Closed Bug 885976 Opened 11 years ago Closed 11 years ago

OdinMonkey: Assertion failure: isInterpreter(), at vm/Stack.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25
Tracking Flags:
Tracking Status
firefox23 --- unaffected
firefox24 --- fixed
firefox25 --- verified

People

(Reporter: gkw, Assigned: jandem)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

stack
7.62 KB, text/plain
Details
Patch
1.54 KB, patch
luke
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file stack 
x = {}
x.valueOf = (function(stdlib, foreign) {
    "use asm"
    var ff = foreign.ff
    function f(y) {
        y = +y;
        ff(0)
    }
    return f
})(this, {
    ff: Object.preventExtensions
});
+ x

asserts js debug shell on m-c changeset cea75ce9a559 without any CLI arguments at Assertion failure: isInterpreter(), at vm/Stack.h
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/f5eca934fa16
user:        Jan de Mooij
date:        Fri Jun 21 08:28:06 2013 +0200
summary:     Bug 881902 - Remove ContextStack and StackSpace. r=luke,njn

This iteration took 286.692 seconds to run.
jandem, is bug 881902 a possible regressor?
Flags: needinfo?(jdemooij)
Attached patch Patch (obsolete) — Splinter Review 
When we enter Odin, we push an (inactive) JitActivation for FFI calls into Ion. Then we call a native (Object.preventExtensions) from asm.js, the native enters the decompiler and the inactive JitActivation confuses ScriptFrameIter::numFrameSlots.

This patch makes ScriptFrameIter::numFrameSlots a bit nicer/more robust.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #766276 - Flags: review?(luke)
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review 

        Attachment #766276 -
        Attachment is obsolete: true

        Attachment #766276 -
        Flags: review?(luke)

        Attachment #766279 -
        Flags: review?(luke)

    
  

        Attachment #766279 -
        Flags: review?(luke) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/82490fdde92b
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25

    
    

    
  
Comment on attachment 766279 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 881902
User impact if declined: Crashes
Testing completed (on m-c, etc.): On m-c
Risk to taking this patch (and alternatives if risky): Very low
String or IDL/UUID changes made by this patch: None

        Attachment #766279 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Low risk uplift, approving for uplift but no need to track, unless we have any crash--signatures to be associated with crash-stats.

        Attachment #766279 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
    

    
  
Is it ok to test this with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-21-mozilla-central-debug/jsshell-mac64.zip ?
I get "./js testcase
warning: successfully compiled asm.js code (total compilation time 1ms)
testcase:13:0 TypeError: 0 is not an object", so cannot reproduce the initial problem.

    
    

    
  
Try the binary from 2013-06-22 or the day after. Or probably this needs a deterministic shell, but I didn't check (the downloaded binaries are not compiled with --enable-more-deterministic).

    
    

    
  
Thanks Gary.
Reproduced with 2013-06-22-mozilla-central-debug/jsshell-mac64.
Verified fixed FF 25 2013-10-06-mozilla-beta-debug, Mac OS X 10.8.4

          status-firefox25:
          fixedverified

    
    

    
  
Sure! In the future, you might want to check that the revision is at least rev cea75ce9a559 in this case, it is usually specified in the initial bug report.

e.g. http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-22-mozilla-central-debug/firefox-24.0a1.en-US.debug-mac64.txt

    
    

    
  
You're right, I was thinking the 2013-06-21 build has at least that revision (cause it was filed in that day), without checking.
But still don't know how is possible to file a bug today and to reproduce only on tomorrow's build.

    
    

    
  
> But still don't know how is possible to file a bug today and to reproduce
> only on tomorrow's build.

I probably updated and fuzzed the rev on the same day (after the nightly binary was produced), finding this bug in the same day, so this rev will only appear in the binary on the next day.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: