1233343 - Crash [@ js::jit::JitFrameIterator::checkInvalidation] or Assertion failure: hasScript(), at js/src/jsfun.h:423

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 0babaa3edcf9 (build with --32 --enable-more-deterministic --enable-simulator=arm, run with --fuzzing-safe --no-threads --ion-eager --ion-shared-stubs=on):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Debugger-debuggees-28.js
function addRemove() {
    dbg.addDebuggee(g);
    f = dbg.getNewestFrame().older;
}
function removeAdd() {
    dbg.addDebuggee(g);
    var f = dbg.getNewestFrame();
    while (f) {
        f = f.older;
    }
}
function testInterrupt() {
    g = newGlobal();
    dbg = new Debugger;
    g.eval("" + function f() {
        return g();
    });
    g.eval("" + function g() {
        return h();
    });
    g.eval("" + function h() {
        for (var i = 0; i < 100; i++) {
            interruptIf(5);
        }
    });
    setInterruptCallback(function() {
        toggleSeq();
        return true;
    });
    g.f();
}
toggleSeq = addRemove;
testInterrupt();
toggleSeq = removeAdd;
testInterrupt();

Backtrace:

#0  0x08202ac5 in js::jit::JitFrameIterator::checkInvalidation (this=0xffbbd90c, ionScriptOut=0xffbbd4f8) at js/src/jit/JitFrames.cpp:156
#1  0x08203f80 in js::jit::JitFrameIterator::ionScript (this=0xffbbd90c) at js/src/jit/JitFrames.cpp:2347
#2  0x082049a9 in js::jit::JitFrameIterator::safepoint (this=0xffbbd90c) at js/src/jit/JitFrames.cpp:2365
#3  js::jit::JitFrameIterator::machineState (this=0xffbbd90c) at js/src/jit/JitFrames.cpp:359
#4  0x082060cd in js::jit::InlineFrameIterator::resetOn (iter=0xffbbd90c, this=0xffbbd93c) at js/src/jit/JitFrames.cpp:2429
#5  js::jit::InlineFrameIterator::InlineFrameIterator (this=0xffbbd93c, cx=0xf7173040, iter=0xffbbd90c) at js/src/jit/JitFrames.cpp:2391
#6  0x08626b49 in CollectJitStackScripts (entries=..., activation=..., obs=..., cx=0xf7173040) at js/src/jit/BaselineDebugModeOSR.cpp:243
#7  js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=0xf7173040, obs=..., observing=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:844
#8  0x084410ec in js::Debugger::updateExecutionObservabilityOfFrames (cx=cx@entry=0xf7173040, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:2021
#9  0x084429a9 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0xf7173040, frame=...) at js/src/vm/Debugger.cpp:2209
#10 0x084592ec in js::Debugger::getScriptFrameWithIter (this=0xf7189400, cx=0xf7173040, frame=..., maybeIter=0xffbbdedc, vp=...) at js/src/vm/Debugger.cpp:484
#11 0x0845a62a in js::Debugger::getScriptFrame (vp=..., iter=..., cx=0xf7173040, this=0xf7189400) at js/src/vm/Debugger.h:888
#12 DebuggerFrame_getOlder (cx=0xf7173040, argc=0, vp=0xffbbe168) at js/src/vm/Debugger.cpp:6377
#13 0x08295bad in js::jit::DoCallNativeGetter (cx=0xf7173040, callee=..., obj=..., result=...) at js/src/jit/SharedIC.cpp:3667
#14 0x083447dd in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf7107b54) at js/src/jit/arm/Simulator-arm.cpp:2321
#15 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf7107b54) at js/src/jit/arm/Simulator-arm.cpp:3483
#16 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf7107b54) at js/src/jit/arm/Simulator-arm.cpp:4405
#17 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#18 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#19 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#20 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#21 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#22 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#23 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#24 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:496
#25 0x0835a0c9 in JS_CallFunctionValue (cx=0xf7173040, obj=..., fval=..., args=..., rval=...) at js/src/jsapi.cpp:2790
#26 0x080798be in ShellInterruptCallback (cx=0xf7173040) at js/src/shell/js.cpp:432
#27 0x084d5112 in InvokeInterruptCallback (cx=0xf7173040) at js/src/vm/Runtime.cpp:573
#28 0x084d83cd in JSRuntime::handleInterrupt (this=<optimized out>, cx=<optimized out>) at js/src/vm/Runtime.cpp:664
#29 0x082c59aa in js::CheckForInterrupt (cx=0xf7173040) at js/src/jscntxt.h:666
#30 js::jit::InterruptCheck (cx=0xf7173040) at js/src/jit/VMFunctions.cpp:489
#31 0x083447dd in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf7107ac4) at js/src/jit/arm/Simulator-arm.cpp:2321
#32 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf7107ac4) at js/src/jit/arm/Simulator-arm.cpp:3483
#33 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf7107ac4) at js/src/jit/arm/Simulator-arm.cpp:4405
#34 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#35 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#36 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#37 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#38 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#39 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#40 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#41 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effb60, rval=...) at js/src/vm/Interpreter.cpp:496
#42 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5effb80, stub_=0xf7122088, argc=0, vp=0xf5effb50, res=...) at js/src/jit/BaselineIC.cpp:6164
#43 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#44 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#45 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#46 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#47 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#48 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#49 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#50 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#51 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#52 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#53 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effc90, rval=...) at js/src/vm/Interpreter.cpp:496
#54 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5effcb0, stub_=0xf7121f88, argc=0, vp=0xf5effc80, res=...) at js/src/jit/BaselineIC.cpp:6164
#55 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#56 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#57 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#58 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#59 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#60 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#61 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#62 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#63 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#64 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#65 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xffbc00fc, rval=...) at js/src/vm/Interpreter.cpp:496
#66 0x08415a40 in js::DirectProxyHandler::call (this=0x95ca784 <js::CrossCompartmentWrapper::singleton>, cx=0xf7173040, proxy=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#67 0x0841b399 in js::CrossCompartmentWrapper::call (this=0x95ca784 <js::CrossCompartmentWrapper::singleton>, cx=0xf7173040, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#68 0x0842599c in js::Proxy::call (cx=0xf7173040, proxy=..., args=...) at js/src/proxy/Proxy.cpp:391
#69 0x08426311 in js::proxy_Call (cx=0xf7173040, argc=0, vp=0xffbc00ec) at js/src/proxy/Proxy.cpp:683
#70 0x08499a1f in js::CallJSNative (args=..., native=0x84262b0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xf7173040) at js/src/jscntxtinlines.h:235
#71 js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:432
#72 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effdc0, rval=...) at js/src/vm/Interpreter.cpp:496
#73 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5effde0, stub_=0xf7120ad0, argc=0, vp=0xf5effdb0, res=...) at js/src/jit/BaselineIC.cpp:6164
#74 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#75 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#76 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#77 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#78 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#79 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#80 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#81 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#82 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#83 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#84 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effee8, rval=...) at js/src/vm/Interpreter.cpp:496
#85 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5efff08, stub_=0xf71201e0, argc=0, vp=0xf5effed8, res=...) at js/src/jit/BaselineIC.cpp:6164
#86 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#87 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#88 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#89 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#90 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#91 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#92 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#93 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#94 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#95 0x0849af9b in js::ExecuteKernel (result=0x0, evalInFrame=..., type=<optimized out>, newTargetValue=..., scopeChainArg=..., script=..., cx=0xf7173040) at js/src/vm/Interpreter.cpp:650
#96 js::Execute (cx=0xf7173040, script=..., scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:685
#97 0x0835a3c2 in ExecuteScript (cx=cx@entry=0xf7173040, scope=..., scope@entry=..., script=script@entry=..., rval=0x0) at js/src/jsapi.cpp:4410
#98 0x0835a50e in JS_ExecuteScript (cx=0xf7173040, scriptArg=...) at js/src/jsapi.cpp:4443
#99 0x08069bff in RunFile (compileOnly=<optimized out>, file=<optimized out>, filename=<optimized out>, cx=0xf7173040) at js/src/shell/js.cpp:515
#100 Process (cx=cx@entry=0xf7173040, filename=0xffbc31fe "bb158181.js", forceTTY=forceTTY@entry=false, kind=FileScript) at js/src/shell/js.cpp:728
#101 0x08071373 in ProcessArgs (op=0xffbc12d0, cx=<optimized out>) at js/src/shell/js.cpp:6204
#102 Shell (envp=<optimized out>, op=0xffbc12d0, cx=<optimized out>) at js/src/shell/js.cpp:6516
#103 main (argc=6, argv=0xffbc1414, envp=0xffbc1430) at js/src/shell/js.cpp:6877


info reg

eax            0x302	770
ecx            0x3	3
edx            0xffbbd90c	-4466420
ebx            0xffbbd90c	-4466420
esp            0xffbbd4d0	0xffbbd4d0
ebp            0x1080	0x1080
esi            0xffbbd90c	-4466420
edi            0xb	11
eip            0x8202ac5	0x8202ac5 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+21>
eflags         0x10293	[ CF AF SF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x63	99


x/8i $pc

=> 0x8202ac5 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+21>:	mov    0x44(%eax),%eax
0x8202ac8 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+24>:	mov    0x8(%ebx),%edx
0x8202acb <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+27>:	cmp    $0x3,%eax
0x8202ace <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+30>:	ja     0x8202af0 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+64>
0x8202ad0 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+32>:	add    -0x4(%edx),%edx
0x8202ad3 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+35>:	sub    $0xc,%esp
0x8202ad6 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+38>:	push   %edx
0x8202ad7 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+39>:	call   0x82cc910 <js::jit::Assembler::GetPointer(unsigned char*)>

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack for assertion

(gdb) bt 5
#0  JSFunction::hasUncompiledScript (this=0xf5eff878) at /home/ubuntu/trees/mozilla-central/js/src/jsfun.h:423
#1  JSFunction::nonLazyScript (this=0xf5eff878) at /home/ubuntu/trees/mozilla-central/js/src/jsfun.h:428
#2  0x082d38a9 in js::jit::ScriptFromCalleeToken (token=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitFrames.h:86
#3  0x082d8321 in js::jit::JitFrameIterator::script (this=0xffb8b350) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitFrames.cpp:219
#4  0x082d83bc in js::jit::JitFrameIterator::checkInvalidation (this=0xffb8b350, ionScriptOut=0xffb8aed8) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitFrames.cpp:155
(More stack frames follow...)
(gdb)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Since this involves --ion-shared-stubs=on, setting needinfo? from Hannes as a start.

Comment 3

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: bisection window

Bug 1214508 is in the bisection window, so yeah, guess this is related to shared stubs after all.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Fuzzing Team from comment #3)
> JSBugMon: Cannot process bug: Unable to automatically reproduce, please
> track manually.

JSBugMon does not yet support --ion-shared-stubs=on, I'd guess.

Comment 6

[Bob Clary [:bc] (inactive)]

Attachment: maxim assertion stack

bughunter reproduces this assertion on Beta/44, Aurora/45, Nightly/46 on Linux, OS X, Windows at http://www.maxim.com/

Comment 7

[Hannes Verschore [:h4writer]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Since this involves --ion-shared-stubs=on, setting needinfo? from Hannes as
> a start.

Awesome find!

Comment 8

[Hannes Verschore [:h4writer]]

Attachment: Patch

Bug due to the nature of ARM and using link registers. It pushes the ICTailCallReg (since it is needed when we go into cpp land to have correct jit stack layout). But it was pushed with adjusting the internal frame pushed state. Which is incorrect, because this is used to know what the size of the frame is, but this is actually part of the previous frame. As a result it should not get counted.

Comment 9

[Hannes Verschore [:h4writer]]

(In reply to Bob Clary [:bc:] from comment #6)
> Created attachment 8700252 [details]
> maxim assertion stack
> 
> bughunter reproduces this assertion on Beta/44, Aurora/45, Nightly/46 on
> Linux, OS X, Windows at http://www.maxim.com/

That is definitely another bug. This feature is not enabled by default yet and will only trigger on ARM devices

Comment 10

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/c8e48d86e373

Comment 11

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/c8e48d86e373