Closed
Bug 1247257
Opened 7 years ago
Closed 7 years ago
Crash [@ js::jit::ICStub::trace] or Assertion failure: ICStub::CanMakeCalls(stub->kind()), at js/src/jit/JitFrames.cpp:1170
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla47
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | fixed |
People
(Reporter: gkw, Assigned: h4writer)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
2.39 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 7042e8a19f94 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-shared-stubs=on):
// Adapted from randomly chosen test: js/src/jit-test/tests/baseline/metadata-hook-on-stack.js
enableShellObjectMetadataCallback();
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Debugger-debuggees-28.js
function addRemove(dbg, g) {
dbg.addDebuggee(g);
var f = dbg.getNewestFrame();
f.older;
}
function removeAdd(dbg, g) {
dbg.addDebuggee(g);
var f = dbg.getNewestFrame();
while (f)
f = f.older;
}
function newGlobalDebuggerPair(toggleSeq) {
var g = newGlobal();
g.eval("" + function f() {
return g();
});
g.eval("" + function g() {
return h();
});
g.eval("" + function h() {
for (var i = 0; i < 2; i++)
interruptIf(i == 1);
});
return g;
}
function testInterrupt(toggleSeq) {
var g = newGlobalDebuggerPair(toggleSeq);
setInterruptCallback(function() {
toggleSeq(new Debugger, g);
return true;
});
g.f()
}
testInterrupt(addRemove);
testInterrupt(removeAdd);
Backtrace:
0 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x00000001002b47ef js::jit::MarkJitActivations(JSRuntime*, JSTracer*) + 3023 (JitFrames.cpp:1170)
1 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x000000010097a75b js::gc::GCRuntime::markRuntime(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime) + 1099 (RootMarking.cpp:298)
2 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x0000000100960a5f js::Nursery::collect(JSRuntime*, JS::gcreason::Reason, mozilla::Vector<js::ObjectGroup*, 0ul, js::SystemAllocPolicy>*) + 1199 (Nursery.cpp:465)
3 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x000000010056db7a js::gc::GCRuntime::minorGCImpl(JS::gcreason::Reason, mozilla::Vector<js::ObjectGroup*, 0ul, js::SystemAllocPolicy>*) + 138 (jsgc.cpp:6691)
4 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x0000000100185462 js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) + 1458 (GCRuntime.h:610)
5 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x0000000100665245 js::Debugger::updateExecutionObservabilityOfFrames(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) + 101 (Debugger.cpp:2043)
6 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x000000010065aa5a js::Debugger::ensureExecutionObservabilityOfFrame(JSContext*, js::AbstractFramePtr) + 266 (Debugger.cpp:1941)
7 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x000000010065a6b1 js::Debugger::getScriptFrameWithIter(JSContext*, js::AbstractFramePtr, js::ScriptFrameIter const*, JS::MutableHandle<JS::Value>) + 497 (Debugger.cpp:506)
8 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x000000010067738c DebuggerFrame_getOlder(JSContext*, unsigned int, JS::Value*) + 780 (Debugger.h:890)
9 js-dbg-64-dm-clang-darwin-7042e8a19f94 0x0000000100404e3c js::jit::DoCallNativeGetter(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) + 140 (SharedIC.cpp:3686)
10 ??? 0x0000000101ee8323 0 + 4327375651
11 ??? 0x0000000101ee4c1d 0 + 4327361565
|
Reporter | |
Comment 1•7 years ago
|
||
=== Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151117080511" and the hash "fe34d01fb2ecb2dd4cda82e788cf7b541d5cbdb4". The "bad" changeset has the timestamp "20151117094304" and the hash "c6139e8bad12b756a178dd7eb005c82cf247bd43". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=fe34d01fb2ecb2dd4cda82e788cf7b541d5cbdb4&tochange=c6139e8bad12b756a178dd7eb005c82cf247bd43 Hannes, is bug 1214508 a likely regressor?
Blocks: 1214508
Flags: needinfo?(hv1989)
|
|
Reporter | |
Comment 2•7 years ago
|
||
This testcase also crashes opt builds at js::jit::ICStub::trace.
Crash Signature: [@ js::jit::ICStub::trace]
Summary: Assertion failure: ICStub::CanMakeCalls(stub->kind()), at js/src/jit/JitFrames.cpp:1170 → Crash [@ js::jit::ICStub::trace] or Assertion failure: ICStub::CanMakeCalls(stub->kind()), at js/src/jit/JitFrames.cpp:1170
|
||
Updated•7 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 3•7 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Reporter | |
Comment 4•7 years ago
|
||
> JSBugMon: Cannot process bug: Unable to automatically reproduce, please
> track manually.
(The testcase needs --ion-shared-stubs=on)
|
||
Comment 5•7 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4) > > JSBugMon: Cannot process bug: Unable to automatically reproduce, please > > track manually. > > (The testcase needs --ion-shared-stubs=on) Added to the list of allowed options now.
Whiteboard: [jsbugmon:] → [jsbugmon:update]
|
Assignee | |
Comment 6•7 years ago
|
||
I noticed this already before, but forgot to act on it and thought it wasn't bad. I thought it would only be an optimization to not push it twice, but the jit frame iterator does read it. We push the return register twice. It is currently on the stack and we push it a second time. As a result the frame layout is off by 1 and interprets the return call value as stub value.
|
||
Updated•7 years ago
|
Attachment #8719763 -
Flags: review?(jdemooij) → review+
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/768ce03913e7
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
You need to log in
before you can comment on or make changes to this bug.
Description
•