Closed
Bug 884369
Opened 11 years ago
Closed 11 years ago
Assertion failure: hasBaselineScript(), at ../jsscript.h:699 or Crash [@ js::ion::BaselineScript::nativeCodeForPC] or Crash [@ js::ion::BaselineScript::icEntryFromPCOffset]
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla25
Branch | Tracking | Status
---|---|---
firefox24 | --- | disabled
firefox25 | --- | fixed
firefox-esr17 | --- | disabled
firefox-esr24 | --- | disabled
b2g18 | --- | unaffected
b2g-v1.1hd | --- | unaffected
b2g-v1.2 | --- | unaffected
People
(Reporter: decoder, Assigned: shu)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
Crash Data
Attachments (2 files)
1.40 KB, text/plain (Details)
3.14 KB, patch; sstangl: review+ (Details | Diff | Splinter Review)
The following testcase asserts on mozilla-central revision 4e5983de6e3b (run with --ion-eager):

    gczeal(2);
    function testScatter() {
      var shape = [5];
      for (var i = 0; i < 1000; ++i) {
        shape.push(1);
        var p = new ParallelArray(shape, function(k) { return k; });
        var r = p.scatter([0,1,0,3,0e26 ], 9, function (a,b) { return a+shape ; }, 10);
      }
    }
    testScatter();
Reporter
Comment 1•11 years ago

Reporter
Comment 2•11 years ago
Marked s-s because this involves gczeal.
Crash Signature: [@ js::ion::BaselineScript::nativeCodeForPC]
[@ js::ion::BaselineScript::icEntryFromPCOffset]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Comment 3•11 years ago
I also saw this on rev 36da3cb92193 but it might have been fixed by the time 1790f40f71f0 landed (not the smallest regression window, I was testing on inbound).
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 4•11 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/48afaae197ab
user: Gavin Sharp
date: Fri May 31 14:56:48 2013 -0700
summary: Bug 878291: define RELEASE_BUILD/NIGHTLY_BUILD in the js configure too, r=ted

This iteration took 306.992 seconds to run.
Comment 5•11 years ago
Never mind me, turns out they are different testcases and the testcase in comment 0 still reproduces for me on rev 1790f40f71f0.
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter
Comment 6•11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8ea92aeab783).
Updated•11 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Reporter
Comment 7•11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8ea92aeab783).

JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3efe3f3d2c25
user: Jan de Mooij
date: Wed Jun 19 19:10:04 2013 +0200
summary: Bug 882111 - Don't push an interpreter frame when calling into the JITs. r=djvj

This iteration took 297.906 seconds to run.
Comment 8•11 years ago
Jan, is bug 882111 a possible fix?
Flags: needinfo?(jdemooij)
Comment 9•11 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #8)
> Jan, is bug 882111 a possible fix?

Unlikely, it's probably hiding this bug. Does anybody have an updated testcase maybe?

@nmatsakis, shu: looking at the testcase, it's probably a PJS bug.
Flags: needinfo?(shu)
Flags: needinfo?(nmatsakis)
Flags: needinfo?(jdemooij)
Assignee
Comment 10•11 years ago
Looking at it now, it seems like all the jitcode is discarded while the function is active on the stack. Not sure how that could be, yet...
Flags: needinfo?(shu)
Assignee
Comment 11•11 years ago
Bug was due to us pushing the wrong callee in poly inline dispatch. Should've pushed the cloned version whereas we were pushing the original.
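The failure mode described in comments 10 and 11 (jitcode discarded while the function is still on the stack, because the frame recorded the original callee instead of the clone) can be shown with a reduced model. The following is an added illustration written for this page, not code from the bug's patch or from SpiderMonkey; every name in it (Script, Frame, discardInactiveJitCode, dispatchCallee, cloneCodeSurvivesGC) is invented, and the "GC drops jitcode for every script no frame is running" rule is an assumption that stands in for the real engine's liveness logic.

```cpp
// Added example, not SpiderMonkey code: a toy model of why pushing the
// original callee instead of its callsite clone lets a GC throw away the
// jitcode the clone is executing. All names below are invented for the model.
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Stand-in for a script's baseline jitcode.
struct BaselineScript {
    int entryCount;
};

struct Script {
    const char* name;
    std::unique_ptr<BaselineScript> baseline;   // null means no jitcode
    bool hasBaselineScript() const { return baseline != nullptr; }
};

// A callsite clone gets its own Script; the original keeps the other one.
struct Function {
    Script* script;
};

// What a stack frame records as the function being executed.
struct Frame {
    Function* callee;
};

// GC stand-in (assumption for this model): drop jitcode for every script that
// no frame claims to be running. With gczeal(2) a GC happens on every
// allocation, so this fires while the clone's code is live on the machine stack.
void discardInactiveJitCode(std::vector<Script*>& scripts, const std::vector<Frame>& stack) {
    std::set<Script*> active;
    for (const Frame& f : stack) active.insert(f.callee->script);
    for (Script* s : scripts)
        if (!active.count(s)) s->baseline.reset();
}

// Poly inline dispatch stand-in. The code actually run is always the clone's;
// the bug was recording `original` in the frame instead of `clone`.
void dispatchCallee(std::vector<Frame>& stack, Function* original, Function* clone, bool pushClone) {
    stack.push_back(Frame{pushClone ? clone : original});
}

// Returns true if the clone's jitcode survives a GC that happens while it is
// executing. A false result is the state behind the hasBaselineScript()
// assertion in the bug title: the running code's BaselineScript is gone when
// nativeCodeForPC / icEntryFromPCOffset go looking for it.
bool cloneCodeSurvivesGC(bool pushClone) {
    Script original{"f", std::make_unique<BaselineScript>(BaselineScript{1})};
    Script clone{"f(clone)", std::make_unique<BaselineScript>(BaselineScript{1})};
    Function fOrig{&original};
    Function fClone{&clone};
    std::vector<Script*> scripts{&original, &clone};
    std::vector<Frame> stack;

    dispatchCallee(stack, &fOrig, &fClone, pushClone);
    discardInactiveJitCode(scripts, stack);

    // The clone is what is actually running, so its script is what the JIT
    // will look up next.
    return fClone.script->hasBaselineScript();
}

int main() {
    std::printf("buggy dispatch (push original): clone jitcode survives GC? %d\n",
                cloneCodeSurvivesGC(false));
    std::printf("fixed dispatch (push clone):    clone jitcode survives GC? %d\n",
                cloneCodeSurvivesGC(true));
    return 0;
}
```

The model keeps the real structure of the failure: liveness is decided from what frames claim, so a frame that names the wrong function makes the GC free code that is still in use, and the later PC lookup dereferences a script that no longer has any baseline code.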
Updated•11 years ago
Attachment #767493 - Flags: review?(sstangl) → review+
Assignee
Comment 12•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/08f43331a642
Comment 13•11 years ago
https://hg.mozilla.org/mozilla-central/rev/08f43331a642
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox25: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Reporter
Updated•11 years ago
Status: RESOLVED → VERIFIED
Reporter
Comment 14•11 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 15•11 years ago
This looks to affect ESR24. Can we get this fixed there?
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → affected
tracking-firefox-esr24: --- → ?
Comment 16•11 years ago
Setting needinfo so I can perhaps get an ESR24 patch in time for the release?
status-firefox24: --- → affected
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main25+]
Assignee
Comment 17•11 years ago
This is a bug in Ion's interaction with callsite cloning. While the buggy code in question exists on ESR24, the only user of callsite cloning is PJS. PJS is ifdef'd out in all branches except Nightly, so there's no way to trigger this.
tracking-firefox-esr24: ? → ---
Flags: needinfo?(shu)
Comment 18•11 years ago
Thanks!
Updated•11 years ago
Whiteboard: [jsbugmon:update,ignore][adv-main25+] → [jsbugmon:update,ignore]
Updated•11 years ago
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
Updated•9 years ago
Group: core-security