Closed Bug 1326152 Opened 7 years ago Closed 7 years ago

Assertion failure: stub->numOptimizedStubs() < MaxOptimizedCacheIRStubs, at js/src/jit/BaselineCacheIRCompiler.cpp:785

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox53 --- fixed

People

(Reporter: gkw, Assigned: evilpie)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Detailed Crash Information
125.89 KB, text/plain
Details 
The following testcase crashes on mozilla-central revision 143bb4b9249e (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

var realEval = eval;
(function () {
    this.__defineGetter__("eval", arguments.callee);
    try {
        eval();
    } catch (e) {}
    delete this.eval;
    this.eval = realEval;
})();

Backtrace:

0   js-dbg-64-dm-clang-darwin-143bb4b9249e	0x000000010744e283 js::jit::AttachBaselineCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::ICStubEngine, JSScript*, js::jit::ICFallbackStub*) + 1315 (BaselineCacheIRCompiler.cpp:785)
1   js-dbg-64-dm-clang-darwin-143bb4b9249e	0x000000010748225c js::jit::DoGetNameFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetName_Fallback*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) + 1196 (BaselineIC.cpp:2550)
2   ???                           	0x0000000108bdc50d 0 + 4441621773
3   ???                           	0x0000000108bdae1d 0 + 4441615901
4   js-dbg-64-dm-clang-darwin-143bb4b9249e	0x000000010749b3e9 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 713 (BaselineJIT.cpp:159)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/094c2806ef37
user:        Tom Schuster
date:        Sat Dec 24 14:35:23 2016 +0100
summary:     Bug 1324566 - Port Baseline GetName_Env to CacheIR. r=jandem

Tom, is bug 1324566 a likely regressor?
Blocks: 1324566
Flags: needinfo?(evilpies)
Looks like we're missing the check for max number of stubs. The old code in DoGetNameFallback set |attached| to true in this case, we can probably clean this up once all GetName stubs have been converted.
I think this should be fixed now on m-i.
Flags: needinfo?(evilpies)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1832a6e47f1c
user:        Tom Schuster
date:        Fri Dec 30 17:38:08 2016 +0100
summary:     Bug 1324566 - Port Baseline GlobalNameAccessor to CacheIR. r=jandem

Yes, this should be fixed in m-c rev 1832a6e47f1c.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Assignee: nobody → evilpies
No longer blocks: 1324566
status-firefox53: affectedfixed
Depends on: 1324566
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: