Closed Bug 1316565 Opened 8 years ago Closed 8 years ago

Assertion failure: hasBaselineScript(), at js/src/jsscript.h:1410

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1289610
Tracking Status
firefox52 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 336759fad462 (build with --enable-debug --enable-more-deterministic --32, run with --fuzzing-safe --no-threads):

See attachment.

Backtrace:

0   js-dbg-32-dm-clang-darwin-336759fad462	0x006920b4 JSScript::setIonScript(JSRuntime*, js::jit::IonScript*) + 196 (jsscript.h:1410)
1   js-dbg-32-dm-clang-darwin-336759fad462	0x0022fb62 js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) + 1634 (CodeGenerator.cpp:9628)
2   js-dbg-32-dm-clang-darwin-336759fad462	0x002e597b LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) + 283 (Ion.cpp:524)
3   js-dbg-32-dm-clang-darwin-336759fad462	0x00275c62 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) + 4114 (Ion.cpp:2310)
4   js-dbg-32-dm-clang-darwin-336759fad462	0x00274826 js::jit::CanEnter(JSContext*, js::RunState&) + 406 (Ion.cpp:2582)
/snip

For detailed crash information, see attachment.

Setting s-s because there is a call to gcslice near the bottom of the testcase. This was a pain to reduce because the value had to be tweaked downwards as the testcase was reduced.
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Note that this is reliably reproducible on a 32-bit deterministic shell on Mac.

Bisection is in progress...
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f7823287275f
user:        André Bargull
date:        Thu Oct 06 22:37:20 2016 -0700
summary:     Bug 837961 - Part 2: Implement timeZone support for Intl.DateTimeFormat. r=Waldo

Not sure if this is correct. Andre, is bug 837961 a likely regressor? Also oomTest is present, so cc'ing :jonco
Blocks: 837961
Flags: needinfo?(andrebargull)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Not sure if this is correct. Andre, is bug 837961 a likely regressor? Also
> oomTest is present, so cc'ing :jonco

I wasn't able to reproduce the assertion failure on Linux, it only printed "ReportOutOfMemory called" a few dozen times. 

My current guess is that bug 837961 showed up in the bisection because it increased GC pressure. Sorry I couldn't be of any help here.
Flags: needinfo?(andrebargull)
This is probably the same as bug 1289610. I'll take a look this week.
Flags: needinfo?(jdemooij)
Yes dupe of bug 1289610.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Group: javascript-core-security