IonMonkey: Assertion failure: tag <= CalleeToken_Script, at ../../ion/IonFrames.h:70

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: h4writer, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 601794 [details]
crypto.js.reduced

This happens on a reduced and modified version of v8/crypto.js. See attachment for testcase.
Running on "--ion -n -m"

Assertion failure: tag <= CalleeToken_Script, at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.h:70

Program received signal SIGABRT, Aborted.
0xf7fdd430 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fdd430 in __kernel_vsyscall ()
#1  0xf7fa8ebe in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x08442856 in MOZ_Crash () at /home/h4writer/Build/ionmonkey/mfbt/Assertions.cpp:79
#3  0x084428b2 in MOZ_Assert (s=0x8502072 "tag <= CalleeToken_Script", 
    file=0x850203c "/home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.h", ln=70)
    at /home/h4writer/Build/ionmonkey/mfbt/Assertions.cpp:88
#4  0x083b64e2 in js::ion::GetCalleeTokenTag (token=0x6ede28f7)
    at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.h:70
#5  0x083b66be in js::ion::MaybeScriptFromCalleeToken (token=0x6ede28f7)
    at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.cpp:60
#6  0x083b6be2 in js::ion::IonFrameIterator::script (this=0xffffc378)
    at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.cpp:212
#7  0x0838526c in InvalidateActivation (cx=0x86dbe08, ionTop=0xffffc5e0 "8", invalidateAll=false)
    at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:1018
#8  0x083856fd in js::ion::Invalidate (cx=0x86dbe08, invalid=..., resetUses=true)
    at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:1122
#9  0x08119f16 in js::types::TypeCompartment::processPendingRecompiles (this=0x86dc6b8, cx=0x86dbe08)
    at /home/h4writer/Build/ionmonkey/js/src/jsinfer.cpp:2148
#10 0x080a4aaf in js::types::AutoEnterTypeInference::~AutoEnterTypeInference (this=0xffffc4c0, 
    __in_chrg=<optimized out>) at ../jsinferinlines.h:235
#11 0x08123130 in js::types::TypeMonitorResult (cx=0x86dbe08, script=0xf7306258, pc=0x86e4dbc "5", 
    rval=...) at /home/h4writer/Build/ionmonkey/js/src/jsinfer.cpp:5160
#12 0x08152ef5 in js::types::TypeScript::Monitor (cx=0x86dbe08, script=0xf7306258, pc=0x86e4dbc "5", 
    rval=...) at ../jsinferinlines.h:575
#13 0x0845cefe in js::ion::InvalidationBailout (sp=0xffffc598, frameSizeOut=0xffffc594)
    at /home/h4writer/Build/ionmonkey/js/src/ion/Bailouts.cpp:451
(Reporter)

Comment 1

6 years ago
Created attachment 601921 [details]
crypto.js.extra.reduced

I could reduce this .js file even more. The crash signature is now switching between the backtrace listed here and the one in bug #731820. (Under gdb it is only possible to get the backtrace listed in this file)

configure: debug enabled, 32bit
args: "--ion -n -m" 
revision: 89040:7d6da2d65595
(Reporter)

Comment 2

5 years ago
Doesn't fail on tip anymore. As testcase is very similar to bug #731820, I assume it was fixed on the same revision. That's also the reason I'm not adding this testcase. If somebody thinks differently, let me know and I'll add the testcase.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.