Assertion failure: target->nargs() <= call->mir()->numStackArgs() - numNonArgsOnStack, at js/src/jit/CodeGenerator.cpp:3394

RESOLVED FIXED in Firefox 46

Status

Core
JavaScript Engine
critical
RESOLVED FIXED

People

(Reporter: gkw, Assigned: till)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla46
x86_64
Mac OS X

Firefox Tracking Flags

(firefox46 fixed)

Details

(Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision ad1f85f172b7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --thread-count=2 --ion-eager):

eval.bind;
function f() {
    eval.bind();
}
f();

Backtrace:

0   js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100258ffe js::jit::IonBuilder::improveTypesAtTest(js::jit::MDefinition*, bool, js::jit::MTest*) + 798 (LifoAlloc.h:522)
1   js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100258ed5 js::jit::IonBuilder::improveTypesAtTest(js::jit::MDefinition*, bool, js::jit::MTest*) + 501 (IonBuilder.cpp:3832)
2   js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010024b80a js::jit::IonBuilder::jsop_ifeq(JSOp) + 1162 (IonBuilder.cpp:4423)
3   js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001002478c7 js::jit::IonBuilder::inspectOpcode(JSOp) + 1607 (IonBuilder.cpp:1654)
4   js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100244be6 js::jit::IonBuilder::traverseBytecode() + 678 (IonBuilder.cpp:1522)
5   js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010023fecf js::jit::IonBuilder::build() + 1999 (IonBuilder.cpp:918)
6   js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100238245 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 3205 (Ion.cpp:2213)
7   js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100239112 js::jit::CanEnter(JSContext*, js::RunState&) + 370 (Ion.cpp:2613)
8   js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100704b61 js::RunScript(JSContext*, js::RunState&) + 289 (Interpreter.cpp:403)
9   js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001006f2d19 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 841 (Interpreter.cpp:497)
10  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010071bc2b js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:531)
11  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010019815b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2827 (BaselineIC.cpp:6186)
12  ???                           	0x0000000102b212eb 0 + 4340191979
13  ???                           	0x0000000103f58e90 0 + 4361391760
14  ???                           	0x0000000102b17dc4 0 + 4340153796
15  js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001001a6ea4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 660 (BaselineJIT.cpp:137)
16  js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001001a6a64 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 292 (BaselineJIT.cpp:173)
17  js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100704bac js::RunScript(JSContext*, js::RunState&) + 364 (Interpreter.cpp:407)
18  js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001006f2d19 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 841 (Interpreter.cpp:497)
19  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010071bc2b js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:531)
20  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010019815b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2827 (BaselineIC.cpp:6186)
21  ???                           	0x0000000102b212eb 0 + 4340191979
22  ???                           	0x0000000103f58bc8 0 + 4361391048
23  ???                           	0x0000000102b17dc4 0 + 4340153796
24  js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001001a6ea4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 660 (BaselineJIT.cpp:137)
25  js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001001a6a64 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 292 (BaselineJIT.cpp:173)
26  js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100704bac js::RunScript(JSContext*, js::RunState&) + 364 (Interpreter.cpp:407)
27  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010071c8fc js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 604 (Interpreter.cpp:685)
28  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010071cccf js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 479 (RootingAPI.h:719)
29  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010054ac41 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4339)
30  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010054aeb2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:719)
31  js-dbg-64-dm-darwin-ad1f85f172b7	0x000000010001e219 Process(JSContext*, char const*, bool, FileKind) + 3273 (js.cpp:516)
32  js-dbg-64-dm-darwin-ad1f85f172b7	0x00000001000045d3 main + 11715 (js.cpp:6270)
33  js-dbg-64-dm-darwin-ad1f85f172b7	0x0000000100000bf4 start + 52

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160112055634" and the hash "0af7319a6a4169d94453f8fcfd78384459c343db".
The "bad" changeset has the timestamp "20160112064943" and the hash "592fc90e655a1ebd3968300b5ed6261d24ed4065".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=0af7319a6a4169d94453f8fcfd78384459c343db&tochange=592fc90e655a1ebd3968300b5ed6261d24ed4065

This is happening very frequently, so setting [fuzzblocker].

Eric/Till, is bug 1000780 a likely regressor?
(Reporter)

Updated

2 years ago
Flags: needinfo?(till)
Flags: needinfo?(efaustbmo)
(Assignee)

Comment 1

2 years ago
Created attachment 8707867 [details] [diff] [review]
Add JSFUN_HAS_REST flag to JSFunctionSpec entries for self-hosted builtins with ...rest parameters
Attachment #8707867 - Flags: review?(jdemooij)
(Assignee)

Updated

2 years ago
Assignee: nobody → till
Status: NEW → ASSIGNED

Comment 2

2 years ago
Looks like till has this handled.
Flags: needinfo?(efaustbmo)

Comment 3

Comment on attachment 8707867 [details] [diff] [review]
Add JSFUN_HAS_REST flag to JSFunctionSpec entries for self-hosted builtins with ...rest parameters

Review of attachment 8707867 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.
Attachment #8707867 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 4

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/f6bd24864d7b8adfaa4d22db39dc63d640024771
Bug 1239403 - Add JSFUN_HAS_REST flag to JSFunctionSpec entries for self-hosted builtins with ...rest parameters. r=jandem
(Assignee)

Updated

2 years ago
Flags: needinfo?(till)

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/f6bd24864d7b
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox46: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
(Reporter)

Updated

2 years ago
Whiteboard: [fuzzblocker][jsbugmon:update,bisect] → [fuzzblocker][jsbugmon:update]