Assertion failure: isScripted(), at js/src/jit/JSJitFrameIter.cpp:105 with inIon
Categories: Core :: JavaScript Engine, defect, P1
Tracking | Status
---|---
firefox-esr60 | unaffected
firefox65 | wontfix
firefox66 | wontfix
firefox67 | fixed
People: Reporter: decoder, Assigned: tcampbell
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file
The following testcase crashes on mozilla-central revision e0a4fe89a7b0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-eager):
Object.prototype[Symbol.toPrimitive] = inIon;   // shell-only testing function becomes the ToPrimitive hook for every object
which = function() {};
for (var i = 0; i < 10; ++i) {
  s = which[which[which]];   // undefined: the function has no such property
  a = which;
  a += s + '';               // object + string concat -> ToPrimitive -> inIon() called from inside JIT code
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:105
#0 js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:105
#1 0x0000555555c4e937 in testingFunc_inIon (cx=cx@entry=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2677
#2 0x0000555555900839 in CallJSNative (cx=0x7ffff5f18000, native=0x555555c4e700 <testingFunc_inIon(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#3 0x00005555558f2137 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:535
#4 0x00005555558f285d in InternalCall (cx=cx@entry=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:590
#5 0x00005555558f29f0 in js::Call (cx=cx@entry=0x7ffff5f18000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:606
#6 0x0000555555b49efc in js::Call (rval=..., arg0=..., thisv=..., fval=..., cx=0x7ffff5f18000) at js/src/vm/Interpreter.h:98
#7 js::ToPrimitiveSlow (cx=<optimized out>, cx@entry=0x7ffff5f18000, preferredType=preferredType@entry=JSTYPE_UNDEFINED, vp=..., vp@entry=...) at js/src/vm/JSObject.cpp:3331
#8 0x00005555560b6995 in js::ToPrimitive (vp=..., cx=0x7ffff5f18000) at js/src/vm/JSObject.h:731
#9 js::jit::ConvertObjectToStringForConcat (cx=0x7ffff5f18000, obj=...) at js/src/jit/VMFunctions.cpp:1808
#10 0x00005555560c6985 in js::jit::DoConcatStringObject (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/VMFunctions.cpp:1832
#11 0x00002bd6a1a8298b in ?? ()
#12 0xffffffffffffffff in ?? ()
#13 0x00007fffffffc7f8 in ?? ()
#14 0x0000000000000000 in ?? ()
rax 0x555557bfa280 93825032757888
rbx 0x7fffffffbed0 140737488338640
rcx 0x555556bc25d0 93825015752144
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffbeb0 140737488338608
rsp 0x7fffffffbeb0 140737488338608
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6c80 140737354034304
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x1 1
r13 0x7fffffffbf00 140737488338688
r14 0x7ffff5f7d800 140737320048640
r15 0x7ffff5f7d800 140737320048640
rip 0x5555562b6d39 <js::jit::JSJitFrameIter::script() const+89>
=> 0x5555562b6d39 <js::jit::JSJitFrameIter::script() const+89>: movl $0x0,0x0
0x5555562b6d44 <js::jit::JSJitFrameIter::script() const+100>: ud2
This seems to be related to the shell-only inIon function; based on that, I assume it isn't s-s for now.
Comment 1•5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2f5665631cc8
user: Matthew Gaudet
date: Wed May 09 16:19:58 2018 -0400
summary: Bug 1438727: [Part 18] Add StringObject Concat r=tcampbell
This iteration took 279.587 seconds to run.
Matthew, is bug 1438727 a likely regressor?
Comment 3•5 years ago (Assignee)
I should take a look while Matthew is away..
Comment 4•5 years ago
Ted, any updates on this bug?
Comment 5•5 years ago (Assignee)
Existing code didn't handle IonIC frames, but the FrameScriptIter::script function does the right thing for us here.
Comment 6•5 years ago (Assignee)
Shell-only problem.
The code tried to figure out the current script by using JSJitIterator on the activation. This got confused by IonICCall frames. The naive FrameScriptIter::script can be used instead and makes more sense anyway when describing the context we care about "isIon" for.
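To make the failure mode concrete, here is an added toy model in C++. It is not SpiderMonkey code: the frame kinds, the Frame struct, naiveCurrentScript, nearestScriptedFrame and the two sample stacks are all assumptions made for this example. It models the situation the comment describes: a lookup that steps past the exit frame and assumes the frame underneath is a JS frame stops working once an IC-call frame sits there (the real iterator asserted isScripted() at that point), while a walk to the nearest scripted frame still gives the right answer.

```cpp
// Added illustration, not SpiderMonkey code. A toy model of a JIT activation's
// frames (innermost last) and two ways of answering "which script is running?".
// Frame kinds, names and the sample stacks are assumptions for this example.
#include <optional>
#include <string>
#include <vector>

// JS frames carry a script; IC-call stubs and the exit frame that wraps a
// native call do not.
enum class FrameKind { Entry, IonJS, BaselineJS, IonICCall, Exit };

struct Frame {
    FrameKind kind;
    std::string script;  // empty for frames that carry no script
};

// Only JS frames are "scripted", i.e. have a script behind them.
static bool isScripted(const Frame& f) {
    return f.kind == FrameKind::IonJS || f.kind == FrameKind::BaselineJS;
}

// Pre-fix style lookup: step past the exit frame and assume the frame beneath
// it is the JS caller. Reached through an IC stub, that frame is an IonICCall
// frame, so the assumption is wrong; the real code asserted isScripted() here,
// this model returns nullopt instead.
static std::optional<std::string> naiveCurrentScript(const std::vector<Frame>& stack) {
    for (auto it = stack.rbegin(); it != stack.rend(); ++it) {
        if (it->kind == FrameKind::Exit) continue;   // wrapper around the native call
        if (!isScripted(*it)) return std::nullopt;   // where the assertion would fire
        return it->script;
    }
    return std::nullopt;
}

// Post-fix style lookup: walk from innermost to outermost and report the
// nearest scripted frame, skipping IC-call and exit frames on the way.
static std::optional<std::string> nearestScriptedFrame(const std::vector<Frame>& stack) {
    for (auto it = stack.rbegin(); it != stack.rend(); ++it) {
        if (isScripted(*it)) return it->script;
    }
    return std::nullopt;
}

// Constructed sample stacks (innermost frame last).
// 1) Ion code calls a native directly: Entry -> IonJS -> Exit.
std::vector<Frame> directNativeCallStack() {
    return {{FrameKind::Entry, ""}, {FrameKind::IonJS, "main"}, {FrameKind::Exit, ""}};
}
// 2) Ion code runs an IC stub, which calls into the VM, which calls the native
//    (the shape of the backtrace in this bug): Entry -> IonJS -> IonICCall -> Exit.
std::vector<Frame> icCallStack() {
    return {{FrameKind::Entry, ""}, {FrameKind::IonJS, "main"},
            {FrameKind::IonICCall, ""}, {FrameKind::Exit, ""}};
}

// True when both strategies report the same running script.
bool strategiesAgree(const std::vector<Frame>& stack) {
    return naiveCurrentScript(stack) == nearestScriptedFrame(stack);
}

int main() {
    // Direct call: both agree. Through an IC stub: only the robust walk answers.
    bool ok = strategiesAgree(directNativeCallStack()) && !strategiesAgree(icCallStack());
    return ok ? 0 : 1;
}
```

The point of the model is the second stack: the native sees exactly the same exit frame in both cases, so nothing local to the native tells it whether an IC-call frame sits between it and the JS code. Any "what script am I in?" helper that is reachable from IC paths has to skip non-scripted frames rather than assert on them.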
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/56023d83552d Fix the way isIon accesses current script r=nbp
Comment 8•5 years ago
Backed out changeset 56023d83552d (bug 1518377) for bustages at /tests/basic/bug908915.js on a CLOSED TREE
Backout link: https://hg.mozilla.org/integration/autoland/rev/024bef408a8896f365789759f6a3b6e00daf5aca
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&selectedJob=225508340&revision=56023d83552d08ef93b28f20fa3ea72e7eeb08f1
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=225508340&repo=autoland&lineNumber=87845
Log snippet:
[task 2019-02-01T18:44:29.158Z] EXTERNAL_STRING 16 254 12
[task 2019-02-01T18:44:29.158Z] FAT_INLINE_ATOM 40 101 36
[task 2019-02-01T18:44:29.158Z] ATOM 24 169 20
[task 2019-02-01T18:44:29.158Z] SYMBOL 16 254 12
[task 2019-02-01T18:44:29.158Z] JITCODE 32 127 12
[task 2019-02-01T18:44:29.158Z] SCOPE 16 254 12
[task 2019-02-01T18:44:29.158Z] REGEXP_SHARED 64 63 44
[task 2019-02-01T18:44:29.158Z] FAT_INLINE_STRING 32 127 12
[task 2019-02-01T18:44:29.159Z] STRING 16 254 12
[task 2019-02-01T18:44:29.159Z] Exit code: -11
[task 2019-02-01T18:44:29.159Z] FAIL - basic/bug908915.js
[task 2019-02-01T18:44:29.159Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/bug908915.js | (code -11, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.9 s]
[task 2019-02-01T18:44:29.159Z] {"action": "test_start", "jitflags": "--ion-eager --ion-offthread-compile=off --more-compartments", "pid": 748, "source": "jittests", "test": "basic/bug908915.js", "thread": "main", "time": 1549046668.265665}
[task 2019-02-01T18:44:29.159Z] {"action": "test_end", "extra": {"jitflags": "--ion-eager --ion-offthread-compile=off --more-compartments", "pid": 748}, "jitflags": "--ion-eager --ion-offthread-compile=off --more-compartments", "message": "", "pid": 748, "source": "jittests", "status": "FAIL", "test": "basic/bug908915.js", "thread": "main", "time": 1549046669.127568}
[task 2019-02-01T18:44:29.159Z] INFO exit-status : -11
[task 2019-02-01T18:44:29.159Z] INFO timed-out : False
[task 2019-02-01T18:44:29.159Z] INFO stdout > # Roots.
[task 2019-02-01T18:44:29.159Z] INFO stdout > 0xf5d00028 W unit-static-string
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/95e72565e112 Fix the way isIon accesses current script r=nbp
Comment 10•5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 476293c6700f).
Comment 12•5 years ago (bugherder)