0847272a in js::ExecuteKernel (cx=<optimized out>, cx@entry=0xf7a7c040, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:1000
#15 0x0847297b in js::Execute (cx=cx@entry=0xf7a7c040, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1035
#16 0x08335ee4 in ExecuteScript (cx=cx@entry=0xf7a7c040, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4598
#17 0x08336029 in JS_ExecuteScript (cx=cx@entry=0xf7a7c040, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4631
#18 0x08068de4 in RunFile (compileOnly=false, file=<optimized out>, filename=<optimized out>, cx=0xf7a7c040) at js/src/shell/js.cpp:509
#19 Process (cx=cx@entry=0xf7a7c040, filename=<optimized out>, forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:628
#20 0x08079e4a in ProcessArgs (op=0xffffd940, cx=<optimized out>) at js/src/shell/js.cpp:5994
#21 Shell (envp=<optimized out>, op=0xffffd940, cx=<optimized out>) at js/src/shell/js.cpp:6297
#22 main (argc=3, argv=0xffffda84, envp=0xffffda94) at js/src/shell/js.cpp:6654
eax	0xf7a7cab4	-139998540
ebx	0x9477b50	155679568
ecx	0x60	96
edx	0x9	9
esi	0x88	136
edi	0x9	9
ebp	0xf7a7ca54	4154968660
esp	0xffffd080	4294955136
eip	0x8154040 <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+176>
=> 0x8154040 <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+176>:	movl   $0x276,0x0
   0x815404a <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+186>:	call   0x8092210 <abort()>


This is a forced crash, I don't think it's s-s. However, it's quite frequent and fuzzblocker. I also do not understand why we abort in a --disable-debug build, but we don't emit the MOZ_CRASH message. If there is no particular reason why we can't do that, then we should, as it helps triaging issues.

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151016163631" and the hash "4690eec6b6583f4fd01b8b60be3ce6867d85ed78".
The "bad" changeset has the timestamp "20151016175031" and the hash "97e02e8d43a140b5389bd50acfd0bc33d1cd5aea".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4690eec6b6583f4fd01b8b60be3ce6867d85ed78&tochange=97e02e8d43a140b5389bd50acfd0bc33d1cd5aea

Comment 3

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 4879f22ef96a).

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d1e0b2e1b8ea
user:        Jan de Mooij
date:        Wed Oct 21 10:09:40 2015 +0200
summary:     Bug 1215992 - Terminate control flow for THROWSETCONST/THROWSETALIASEDCONST in IonBuilder. r=shu

Jan, is bug 1215992 a likely fix?

Comment 5

[Jan de Mooij [:jandem]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Jan, is bug 1215992 a likely fix?

Yep!