Closed Bug 885976 Opened 11 years ago Closed 11 years ago

OdinMonkey: Assertion failure: isInterpreter(), at vm/Stack.h

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla25
Tracking Status
firefox23 --- unaffected
firefox24 --- fixed
firefox25 --- verified

People

(Reporter: gkw, Assigned: jandem)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

Attached file stack
x = {} x.valueOf = (function(stdlib, foreign) { "use asm" var ff = foreign.ff function f(y) { y = +y; ff(0) } return f })(this, { ff: Object.preventExtensions }); + x asserts js debug shell on m-c changeset cea75ce9a559 without any CLI arguments at Assertion failure: isInterpreter(), at vm/Stack.h
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/f5eca934fa16 user: Jan de Mooij date: Fri Jun 21 08:28:06 2013 +0200 summary: Bug 881902 - Remove ContextStack and StackSpace. r=luke,njn This iteration took 286.692 seconds to run.
jandem, is bug 881902 a possible regressor?
Flags: needinfo?(jdemooij)
Attached patch Patch (obsolete) — Splinter Review
When we enter Odin, we push an (inactive) JitActivation for FFI calls into Ion. Then we call a native (Object.preventExtensions) from asm.js, the native enters the decompiler and the inactive JitActivation confuses ScriptFrameIter::numFrameSlots. This patch makes ScriptFrameIter::numFrameSlots a bit nicer/more robust.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #766276 - Flags: review?(luke)
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review
Attachment #766276 - Attachment is obsolete: true
Attachment #766276 - Flags: review?(luke)
Attachment #766279 - Flags: review?(luke)
Attachment #766279 - Flags: review?(luke) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Comment on attachment 766279 [details] [diff] [review] Patch [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 881902 User impact if declined: Crashes Testing completed (on m-c, etc.): On m-c Risk to taking this patch (and alternatives if risky): Very low String or IDL/UUID changes made by this patch: None
Attachment #766279 - Flags: approval-mozilla-aurora?
Low risk uplift, approving for uplift but no need to track, unless we have any crash--signatures to be associated with crash-stats.
Attachment #766279 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Is it ok to test this with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-21-mozilla-central-debug/jsshell-mac64.zip ? I get "./js testcase warning: successfully compiled asm.js code (total compilation time 1ms) testcase:13:0 TypeError: 0 is not an object", so cannot reproduce the initial problem.
Try the binary from 2013-06-22 or the day after. Or probably this needs a deterministic shell, but I didn't check (the downloaded binaries are not compiled with --enable-more-deterministic).
Thanks Gary. Reproduced with 2013-06-22-mozilla-central-debug/jsshell-mac64. Verified fixed FF 25 2013-10-06-mozilla-beta-debug, Mac OS X 10.8.4
Sure! In the future, you might want to check that the revision is at least rev cea75ce9a559 in this case, it is usually specified in the initial bug report. e.g. http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-22-mozilla-central-debug/firefox-24.0a1.en-US.debug-mac64.txt
You're right, I was thinking the 2013-06-21 build has at least that revision (cause it was filed in that day), without checking. But still don't know how is possible to file a bug today and to reproduce only on tomorrow's build.
> But still don't know how is possible to file a bug today and to reproduce > only on tomorrow's build. I probably updated and fuzzed the rev on the same day (after the nightly binary was produced), finding this bug in the same day, so this rev will only appear in the binary on the next day.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: