1309174 - Assertion failure: isInterpretedLazy() && u.i.s.lazy_, at js/src/jsfun.h:442

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 7be6b348c431 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads):

function g01(x) {
    if (x < 0) {
        return function() {};
    }
    function f() {};
    "z01" + function() {} + g01(x - 1) + g01(x - 1);
}
for (var i = 0; i < 378; ++i) {
    try {
        undefined();
    } catch (e) {}
}
enableSPSProfiling();
gcparam("maxBytes", gcparam("gcBytes") + 1);
var x01 = new Int32Array();
this.f01 = function() {};
this.f02 = function() {
    var x02 = x03;
}
function f03() {};
g01(3);
s = newGlobal();
evalcx("class f{}; var d = new f;", s);
g01(3);
evalcx("for (var i = 0; i < 197; ++i) { +d; }", s);


Backtrace:

0   js-dbg-64-dm-clang-darwin-7be6b348c431	0x0000000103d0aa32 js::jit::WriteIonTrackedOptimizationsTable(JSContext*, js::jit::CompactBufferWriter&, js::jit::NativeToTrackedOptimizations const*, js::jit::NativeToTrackedOptimizations const*, js::jit::UniqueTrackedOptimizations const&, unsigned int*, unsigned int*, unsigned int*, unsigned int*, mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>*) + 3186 (jsfun.h:442)
1   js-dbg-64-dm-clang-darwin-7be6b348c431	0x0000000103ddfa7c js::jit::CodeGeneratorShared::generateCompactTrackedOptimizationsMap(JSContext*, js::jit::JitCode*, mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>*) + 556 (CodeGenerator-shared.cpp:896)
2   js-dbg-64-dm-clang-darwin-7be6b348c431	0x0000000103b72e4d js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) + 1597 (CodeGenerator.cpp:9499)
3   js-dbg-64-dm-clang-darwin-7be6b348c431	0x0000000103bb9cf0 LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) + 304 (Ion.cpp:522)
/snip

For detailed crash information, see attachment.

Setting s-s pending more triage, this seems to involve enableSPSProfiling, but may also be benign since it seems to crash at null.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Setting needinfo? from Jan as a start.

autoBisect is running...

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I got different results so hopefully these help to triage:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d128c9990a76
parent:      311975:3d9cabea1e56
user:        Jan de Mooij
date:        Wed Aug 31 10:58:15 2016 +0200
summary:     Bug 1298878 - Don't store the actual builtin constructor properties on the global in reserved slots. r=Waldo

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a6506191e894
user:        André Bargull
date:        Wed Oct 05 03:25:57 2016 -0700
summary:     Bug 1130636 - Reimplement Array.prototype.toLocaleString as per ECMA-402, 2nd edition. r=Waldo

Note that the first instance of this bug showed up around 20 Sept 2016, so I'm not sure if the latter is relevant...

Comment 4

[Jan de Mooij [:jandem]]

Not s-s, a problem with JIT debug spew.

Comment 5

[Jan de Mooij [:jandem]]

Attachment: Patch

Handle lazy self-hosted functions in SpewConstructor.

Comment 6

[Shu-yu Guo [:shu]]

Comment on attachment 8800161 [details] [diff] [review]
Patch

Review of attachment 8800161 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 7

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a84e0b5bc993
Handle lazy self-hosted functions in optimization tracking debug spew. r=shu

Comment 8

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/a84e0b5bc993