Closed Bug 1224883 Opened 6 years ago Closed 6 years ago

Assertion failure: calleeScript->hasBaselineScript(), at jit/Ion.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: gkw, Assigned: h4writer)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

// Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug1203791.js
gczeal(14);
for (a of [true, new Number]) {
    eval("\
        function n() {\
            try {} catch (e) {};\
        };\
        function m() {};\
        var g = newGlobal();\
        g.parent = this;\
        g.eval(\"\
            var dbg = Debugger();\
            var parentw = dbg.addDebuggee(parent);\
            var pw = parentw.makeDebuggeeValue(parent.p);\
            pw.script;\
        \");\
        g.dbg.onIonCompilation = function() {\
            h != g;\
        };\
        function p() {\
            inIon();\
        };\
        for (var a = 0; a < 9999; a++) {\
            p();\
        };\
    ")
}

asserts js debug shell on m-c changeset faf815a0fa9b with --fuzzing-safe --ion-eager at Assertion failure: calleeScript->hasBaselineScript(), at jit/Ion.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r faf815a0fa9b

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3bbd0d929128
user:        Hannes Verschore
date:        Fri Aug 14 17:57:57 2015 +0200
summary:     Bug 1178834: IonMonkey - Always lazy link code, r=jandem

Hannes, is bug 1178834 a likely regressor?
Flags: needinfo?(hv1989)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x12762d, 0x00000001001e70b2 js-dbg-64-dm-darwin-faf815a0fa9b`js::jit::LazyLink(cx=<unavailable>, calleeScript=<unavailable>) + 1714 at Ion.cpp:622, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001e70b2 js-dbg-64-dm-darwin-faf815a0fa9b`js::jit::LazyLink(cx=<unavailable>, calleeScript=<unavailable>) + 1714 at Ion.cpp:622
    frame #1: 0x00000001001f8b07 js-dbg-64-dm-darwin-faf815a0fa9b`js::jit::CanEnter(cx=0x0000000102c69400, state=<unavailable>) + 423 at Ion.cpp:2588
    frame #2: 0x00000001006829b1 js-dbg-64-dm-darwin-faf815a0fa9b`js::RunScript(cx=0x0000000102c69400, state=0x00007fff5fbfca98) + 289 at Interpreter.cpp:317
    frame #3: 0x0000000100674a89 js-dbg-64-dm-darwin-faf815a0fa9b`js::Invoke(cx=0x0000000102c69400, args=<unavailable>, construct=<unavailable>) + 841 at Interpreter.cpp:412
    frame #4: 0x0000000100699aab js-dbg-64-dm-darwin-faf815a0fa9b`js::Invoke(cx=0x0000000102c69400, thisv=0x00007fff5fbfcec0, fval=<unavailable>, argc=<unavailable>, argv=<unavailable>, rval=<unavailable>) + 555 at Interpreter.cpp:446
(lldb)
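As an added example, not part of this bug or of the SpiderMonkey tree: a small Python parser for lldb `bt` output of the kind attached above, producing the top-frames signature that fuzz triage tooling uses to deduplicate crashes, plus a helper that pulls the asserted condition out of the "Assertion failure:" summary line. The sample input is copied from the attached stack, shortened to three frames.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One lldb "bt" frame line, e.g.
#   "  * frame #0: 0x00000001001e70b2 js-dbg`js::jit::LazyLink(cx=<unavailable>) + 1714 at Ion.cpp:622"
FRAME_RE = re.compile(
    r"^\s*\*?\s*frame #(?P<idx>\d+): (?P<addr>0x[0-9a-fA-F]+) (?P<module>[^`]+)`"
    r"(?P<symbol>.+?)(?: \+ (?P<offset>\d+))? at (?P<file>[^\s:]+):(?P<line>\d+)\s*$"
)
# SpiderMonkey debug-shell assertion message, as quoted in the bug summary.
ASSERT_RE = re.compile(r"Assertion failure: (?P<cond>.+?), at (?P<file>\S+)")

# Sample input, copied from the stack attached to this bug (first three frames).
SAMPLE_BT = """\
(lldb) bt 5
* thread #1: tid = 0x12762d, 0x00000001001e70b2 js-dbg-64-dm-darwin-faf815a0fa9b`js::jit::LazyLink(cx=<unavailable>, calleeScript=<unavailable>) + 1714 at Ion.cpp:622, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001e70b2 js-dbg-64-dm-darwin-faf815a0fa9b`js::jit::LazyLink(cx=<unavailable>, calleeScript=<unavailable>) + 1714 at Ion.cpp:622
    frame #1: 0x00000001001f8b07 js-dbg-64-dm-darwin-faf815a0fa9b`js::jit::CanEnter(cx=0x0000000102c69400, state=<unavailable>) + 423 at Ion.cpp:2588
    frame #2: 0x00000001006829b1 js-dbg-64-dm-darwin-faf815a0fa9b`js::RunScript(cx=0x0000000102c69400, state=0x00007fff5fbfca98) + 289 at Interpreter.cpp:317
(lldb)
"""

@dataclass
class Frame:
    index: int
    address: int
    module: str
    function: str  # symbol with its argument list stripped
    file: str
    line: int

def parse_backtrace(text: str) -> List[Frame]:
    """Return the frames found in lldb 'bt' output; thread header and prompt lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if not m:
            continue
        function = m.group("symbol").split("(", 1)[0]
        frames.append(Frame(int(m.group("idx")), int(m.group("addr"), 16), m.group("module"),
                            function, m.group("file"), int(m.group("line"))))
    return frames

def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Top-N function names joined with '|': a stable key for deduplicating fuzzer-found crashes."""
    return "|".join(f.function for f in sorted(frames, key=lambda f: f.index)[:depth])

def assertion_info(text: str) -> Optional[Tuple[str, str]]:
    """(condition, file) from an 'Assertion failure: ..., at ...' message, or None if absent."""
    m = ASSERT_RE.search(text)
    return (m.group("cond"), m.group("file")) if m else None

if __name__ == "__main__":
    print(crash_signature(parse_backtrace(SAMPLE_BT)))
```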
Yes, that is related. I cannot reproduce, but given the stack I understand what is going on.

LazyLink is mostly called out of JIT code. In that case we should at least have "calleeScript->hasBaselineScript". Bug 1212305 fixed this for some of the edge cases. Now in this case we are in the Interpreter and it isn't important that "calleeScript->hasBaselineScript" is true. We can always go further in the Interpreter. In this case the assertion is too restrictive.
Attached patch: Patch
Gary: I cannot reproduce locally. Therefore can you confirm it is fixed with this patch?
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8690045 - Flags: feedback?(gary)
Comment on attachment 8690045 (Patch)

Yes, this does seem to fix the issue, thanks! :)
Attachment #8690045 - Flags: feedback?(gary) → feedback+
Attachment #8690045 - Flags: review?(jdemooij)
Attachment #8690045 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/3d0bf42bd24a
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45