Closed Bug 1232935 Opened 10 years ago Closed 10 years ago

Assertion failure: stub->monitorsThis() || *GetNextPc(pc) == JSOP_CHECKTHIS || *GetNextPc(pc) == JSOP_CHECKRETURN, at js/src/jit/SharedIC.cpp:4737

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox46 --- wontfix

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision cb66ffeb6725 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --baseline-eager --ion-inlining=off): // Adapted from randomly chosen test: js/src/jit-test/tests/ion/lexical-check-2.js with(7) { function f() { if (i == 1) { g(); } const x = 42; function g() { return x; } return g; } } for (var i = 0; i < 2; i++) { f()(); } Backtrace: 0 js-dbg-64-dm-darwin-cb66ffeb6725 0x00000001003db14e js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 2734 (SharedIC.cpp:4735) 1 ??? 0x0000000101e6bdf7 0 + 4326866423 2 ??? 0x0000000101e68dc4 0 + 4326854084 3 js-dbg-64-dm-darwin-cb66ffeb6725 0x00000001001978e4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 660 (BaselineJIT.cpp:136) 4 js-dbg-64-dm-darwin-cb66ffeb6725 0x00000001001974a4 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 292 (BaselineJIT.cpp:172) 5 js-dbg-64-dm-darwin-cb66ffeb6725 0x000000010070e8cc js::RunScript(JSContext*, js::RunState&) + 364 (Interpreter.cpp:372) 6 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100725809 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 889 (Interpreter.cpp:462) 7 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100725fdb js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:496) 8 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100188b8b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2811 (BaselineIC.cpp:6160) 9 ??? 0x0000000101e71f6b 0 + 4326891371 10 ??? 0x0000000103e21d20 0 + 4360117536 11 ??? 0x0000000101e68dc4 0 + 4326854084 12 js-dbg-64-dm-darwin-cb66ffeb6725 0x00000001001978e4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 660 (BaselineJIT.cpp:136) 13 js-dbg-64-dm-darwin-cb66ffeb6725 0x00000001001974a4 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 292 (BaselineJIT.cpp:172) 14 js-dbg-64-dm-darwin-cb66ffeb6725 0x000000010070e8cc js::RunScript(JSContext*, js::RunState&) + 364 (Interpreter.cpp:372) 15 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100725809 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 889 (Interpreter.cpp:462) 16 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100725fdb js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:496) 17 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100188b8b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2811 (BaselineIC.cpp:6160) 18 ??? 0x0000000101e71f6b 0 + 4326891371 19 ??? 0x0000000103e21820 0 + 4360116256 20 ??? 0x0000000101e68dc4 0 + 4326854084 21 js-dbg-64-dm-darwin-cb66ffeb6725 0x00000001001978e4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 660 (BaselineJIT.cpp:136) 22 js-dbg-64-dm-darwin-cb66ffeb6725 0x00000001001974a4 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 292 (BaselineJIT.cpp:172) 23 js-dbg-64-dm-darwin-cb66ffeb6725 0x000000010070e8cc js::RunScript(JSContext*, js::RunState&) + 364 (Interpreter.cpp:372) 24 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100726c97 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 583 (Interpreter.cpp:650) 25 js-dbg-64-dm-darwin-cb66ffeb6725 0x000000010072707f js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 495 (RootingAPI.h:719) 26 js-dbg-64-dm-darwin-cb66ffeb6725 0x000000010050a0a1 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4410) 27 js-dbg-64-dm-darwin-cb66ffeb6725 0x000000010050a312 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:719) 28 js-dbg-64-dm-darwin-cb66ffeb6725 0x000000010001e7a9 Process(JSContext*, char const*, bool, FileKind) + 3273 (js.cpp:515) 29 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100004f91 main + 11825 (js.cpp:6205) 30 js-dbg-64-dm-darwin-cb66ffeb6725 0x0000000100001554 start + 52
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/a9a7f16c817b user: Eric Faust date: Thu Oct 30 17:27:03 2014 -0700 summary: Bug 611388 - |const| should be block scoped and require an initializer. (r=shu) This iteration took 193.175 seconds to run.
Eric, is bug 611388 a likely regressor?
Blocks: 611388
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0babaa3edcf9).
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2) > Eric, is bug 611388 a likely regressor? Mmmmmaybe. That revision doesn't have this assertion in its current form. Let's get some idea where it started going right.
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0babaa3edcf9). JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/63a4acec4bd3 user: Shu-yu Guo date: Tue Dec 15 14:31:34 2015 -0800 summary: Bug 1182866 - Fix Baseline GETNAME stubs to check for uninitialized lexicals. (r=jandem) This iteration took 280.437 seconds to run.
Shu-yu, is bug 1182866 a likely fix?
Flags: needinfo?(shu)
Sure why not!
Flags: needinfo?(shu)
I did some digging here. We were asserting in a TypeMonitorFallback stub directly after a GETNAME. I think it's really very likely that bug 1182866 is a real fix, here. Marking RESOLVED WFM.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
I'd say FIXED since we know bug 1182866 is the fix.
Resolution: WORKSFORME → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Too late for assertion fixes in 46.
status-firefox46: affectedwontfix
You need to log in before you can comment on or make changes to this bug.