1542355 - CACHEIR_LOGS=1 crashes nightly build

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect, P3)

Description

[Matthew Gaudet (he/him) [:mgaudet]]

CACHEIR_LOGS=1 ./mach mozregression --launch 67 just produces

WARNING: Process exited with code 1

Mozregression says

 8:51.58 INFO: Last good revision: 2e049c2537d4b5cf0615448c8371950a9990f18d
 8:51.58 INFO: First bad revision: 92f35371d6b31ec12b5563034c1110dd794018f3
 8:51.58 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2e049c2537d4b5cf0615448c8371950a9990f18d&tochange=92f35371d6b31ec12b5563034c1110dd794018f3

So looks to be fallout from Bug 1528931.

I haven't checked a shell build quite yet.

Comment 1

[Matthew Gaudet (he/him) [:mgaudet]]

Definitely fails in the shell too.

$ CACHEIR_LOGS=1 lldb -- ./dist/bin/js ../jit-test/tests/cacheir/bug1420910.js
(lldb) r
Process 62661 launched: '/Users/mgaudet/unified/js/src/build_DBG.OBJ/dist/bin/js' (x86_64)
Hit MOZ_CRASH(unexpected type) at /Users/mgaudet/unified/js/src/vm/JSObject.cpp:139

Process 62661 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00000001003f6558 js`JS::InformalValueTypeName(v=0x00007ffeefbfb1e8) at JSObject.cpp:139:3
   136 	      break;
   137 	  }
   138 	
-> 139 	  MOZ_CRASH("unexpected type");
   140 	}
   141 	
   142 	// ES6 draft rev37 6.2.4.4 FromPropertyDescriptor
Target 0: (js) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003f6558 js`JS::InformalValueTypeName(v=0x00007ffeefbfb1e8) at JSObject.cpp:139:3
    frame #1: 0x0000000100dd5ea2 js`js::jit::CacheIRSpewer::valueProperty(this=0x0000000102b5ca48, name="base", v=0x00007ffeefbfb1e8) at CacheIRSpewer.cpp:135:22
    frame #2: 0x0000000100da0408 js`js::jit::CacheIRSpewer::Guard::valueProperty(this=0x00007ffeefbfaa40, name="base", v=0x00007ffeefbfb1e8) const at CacheIRSpewer.h:98:11
    frame #3: 0x0000000100d99b51 js`js::jit::GetPropIRGenerator::trackAttached(this=0x00007ffeefbfafa0, name="MagicArgumentsName") at CacheIR.cpp:2367:8
    frame #4: 0x0000000100d9b172 js`js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName(this=0x00007ffeefbfafa0, valId=ValOperandId @ 0x00007ffeefbfaac8, id=JS::HandleId @ 0x00007ffeefbfaac0) at CacheIR.cpp:2043:3
    frame #5: 0x0000000100d96913 js`js::jit::GetPropIRGenerator::tryAttachStub(this=0x00007ffeefbfafa0) at CacheIR.cpp:341:9
    frame #6: 0x0000000100c78b18 js`js::jit::DoGetPropFallback(cx=0x0000000105e2b000, frame=0x00007ffeefbfb230, stub=0x0000000107096218, val=JS::MutableHandleValue @ 0x00007ffeefbfaf90, res=JS::MutableHandleValue @ 0x00007ffeefbfaf88) at BaselineIC.cpp:2744:13
    frame #7: 0x00003cb16470717f

It appears InformalValueTypeName is grumpy about seeing ValueType::Magic from having attached MagicArgumentsName.

Tom: Would you be opposed to providing a name to Magic and PrivateGCThing, or would you prefer the checks happen in the CacheIRSpewer?

Comment 2

[Adam Holm]

(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #0)

After looking this over, it doesn't look to far out of my depth. I'd be up to fixing it, should you and Tom decide to go in that direction.

Comment 3

[Tom S. (please needinfo tschuster)]

I think returning "Magic" would be okay, I am pretty sure we still wouldn't expose it to the JS in other cases.

Comment 4

[Adam Holm]

Attachment: Bug 1542355 - Fixes CACHEIR_LOGS=1 crashing nightly build. r=mgaudet

Comment 5

[Adam Holm]

Attachment: Bug 1542355 - Fixes CACHEIR_LOGS=1 crashing nightly build. r=mgaudet

Comment 6

[Pulsebot]

Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6ceb09138e9b
Fixes CACHEIR_LOGS=1 crashing nightly build. r=mgaudet

Comment 7

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/6ceb09138e9b