1217593 - Assertion failure: Modified registers between VM call and OsiPoint, at jit/MacroAssembler.cpp

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

enableOsiPointRegisterChecks();
function f() {
    return this;
}
f();
f();

asserts js debug shell on m-c changeset 76bd0c01d72e with --fuzzing-safe --no-threads --ion-eager at Assertion failure: Modified registers between VM call and OsiPoint, at jit/MacroAssembler.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 76bd0c01d72e

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151021063502" and the hash "ab8d2508c6ea2e1a0869f62c668eb0dee6709e42".
The "bad" changeset has the timestamp "20151021065531" and the hash "935cdbf4fcf571496793fb06a5a9e1f90050e092".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=ab8d2508c6ea2e1a0869f62c668eb0dee6709e42&tochange=935cdbf4fcf571496793fb06a5a9e1f90050e092

Jon, is bug 930414 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x3117f, 0x0000000101ee1f8d, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x0000000101ee1f8d
    frame #1: 0x00000001001e78c9 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonCannon(JSContext*, js::RunState&) + 395 at Ion.cpp:2682
    frame #2: 0x00000001001e773e js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonCannon(cx=0x0000000102c45400, state=0x00007fff5fbfe350) + 302 at Ion.cpp:2788
    frame #3: 0x0000000100684e29 js-dbg-64-dm-darwin-76bd0c01d72e`js::RunScript(cx=0x0000000102c45400, state=0x00007fff5fbfe350) + 313 at Interpreter.cpp:410
    frame #4: 0x00000001006765e2 js-dbg-64-dm-darwin-76bd0c01d72e`js::Invoke(cx=0x0000000102c45400, args=<unavailable>, construct=<unavailable>) + 882 at Interpreter.cpp:507
(lldb)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Setting [fuzzblocker] because this is happening really often with jsfunfuzz now.

Comment 4

[Jon Coppeard (:jonco)]

Attachment: bug1217593-this-compilation

I messed up the changes to compiling LComputeThis.  It must now return a value and because it must not clobber its input.

Comment 5

[Jon Coppeard (:jonco)]

Attachment: bug1217593-this-compilation v2

...and fixed so it works on 32-bit builds.

Comment 6

[Andrew McCreight [:mccr8]]

Marking this as sec-high because it sounds bad.

Comment 7

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/6c52ba960d87

Comment 8

[Fuzzing Team]

JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx44