Closed Bug 1518377 Opened 5 years ago Closed 5 years ago

Assertion failure: isScripted(), at js/src/jit/JSJitFrameIter.cpp:105 with inIon

Categories: Core :: JavaScript Engine, defect, P1
Platform: x86_64 Linux
Status: RESOLVED FIXED
Tracking Status:
firefox-esr60 --- unaffected
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
People: Reporter: decoder, Assigned: tcampbell
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file

The following testcase crashes on mozilla-central revision e0a4fe89a7b0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-eager):

Object.prototype[Symbol.toPrimitive] = inIon;
which = function() {};
for (var i = 0; i < 10; ++i) {
    s = which[which[which]];
    a = which;
    a += s + '';
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:105
#0 js::jit::JSJitFrameIter::script (this=<optimized out>) at js/src/jit/JSJitFrameIter.cpp:105
#1 0x0000555555c4e937 in testingFunc_inIon (cx=cx@entry=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2677
#2 0x0000555555900839 in CallJSNative (cx=0x7ffff5f18000, native=0x555555c4e700 <testingFunc_inIon(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#3 0x00005555558f2137 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:535
#4 0x00005555558f285d in InternalCall (cx=cx@entry=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:590
#5 0x00005555558f29f0 in js::Call (cx=cx@entry=0x7ffff5f18000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:606
#6 0x0000555555b49efc in js::Call (rval=..., arg0=..., thisv=..., fval=..., cx=0x7ffff5f18000) at js/src/vm/Interpreter.h:98
#7 js::ToPrimitiveSlow (cx=<optimized out>, cx@entry=0x7ffff5f18000, preferredType=preferredType@entry=JSTYPE_UNDEFINED, vp=..., vp@entry=...) at js/src/vm/JSObject.cpp:3331
#8 0x00005555560b6995 in js::ToPrimitive (vp=..., cx=0x7ffff5f18000) at js/src/vm/JSObject.h:731
#9 js::jit::ConvertObjectToStringForConcat (cx=0x7ffff5f18000, obj=...) at js/src/jit/VMFunctions.cpp:1808
#10 0x00005555560c6985 in js::jit::DoConcatStringObject (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/VMFunctions.cpp:1832
#11 0x00002bd6a1a8298b in ?? ()
#12 0xffffffffffffffff in ?? ()
#13 0x00007fffffffc7f8 in ?? ()
#14 0x0000000000000000 in ?? ()
rax 0x555557bfa280 93825032757888
rbx 0x7fffffffbed0 140737488338640
rcx 0x555556bc25d0 93825015752144
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffbeb0 140737488338608
rsp 0x7fffffffbeb0 140737488338608
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6c80 140737354034304
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x1 1
r13 0x7fffffffbf00 140737488338688
r14 0x7ffff5f7d800 140737320048640
r15 0x7ffff5f7d800 140737320048640
rip 0x5555562b6d39 <js::jit::JSJitFrameIter::script() const+89>
=> 0x5555562b6d39 <js::jit::JSJitFrameIter::script() const+89>: movl $0x0,0x0
0x5555562b6d44 <js::jit::JSJitFrameIter::script() const+100>: ud2

This seems to be related to the shell-only inIon function; based on that, I assume it isn't s-s for now.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2f5665631cc8
user:        Matthew Gaudet
date:        Wed May 09 16:19:58 2018 -0400
summary:     Bug 1438727: [Part 18] Add StringObject Concat r=tcampbell

This iteration took 279.587 seconds to run.

Matthew, is bug 1438727 a likely regressor?

Blocks: 1438727
Flags: needinfo?(mgaudet)

I should take a look while Matthew is away.

Flags: needinfo?(tcampbell)

Ted, any updates on this bug?

Existing code didn't handle IonIC frames, but the
FrameScriptIter::script function does the right thing for us here.

Shell-only problem.

The code tried to figure out the current script by using JSJitIterator on the activation. This got confused by IonICCall frames. The naive FrameScriptIter::script can be used instead and makes more sense anyway when describing the context we care about "isIon" for.
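As an added illustration of the frame-kind problem described in this comment (a simplified model, not SpiderMonkey's code), the following C++ sets up an activation whose newest JS-side frame is an IC call frame: the naive path that reads the script off the frame below the exit frame fails on it, while a script-aware walk skips to the nearest scripted frame. The frame kinds, the Script type and the stack layout are assumptions of the model.

```cpp
#include <cstddef>
#include <string>
#include <vector>
// Frame kinds in this model (an assumption, not SpiderMonkey's real enum):
// only BaselineJS and IonJS frames belong to a script.
enum class FrameType { BaselineJS, IonJS, IonICCall, Exit };
struct Script { std::string name; };
struct JitFrame {
    FrameType type;
    const Script* script;  // non-null only for scripted frames
    bool isScripted() const { return type == FrameType::BaselineJS || type == FrameType::IonJS; }
};
// Oldest frame first; frames.back() is the most recently pushed frame.
struct Activation { std::vector<JitFrame> frames; };

// Model of the original inIon path: step past the exit frame pushed for the
// native call and treat the frame directly below it as the JS frame. In the
// engine this is where MOZ_ASSERT(isScripted()) fired; the model returns nullptr.
const Script* naiveCurrentScript(const Activation& act) {
    std::size_t n = act.frames.size();
    if (n < 2 || act.frames[n - 1].type != FrameType::Exit) return nullptr;
    const JitFrame& below = act.frames[n - 2];
    if (!below.isScripted()) return nullptr;  // IC call frame: assertion would fire
    return below.script;
}

// Model of the fix: walk from the newest frame down and skip anything that
// cannot carry a script (exit and IC call frames) until a scripted frame.
const Script* currentScript(const Activation& act) {
    for (auto it = act.frames.rbegin(); it != act.frames.rend(); ++it) {
        if (it->isScripted()) return it->script;
    }
    return nullptr;  // no JS frame in this activation
}

// Constructed stack for the report: Ion code for the loop, an IC call frame for
// the string concat, then the exit frame of the native inIon call.
Activation makeReportedStack(const Script& loop) {
    return Activation{{JitFrame{FrameType::IonJS, &loop},
                       JitFrame{FrameType::IonICCall, nullptr},
                       JitFrame{FrameType::Exit, nullptr}}};
}
bool naiveFailsOnReportedStack() {
    static const Script loop{"loop"};
    return naiveCurrentScript(makeReportedStack(loop)) == nullptr;
}
bool fixedFindsScriptOnReportedStack() {
    static const Script loop{"loop"};
    return currentScript(makeReportedStack(loop)) == &loop;
}
```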

Flags: needinfo?(tcampbell)
Flags: needinfo?(mgaudet)
Assignee: nobody → tcampbell
Priority: -- → P1
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/56023d83552d
Fix the way isIon accesses current script r=nbp

Backed out changeset 56023d83552d (bug 1518377) for bustages at /tests/basic/bug908915.js on a CLOSED TREE

Backout link: https://hg.mozilla.org/integration/autoland/rev/024bef408a8896f365789759f6a3b6e00daf5aca

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&selectedJob=225508340&revision=56023d83552d08ef93b28f20fa3ea72e7eeb08f1

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=225508340&repo=autoland&lineNumber=87845

Log snippet:

[task 2019-02-01T18:44:29.158Z] EXTERNAL_STRING 16 254 12
[task 2019-02-01T18:44:29.158Z] FAT_INLINE_ATOM 40 101 36
[task 2019-02-01T18:44:29.158Z] ATOM 24 169 20
[task 2019-02-01T18:44:29.158Z] SYMBOL 16 254 12
[task 2019-02-01T18:44:29.158Z] JITCODE 32 127 12
[task 2019-02-01T18:44:29.158Z] SCOPE 16 254 12
[task 2019-02-01T18:44:29.158Z] REGEXP_SHARED 64 63 44
[task 2019-02-01T18:44:29.158Z] FAT_INLINE_STRING 32 127 12
[task 2019-02-01T18:44:29.159Z] STRING 16 254 12
[task 2019-02-01T18:44:29.159Z] Exit code: -11
[task 2019-02-01T18:44:29.159Z] FAIL - basic/bug908915.js
[task 2019-02-01T18:44:29.159Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/bug908915.js | (code -11, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.9 s]
[task 2019-02-01T18:44:29.159Z] {"action": "test_start", "jitflags": "--ion-eager --ion-offthread-compile=off --more-compartments", "pid": 748, "source": "jittests", "test": "basic/bug908915.js", "thread": "main", "time": 1549046668.265665}
[task 2019-02-01T18:44:29.159Z] {"action": "test_end", "extra": {"jitflags": "--ion-eager --ion-offthread-compile=off --more-compartments", "pid": 748}, "jitflags": "--ion-eager --ion-offthread-compile=off --more-compartments", "message": "", "pid": 748, "source": "jittests", "status": "FAIL", "test": "basic/bug908915.js", "thread": "main", "time": 1549046669.127568}
[task 2019-02-01T18:44:29.159Z] INFO exit-status : -11
[task 2019-02-01T18:44:29.159Z] INFO timed-out : False
[task 2019-02-01T18:44:29.159Z] INFO stdout > # Roots.
[task 2019-02-01T18:44:29.159Z] INFO stdout > 0xf5d00028 W unit-static-string

Flags: needinfo?(tcampbell)
Flags: needinfo?(tcampbell)
See Also: → 1404714
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/95e72565e112
Fix the way isIon accesses current script r=nbp
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 476293c6700f).
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]